WARNING: As with any tool you download from the Internet…

  • Check the source code.
  • Don’t run as root or other high-privileged user.
  • Run only in a test system and never in prod.
  • Keep out of reach of Children.

Here are some quick notes on using a tool I discovered to check for the recent log4j security vulnerability (otherwise known as CVE-2021-45046).

Firstly, you’ll need to install golang, clone local-log4j-vuln-scanner and build the code.

sudo yum install golang
git clone https://github.com/hillu/local-log4j-vuln-scanner.git
cd local-log4j-vuln-scanner
go build -o local-log4j-vuln-scanner ./scanner

There’s also a “patcher”, although I’m not sure I’d touch that atm…

go build -o local-log4j-vuln-patcher ./patcher - I probably wouldn't do this!

Then, once you’ve fired up a disposable test environment in your favourite cloud, you can run the tool against your instances. I’m using Ansible to make that easy…

Copy scanner to host

ansible all -m copy -a "src=local-log4j-vuln-scanner dest=/tmp/local-log4j-vuln-scanner mode=0300" -i inventory.yml -b -u ec2-user --private-key /home/ec2-user/.ssh/mysecretkey.pem

Execute scanner on hosts

We’ll scan just the /usr and /opt directories here. Any other directories can be appended to the command.

ansible all -m shell -a "/tmp/local-log4j-vuln-scanner /usr /opt" -i inventory.yml -b -u ec2-user --private-key /home/ec2-user/.ssh/mysecretkey.pem

Clean up

ansible all -m file -a "path=/tmp/local-log4j-vuln-scanner state=absent" -i inventory.yml -b -u ec2-user --private-key /home/ec2-user/.ssh/mysecretkey.pem
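The same three ad hoc steps as a single playbook, so the scanner binary is removed from every host even if the scan task fails part way through. This is an added example, not code from the original post or from the local-log4j-vuln-scanner project; the scanner path, the temporary location and the scanned directories are assumptions taken from the commands above.

```yaml
# Added example (not from the original post): copy, run and always remove
# local-log4j-vuln-scanner. scanner_src, scanner_dest and scan_dirs are
# assumed values matching the ad hoc commands above.
- name: Scan hosts for vulnerable log4j classes with local-log4j-vuln-scanner
  hosts: all
  become: true
  vars:
    scanner_src: ./local-log4j-vuln-scanner    # binary produced by 'go build' above
    scanner_dest: /tmp/local-log4j-vuln-scanner
    scan_dirs:                                 # append further directories here
      - /usr
      - /opt
  tasks:
    - name: Copy, run and remove the scanner
      block:
        - name: Copy scanner to host (execute-only for the owner, as in the post)
          ansible.builtin.copy:
            src: "{{ scanner_src }}"
            dest: "{{ scanner_dest }}"
            mode: "0300"

        - name: Run scanner against the configured directories
          ansible.builtin.command:
            cmd: "{{ scanner_dest }} {{ scan_dirs | join(' ') }}"
          register: scan
          changed_when: false
          failed_when: false   # keep going on every host; rc is reported below

        - name: Show scanner output per host
          ansible.builtin.debug:
            msg:
              rc: "{{ scan.rc }}"
              stdout: "{{ scan.stdout_lines }}"
              stderr: "{{ scan.stderr_lines }}"
      always:
        - name: Clean up the scanner binary
          ansible.builtin.file:
            path: "{{ scanner_dest }}"
            state: absent
```

Run it with the same connection options as the ad hoc commands, e.g. ansible-playbook -i inventory.yml -u ec2-user --private-key /home/ec2-user/.ssh/mysecretkey.pem log4j-scan.yml (the playbook file name is an assumption).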