Some of my Arctic Wolf customers and colleagues asked me to post here and share our Log4Shell vulnerability detection scripts with the Automox community:
- GitHub: https://github.com/rtkwlf/wolf-tools/tree/main/log4shell
- Windows PowerShell: https://github.com/rtkwlf/wolf-tools/blob/main/log4shell/log4shell_deep_scan.ps1
- Linux/macOS sh: https://github.com/rtkwlf/wolf-tools/blob/main/log4shell/log4shell_deep_scan.sh
The Arctic Wolf Log4Shell Deep Scan is designed to detect Java application packages subject to CVE-2021-44228 and CVE-2021-45046.
The scripts search the system for Java applications that contain the Log4J class JndiLookup.class, which is the source of the Log4Shell vulnerabilities. If this class is found within an application, the script looks for updates to Log4J that indicate the application has been updated to use Log4J 2.16+ or Log4J 2.12.2+. If the application contains JndiLookup.class but does not appear to have been updated, the application is vulnerable.
If you have any questions about the script or feedback, let me know!
- David Ries
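The detection logic the post describes, as an added example in Python that is not the Arctic Wolf script: it opens a jar and any jars nested inside it (the "deep" part), flags JndiLookup.class, and reads log4j-core's bundled pom.properties to apply the 2.16+ / 2.12.2+ rule. The pom.properties path, the verdict strings and the sample-jar builder are assumptions made for this demo.

```python
import io
import re
import zipfile

# Class the post names as the source of Log4Shell, and the Maven metadata log4j-core ships with.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", re.M)


def is_fixed(version):
    """The post's rule: fixed if Log4j 2.16+ or 2.12.2+ (2.12.x is the Java 7 branch)."""
    major, minor, patch = version
    if major != 2:
        return False
    return patch >= 2 if minor == 12 else minor >= 16


def scan_archive(data, path="<root>"):
    """Return (path, verdict) for this archive and every archive nested inside it."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                m = VERSION_RE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
                if m:
                    version = tuple(int(x or 0) for x in m.groups())
            if version is None:
                verdict = "version-unknown"  # JndiLookup present; needs manual review
            else:
                verdict = "patched" if is_fixed(version) else "vulnerable"
            results.append((path, verdict))
        # Deep scan: recurse into jars/wars bundled inside this one (fat jars, app servers).
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                results.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return results


def build_sample_jar(version=None, include_jndi=True, nested=()):
    """Constructed sample archive for the demo (not a real log4j-core jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
        if version is not None:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        for name, inner in nested:
            zf.writestr(name, inner)
    return buf.getvalue()
```

A jar that carries JndiLookup.class without readable Maven metadata is reported as version-unknown rather than clean, since the class is present and the patch level cannot be confirmed.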
Oh dang..score! Thanks,
QUICK UPDATE - due to the amazingly high quality of this script, it’s now available as a tested/approved worklet to our entire install base and can be found here in the Worklet Catalog. This is one of the best log4j remediation approaches we’ve seen, so our team made it official. Some screenshots can be seen below:
Big thanks to @DavidRies and the folks at ArcticWolf for this one!