Difference between revisions of "Vulnerability Remediation"
(→For Lingoport Clients) |
(→For Lingoport Clients) |
||
| Line 16: | Line 16: | ||
The below scripts may be used in conjunction to replace all log4j 2.x with log4j 2.15. |
The below scripts may be used in conjunction to replace all log4j 2.x with log4j 2.15. |
||
| + | |||
| + | 0. Check if your system is vulnerable with the following script, which will search all of /var /tomcat /home /opt /lib for the vulnerable libraries. |
||
| + | |||
| + | This script is designed to be run as root, or via sudo: |
||
| + | |||
| + | <pre> |
||
| + | #!/bin/bash |
||
| + | |||
| + | while read -r log4j_jar ; do |
||
| + | if [[ -z "$log4j_jar" ]] ; then |
||
| + | continue |
||
| + | fi |
||
| + | if [[ "$log4j_jar" == *"-2.15"* ]] ; then |
||
| + | #echo "Up to date: $log4j_jar" |
||
| + | continue |
||
| + | fi |
||
| + | if [[ "$log4j_jar" == *"-1."* ]] ; then |
||
| + | #echo "1.x - safe: $log4j_jar" |
||
| + | continue |
||
| + | fi |
||
| + | if unzip -l "$log4j_jar" | grep -q JndiLookup.class ; then |
||
| + | echo "$log4j_jar" |
||
| + | fi |
||
| + | done <<< "$(find / '(' -path '/var*' -o -path '/tomcat*' -o -path '/home*' -o -path '/opt*' -o -path '/lib*' ')' -name 'log4j*.jar')" |
||
| + | </pre> |
||
| + | |||
1. Retrieve log4j 2.15: |
1. Retrieve log4j 2.15: |
||
| Line 28: | Line 54: | ||
The following script will replace vulnerable log4j libraries with 2.15. It searches all of /var /tomcat /home /opt /lib for the vulnerable libraries, and replace any that are found. |
The following script will replace vulnerable log4j libraries with 2.15. It searches all of /var /tomcat /home /opt /lib for the vulnerable libraries, and replace any that are found. |
||
| + | |||
| + | This script is designed to be run as root or via sudo. |
||
<pre> |
<pre> |
||
| Line 74: | Line 102: | ||
</pre> |
</pre> |
||
| + | 3. You may wish to run the check script from #0 a second time to validate the fix. |
||
| − | 3. Please reboot your system after replacing your libraries. This will ensure that the patch becomes fully effective. |
||
| + | |||
| + | 4. Please reboot your system after replacing your libraries. This will ensure that the patch becomes fully effective. |
||
Revision as of 20:43, 11 December 2021
Contents
Lingoport's Response to Major Software Vulnerabilities
Apache Log4j Security Vulnerabilities
A major security vulnerability allowing for remote code execution on affected systems.
See: https://logging.apache.org/log4j/2.x/security.html
Lingoport Response
Pending further action, Lingoport has shut down all non-critical systems.
Critical systems have been patched to remove all copies of log4j 2.x with log4j 2.15 followed by a hard reboot.
For Lingoport Clients
The below scripts may be used in conjunction to replace all log4j 2.x with log4j 2.15.
0. Check if your system is vulnerable with the following script, which will search all of /var /tomcat /home /opt /lib for the vulnerable libraries.
This script is designed to be run as root, or via sudo:
#!/bin/bash
while read -r log4j_jar ; do
if [[ -z "$log4j_jar" ]] ; then
continue
fi
if [[ "$log4j_jar" == *"-2.15"* ]] ; then
#echo "Up to date: $log4j_jar"
continue
fi
if [[ "$log4j_jar" == *"-1."* ]] ; then
#echo "1.x - safe: $log4j_jar"
continue
fi
if unzip -l "$log4j_jar" | grep -q JndiLookup.class ; then
echo "$log4j_jar"
fi
done <<< "$(find / '(' -path '/var*' -o -path '/tomcat*' -o -path '/home*' -o -path '/opt*' -o -path '/lib*' ')' -name 'log4j*.jar')"
1. Retrieve log4j 2.15:
cd /tmp/ curl -O https://dlcdn.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.zip unzip apache-log4j-2.15.0-bin.zip
2. Replace other log4j instances on your system with 2.15
The following script will replace vulnerable log4j libraries with 2.15. It searches all of /var /tomcat /home /opt /lib for the vulnerable libraries, and replace any that are found.
This script is designed to be run as root or via sudo.
#!/bin/bash
strip_version() {
target="$1"
echo "$target" | sed -E 's|-[0-9.]+.jar|-|'
}
if [[ ! -d /tmp/apache-log4j-2.15.0-bin/ ]] ; then
echo >&2 "Please retrieve apache log4j 2.15 and unzip it in /tmp before running this script"
exit 1
fi
while read -r log4j_jar ; do
if [[ -z "$log4j_jar" ]] ; then
continue
fi
if [[ "$log4j_jar" == *"-2.15"* ]] ; then
echo "Up to date: $log4j_jar"
continue
fi
if [[ "$log4j_jar" == *"-1."* ]] ; then
echo "1.x - safe: $log4j_jar"
continue
fi
if unzip -l "$log4j_jar" | grep -q JndiLookup.class ; then
echo "$log4j_jar"
while read -r replace_target ; do
user_group="$(stat -c "%U:%G" "$replace_target")"
without_version="$(strip_version "$replace_target")"
patched_jar="$(basename "$without_version")2.15.0.jar"
echo "$replace_target - $perms - $without_version - $patched_jar"
set -x
cp /tmp/apache-log4j-2.15.0-bin/"$patched_jar" "$(dirname "$replace_target")"
chown "$user_group" "$(dirname "$replace_target")/$patched_jar"
mv "$replace_target" "$replace_target.orig.vulnerable"
set +x
done <<< "$(find "$(dirname "$log4j_jar")" -name "log4j*")"
#cp "$log4j_jar" "$log4j_jar.orig.vulnerable"
#zip -q -d "$log4j_jar" org/apache/logging/log4j/core/lookup/JndiLookup.class
fi
done <<< "$(find / '(' -path '/var*' -o -path '/tomcat*' -o -path '/home*' -o -path '/opt*' -o -path '/lib*' ')' -name 'log4j*.jar')"
3. You may wish to run the check script from #0 a second time to validate the fix.
4. Please reboot your system after replacing your libraries. This will ensure that the patch becomes fully effective.
