Difference between revisions of "Vulnerability Remediation"

From Lingoport Wiki
(For Lingoport Clients)
(Apache Log4j Security Vulnerabilities)
Line 17: Line 17:
 
The below scripts may be used in conjunction to replace all log4j 2.x with log4j 2.15.
 
The below scripts may be used in conjunction to replace all log4j 2.x with log4j 2.15.
   
0. Check if your system is vulnerable with the following script, which will search all of /var /tomcat /home /opt /lib for the vulnerable libraries.
+
0. Check if your system is vulnerable with the following script, which will search your system for vulnerable libraries.
   
 
This script is designed to be run as root, or via sudo:
 
This script is designed to be run as root, or via sudo:
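Review bot: the new wording "search your system" drops the list of scanned directories without saying that the scan now covers the whole filesystem; since the matching change further down replaces the path filters with a bare `find / -name 'log4j*.jar'`, say so in this sentence so the reader expects the longer run time and knows to exclude network or removable mounts before running it.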
Line 24: Line 24:
 
#!/bin/bash
 
#!/bin/bash
   
if [ "$EUID" -ne 0 ]
+
if [ "$EUID" -ne 0 ]
then echo "Please run $0 as root"
+
then echo "Please run $0 as root"
exit
+
exit
 
fi
 
fi
 
   
 
while read -r log4j_jar ; do
 
while read -r log4j_jar ; do
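Review bot: the root check in this hunk still ends with a bare `exit`, which returns status 0 right after printing "Please run $0 as root", so a wrapper or cron job calling the script will treat the refusal as success; use `exit 1` there. The remaining changes in the hunk are indentation only and are fine.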
Line 35: Line 34:
 
fi
 
fi
 
if [[ "$log4j_jar" == *"-2.15"* ]] ; then
 
if [[ "$log4j_jar" == *"-2.15"* ]] ; then
#echo "Up to date: $log4j_jar"
+
echo "Up to date: $log4j_jar"
 
continue
 
continue
 
fi
 
fi
 
if [[ "$log4j_jar" == *"-1."* ]] ; then
 
if [[ "$log4j_jar" == *"-1."* ]] ; then
#echo "1.x - safe: $log4j_jar"
+
echo "1.x - safe: $log4j_jar"
 
continue
 
continue
 
fi
 
fi
 
if unzip -l "$log4j_jar" | grep -q JndiLookup.class ; then
 
if unzip -l "$log4j_jar" | grep -q JndiLookup.class ; then
echo "$log4j_jar"
+
echo "Vulnerable: $log4j_jar"
  +
else
  +
echo "Outdated: $log4j_jar"
 
fi
 
fi
done <<< "$(find / '(' -path '/var*' -o -path '/tomcat*' -o -path '/home*' -o -path '/opt*' -o -path '/lib*' -o -path '/usr*' ')' -name 'log4j*.jar')"
+
done <<< "$(find / -name 'log4j*.jar')"
 
</pre>
 
</pre>
   
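Review bot: replacing the path-filtered find with `find / -name 'log4j*.jar'` (last `+` line of this hunk) makes the scan descend into /proc, /sys and /dev and across every mounted network or removable filesystem, which is slow and noisy on servers; prune those with `\( -path /proc -o -path /sys -o -path /dev \) -prune -o ... -print`, or keep a list of start directories. A second point: the "Up to date" branch still decides by the `*"-2.15"*` file-name substring, so a renamed jar or one packaged under a different naming scheme is never assessed by its contents; reading Implementation-Version from META-INF/MANIFEST.MF would be more reliable than the file name.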

Revision as of 19:30, 13 December 2021

Lingoport's Response to Major Software Vulnerabilities

Apache Log4j Security Vulnerabilities

A major security vulnerability allowing for remote code execution on affected systems.

See: https://logging.apache.org/log4j/2.x/security.html

Lingoport Response

Pending further action, Lingoport has shut down all non-critical systems.

Critical systems have been patched by replacing all copies of log4j 2.x with log4j 2.15, followed by a hard reboot.

For Lingoport Clients

The scripts below may be used together to replace all log4j 2.x instances with log4j 2.15.

0. Check if your system is vulnerable with the following script, which will search your system for vulnerable libraries.

This script is designed to be run as root, or via sudo:

#!/bin/bash

if [ "$EUID" -ne 0 ]
then echo "Please run $0 as root"
     exit 1
fi

# Classify every log4j jar on the system: by file name for 2.15 and 1.x,
# and for other 2.x jars by whether the JNDI lookup class is still present.
while read -r log4j_jar ; do
    if [[ -z "$log4j_jar" ]] ; then
        continue
    fi
    if [[ "$log4j_jar" == *"-2.15"* ]] ; then
        echo "Up to date: $log4j_jar"
        continue
    fi
    if [[ "$log4j_jar" == *"-1."* ]] ; then
        echo "1.x - safe: $log4j_jar"
        continue
    fi
    if unzip -l "$log4j_jar" | grep -q JndiLookup.class ; then
        echo "Vulnerable:  $log4j_jar"
    else
        echo "Outdated:    $log4j_jar"
    fi
done <<< "$(find / -name 'log4j*.jar')"


1. Retrieve log4j 2.15:

cd /tmp/
curl -O https://dlcdn.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.zip
unzip apache-log4j-2.15.0-bin.zip

2. Replace other log4j instances on your system with 2.15

The following script will replace vulnerable log4j libraries with 2.15. It searches /var, /tomcat, /home, /opt, /lib and /usr (the paths given to find in the script) for the vulnerable libraries and replaces any that are found.

This script is designed to be run as root or via sudo.

#!/bin/bash

set -e

if [ "$EUID" -ne 0 ]
  then echo "Please run $0 as root"
  exit 1
fi


# Strip the version from a jar path: /x/log4j-core-2.14.1.jar -> /x/log4j-core-
strip_version() {
    target="$1"
    echo "$target" | sed -E 's|-[0-9.]+\.jar|-|'
}

if [[ ! -d /tmp/apache-log4j-2.15.0-bin/ ]] ; then
    echo >&2 "Please retrieve apache log4j 2.15 and unzip it in /tmp before running this script"
    exit 1
fi

while read -r log4j_jar ; do
    if [[ -z "$log4j_jar" ]] ; then
        continue
    fi
    if [[ "$log4j_jar" == *"-2.15"* ]] ; then
        echo "Up to date: $log4j_jar"
        continue
    fi
    if [[ "$log4j_jar" == *"-1."* ]] ; then
        echo "1.x - safe: $log4j_jar"
        continue
    fi
    if unzip -l "$log4j_jar" | grep -q JndiLookup.class ; then
        echo "Vulnerable: $log4j_jar"
        # Replace every log4j jar that sits next to the vulnerable one, so that
        # log4j-core, log4j-api and the other modules move to 2.15.0 together.
        while read -r replace_target ; do
            if [[ -z "$replace_target" ]] ; then
                continue
            fi
            if [[ "$replace_target" == *"-2.15"* ]] ; then
                continue
            fi
            user_group="$(stat -c "%U:%G" "$replace_target")"
            without_version="$(strip_version "$replace_target")"
            patched_jar="$(basename "$without_version")2.15.0.jar"
            if [[ ! -f /tmp/apache-log4j-2.15.0-bin/"$patched_jar" ]] ; then
                echo >&2 "No 2.15.0 equivalent of $replace_target in the download, skipping"
                continue
            fi
            echo "$replace_target - $user_group - $without_version - $patched_jar"
            set -x
            cp /tmp/apache-log4j-2.15.0-bin/"$patched_jar" "$(dirname "$replace_target")"
            chown "$user_group" "$(dirname "$replace_target")/$patched_jar"
            mv "$replace_target" "$replace_target.orig.vulnerable"
            set +x
        done <<< "$(find "$(dirname "$log4j_jar")" -name "log4j*.jar")"
        # Alternative mitigation: keep the jar but delete the JNDI lookup class from it.
        #cp "$log4j_jar" "$log4j_jar.orig.vulnerable"
        #zip -q -d "$log4j_jar" org/apache/logging/log4j/core/lookup/JndiLookup.class
    fi
done <<< "$(find / '(' -path '/var*' -o -path '/tomcat*' -o -path '/home*' -o -path '/opt*' -o -path '/lib*' -o -path '/usr*' ')' -name 'log4j*.jar')"

3. You may wish to run the check script from step 0 a second time to validate the fix.

4. Please reboot your system after replacing your libraries. This will ensure that the patch becomes fully effective.
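The check script in step 0 (and its re-run in step 3) decides "up to date" from the file name, so a jar that has been renamed or packaged under another naming scheme is never assessed by its contents. The following script is an added example, not Lingoport's own, that classifies each jar by the Implementation-Version header in its META-INF/MANIFEST.MF and by whether the JNDI lookup class is present, and keeps find out of /proc, /sys and /dev. It assumes unzip(1) is installed and that the jars carry an Implementation-Version header, as Maven-built log4j jars do; the function names, the MIN_SAFE_VERSION variable and the sample manifests are constructed for the example, and the default threshold of 2.15.0 is simply this page's remediation target.

```shell
#!/bin/sh
# Added example (not Lingoport's script): classify log4j jars by their contents
# instead of their file names. Assumes unzip(1) and an Implementation-Version
# header in each jar's META-INF/MANIFEST.MF. MIN_SAFE_VERSION defaults to the
# page's remediation target, 2.15.0, and can be overridden from the environment.
MIN_SAFE_VERSION="${MIN_SAFE_VERSION:-2.15.0}"

# version_key "2.14.1" -> 2014001: a sortable integer from the first three
# numeric components; suffixes such as "-rc1" and missing components are ignored.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s.' "$v" | cut -d. -f2)
    patch=$(printf '%s..' "$v" | cut -d. -f3)
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# version_ge A B: succeeds when version A is at least version B.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# classify_log4j MANIFEST ENTRY_LIST: print one label for a jar, given its
# manifest text and a listing of its entry names (e.g. the output of unzip -l):
#   up-to-date  version at or above MIN_SAFE_VERSION
#   vulnerable  older version and JndiLookup.class still present
#   outdated    older version without JndiLookup.class (log4j-api, or a core jar
#               whose class was deleted; the manifest still shows the old version)
#   log4j-1.x   log4j 1.x, outside the scope of this page
#   unknown     no Implementation-Version header found
classify_log4j() {
    version=$(printf '%s\n' "$1" | tr -d '\r' |
              sed -n 's/^Implementation-Version: *//p' | head -n 1)
    [ -n "$version" ] || { echo unknown; return 0; }
    case "$version" in
        1.*) echo log4j-1.x; return 0 ;;
    esac
    if version_ge "$version" "$MIN_SAFE_VERSION"; then
        echo up-to-date
    elif printf '%s\n' "$2" | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'; then
        echo vulnerable
    else
        echo outdated
    fi
}

# scan_jar PATH: classify one jar on disk; prints "<label><TAB><path>".
scan_jar() {
    manifest=$(unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null || true)
    entries=$(unzip -l "$1" 2>/dev/null || true)
    printf '%s\t%s\n' "$(classify_log4j "$manifest" "$entries")" "$1"
}

# scan_system [DIR...]: find log4j jars under the given directories (default /),
# skipping the kernel pseudo-filesystems, and classify each one.
scan_system() {
    [ $# -gt 0 ] || set -- /
    find "$@" \( -path /proc -o -path /sys -o -path /dev \) -prune \
         -o -type f -name 'log4j*.jar' -print 2>/dev/null |
    while IFS= read -r jar; do
        scan_jar "$jar"
    done
}

# Constructed sample inputs (not taken from any real system), used by demo.
SAMPLE_CORE_MANIFEST='Manifest-Version: 1.0
Implementation-Version: 2.14.1'
SAMPLE_FIXED_MANIFEST='Manifest-Version: 1.0
Implementation-Version: 2.15.0'
SAMPLE_LOG4J1_MANIFEST='Manifest-Version: 1.0
Implementation-Version: 1.2.17'
SAMPLE_CORE_ENTRIES='META-INF/MANIFEST.MF
org/apache/logging/log4j/core/lookup/JndiLookup.class'
SAMPLE_API_ENTRIES='META-INF/MANIFEST.MF
org/apache/logging/log4j/Logger.class'

demo() {
    printf 'core 2.14.1 with JndiLookup : %s\n' "$(classify_log4j "$SAMPLE_CORE_MANIFEST" "$SAMPLE_CORE_ENTRIES")"
    printf 'api  2.14.1 without it      : %s\n' "$(classify_log4j "$SAMPLE_CORE_MANIFEST" "$SAMPLE_API_ENTRIES")"
    printf 'core 2.15.0                 : %s\n' "$(classify_log4j "$SAMPLE_FIXED_MANIFEST" "$SAMPLE_CORE_ENTRIES")"
    printf 'log4j 1.2.17                : %s\n' "$(classify_log4j "$SAMPLE_LOG4J1_MANIFEST" "$SAMPLE_API_ENTRIES")"
}

# A real scan runs only when asked for, e.g.:  sudo sh log4j-scan.sh --scan /opt /var
case "${1:-}" in
    --scan) shift; scan_system "$@" ;;
    --demo) demo ;;
esac
```

Run it with `--demo` to see the labels on the constructed samples, or as root with `--scan` and an optional list of start directories to classify the jars actually installed. A core jar that was mitigated by deleting JndiLookup.class shows up as "outdated" rather than "vulnerable", because its manifest still carries the old version; that is deliberate, so that such jars remain on the list for a proper upgrade.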