log4j vulnerability scanner
WARNING: As with any tool you download from the Internet…
- Check the source code.
- Don’t run as root or other high-privileged user.
- Run only in a test system and never in prod.
- Keep out of reach of Children.
Here’s some quick notes about using a tool I discovered to check for the recent log4j security vulnerability (Log4Shell, CVE-2021-44228, together with the follow-up CVE-2021-45046, both of which the scanner looks for).
Firstly you’ll need to install golang, clone the local-log4j-vuln-scanner and build the code.
sudo yum install golang
git clone https://github.com/hillu/local-log4j-vuln-scanner.git
cd local-log4j-vuln-scanner
go build -o local-log4j-vuln-scanner ./scanner
There’s also a “patcher”, although I’m not sure I’d touch that atm…
go build -o local-log4j-vuln-patcher ./patcher
I probably wouldn’t do this!
Then, once you’ve fired up a disposable test environment in your favourite cloud, you can run the tool against your instances. I’m using Ansible to make that easy…
Copy scanner to host
ansible all -m copy -a "src=local-log4j-vuln-scanner dest=/tmp/local-log4j-vuln-scanner mode=0300" -i inventory.yml -b -u ec2-user --private-key /home/ec2-user/.ssh/mysecretkey.pem
Execute scanner on hosts
We’ll scan just the /usr and /opt directories here. Any others can be appended to the command. Note that -b (become) runs the scanner as root on the remote hosts; that is what lets it read every file under /usr and /opt, so weigh it against the warning above.
ansible all -m shell -a "/tmp/local-log4j-vuln-scanner /usr /opt" -i inventory.yml -b -u ec2-user --private-key /home/ec2-user/.ssh/mysecretkey.pem
Clean up
ansible all -m file -a "path=/tmp/local-log4j-vuln-scanner state=absent" -i inventory.yml -b -u ec2-user --private-key /home/ec2-user/.ssh/mysecretkey.pem
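The same three steps folded into one Ansible playbook, as an added example that is not from the original post or from the scanner project. It assumes the scanner binary was built in the current directory, that the scanner reports each hit on stdout as a line containing the word “vulnerable” (an assumption about the project’s output format; check it against a known-bad JAR before relying on it), and it uses block/always so the binary is removed from the host even when the scan fails or finds something.

```yaml
# scan-log4j.yml (added example, not part of the original post)
# Usage:
#   ansible-playbook -i inventory.yml -u ec2-user \
#     --private-key /home/ec2-user/.ssh/mysecretkey.pem scan-log4j.yml
- name: Scan hosts for vulnerable log4j copies
  hosts: all
  become: true          # root, so the scanner can read everything under scan_paths
  gather_facts: false
  vars:
    # built with: go build -o local-log4j-vuln-scanner ./scanner
    scanner_src: ./local-log4j-vuln-scanner
    scanner_dest: /tmp/local-log4j-vuln-scanner
    scan_paths:         # append more directories as needed
      - /usr
      - /opt
    # Assumption: each hit is printed to stdout as a line containing "vulnerable"
    hit_pattern: "vulnerable"

  tasks:
    - name: Copy, run and report, always cleaning up afterwards
      block:
        - name: Copy scanner binary to host
          ansible.builtin.copy:
            src: "{{ scanner_src }}"
            dest: "{{ scanner_dest }}"
            mode: "0300"

        - name: Run scanner over the chosen directories
          ansible.builtin.command:
            argv: "{{ [scanner_dest] + scan_paths }}"
          register: scan
          changed_when: false
          failed_when: false   # we judge the result from the output below, not the exit code

        - name: Collect output lines that look like hits
          ansible.builtin.set_fact:
            log4j_hits: "{{ scan.stdout_lines | select('search', hit_pattern) | list }}"

        - name: Show full scanner output for this host
          ansible.builtin.debug:
            var: scan.stdout_lines

        - name: Fail this host if anything vulnerable was found
          ansible.builtin.fail:
            msg: "vulnerable log4j component(s) found: {{ log4j_hits | join(' | ') }}"
          when: log4j_hits | length > 0

      always:
        - name: Remove scanner binary
          ansible.builtin.file:
            path: "{{ scanner_dest }}"
            state: absent
```

On a clean host every task reports ok and the binary is gone at the end; on a host with a hit the play fails for that host with the matching lines in the message, other hosts carry on, and the always block still deletes /tmp/local-log4j-vuln-scanner. Because failed_when is false, a scanner that cannot read a directory will not silently pass: its stderr is in scan.stderr, so add that to the debug task if you want it shown too.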