log4j vulnerability scanner
WARNING: As with any tool you download from the Internet…
- Check the source code.
- Don’t run as root or other high-privileged user.
- Run only in a test system and never in prod.
- Keep out of reach of children.
Here are some quick notes about using a tool I discovered to check for the recent log4j security vulnerability (otherwise known as CVE-2021-45046).
First, you'll need to install Go (golang), clone local-log4j-vuln-scanner and build the code.
There’s also a “patcher”, although I’m not sure I’d touch that atm…
Then, once you've fired up a disposable test environment in your favourite cloud, you can run the tool against your instances. I'm using Ansible to make that easy…
Copy scanner to host
Execute scanner on hosts
We'll scan just the /user and /opt directories here. Any others can be appended to the command.
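As an added example of the "copy" and "execute" steps above (my own playbook, not code from the original post or from the scanner project), here is an Ansible playbook that pushes the built binary to each host, runs it as the unprivileged SSH user and keeps a per-host report. It assumes the binary was built to ./local-log4j-vuln-scanner on the control node, a hypothetical inventory group called log4j_test, and /opt and /usr as the directories to scan; the tool's positional directory arguments are the only option used.

```yaml
# Added example playbook (not from the original post).
# Assumptions: scanner binary at ./local-log4j-vuln-scanner on the control node,
# inventory group "log4j_test", directories /opt and /usr.
- name: Scan test hosts for vulnerable log4j classes
  hosts: log4j_test
  become: false                 # per the warning above: never run the scanner as root
  vars:
    scanner_src: ./local-log4j-vuln-scanner
    scanner_dest: /tmp/local-log4j-vuln-scanner
    scan_dirs:                  # append any other directories to this list
      - /opt
      - /usr
  tasks:
    - name: Copy scanner to host
      ansible.builtin.copy:
        src: "{{ scanner_src }}"
        dest: "{{ scanner_dest }}"
        mode: "0755"

    - name: Execute scanner on hosts
      ansible.builtin.command:
        # The scanner takes the directories to scan as positional arguments.
        argv: "{{ [scanner_dest] + scan_dirs }}"
      register: scan
      changed_when: false       # the scan only reads files, so never report a change
      failed_when: false        # keep stdout/stderr even if the scanner exits non-zero

    - name: Show scanner output
      ansible.builtin.debug:
        var: scan.stdout_lines

    - name: Save each host's report on the control node
      ansible.builtin.copy:
        content: "{{ scan.stdout }}\n{{ scan.stderr }}\n"
        dest: "./reports/{{ inventory_hostname }}.txt"
      delegate_to: localhost
```

Because the scan runs unprivileged, files the SSH user cannot read are silently out of scope; check stderr in the saved report for permission errors rather than assuming a clean result.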