Esben_D (Lansweeper Employee)
I've created a Log4j blog post containing much of the information that has become available around this vulnerability.

We created two rudimentary reports, one based on software publishers and one based on event logs. However, I presume most people will be able to make better use of the default reports (software installed, services installed, and processes running) on an individual basis, depending on which services/software are used within their environment.

You can read more about the log4j vulnerability here.
2 Comments
Esben_D (Lansweeper Employee)
The report and blog were updated yesterday to include more info and more publishers that have been affected.
Hendrik_VE (Champion Sweeper III)
For those interested, you can find a PowerShell script below (based on the one from GitHub) that searches for vulnerable log4j libraries. The result is written to the event log, on which you can create a report in Lansweeper.

<# Get-Log4shellVuln.ps1
.SYNOPSIS
Get-Log4shellVuln.ps1 scans all local drives for log4j jar files and analyzes the contents of each jar file to determine if it is vulnerable to the #log4shell (CVE-2021-44228) vulnerability.
.DESCRIPTION
Review all local disks for any log4j jar files, extract the manifest from the file and determine if the version is 2.16 or lower (the check below flags 2.0 through 2.16 when the JndiLookup class is still present).
Output to console the status of individual files and the global result at the end.
Record the list of all jar files in log4j.csv, manifest versions in log4j-manifest.csv, and finally the presence of the jndi class in log4j-jndi.csv.
Requires .NET 4 or later.
Use Update-Log4shellVuln.ps1 to mitigate the vulnerability by deleting the JndiLookup.class from within the vulnerable JAR files. (Note: Industry recommendation is to upgrade, but this may be a good temporary stop-gap.)

Output files (written to $logFolder, which defaults to %TEMP%):
"$logFolder\log4j-result.txt"   # Final result of script, 'Not Vulnerable' or 'Vulnerable'
"$logFolder\log4j.csv"          # List of all log4j*.jar files
"$logFolder\log4j-manifest.csv" # List of all log4j*.jar files and their manifest version
"$logFolder\log4j-vuln.csv"     # List of only vulnerable log4j*.jar files
"$logFolder\log4j-jndi.csv"     # List of JndiLookup.class files within jar files
#>
param (
    [Parameter(Mandatory = $false)]
    [string]
    $logFolder = "$env:temp"
)
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$resultFile = "$logFolder\log4j-result.txt"          # Final result of script, 'Not Vulnerable' or 'Vulnerable'
$log4jCsv = "$logFolder\log4j.csv"                   # List of all log4j*.jar files
$targetManifestFile = "$logFolder\log4j-manifest.txt" # Temporary file for the extracted manifest
$manifestCsv = "$logFolder\log4j-manifest.csv"       # List of all log4j*.jar files and their manifest version
$vulnerableCsv = "$logFolder\log4j-vuln.csv"         # List of only vulnerable log4j*.jar files
$jndiCsv = "$logFolder\log4j-jndi.csv"               # List of JndiLookup.class files within jar files
$log4Filter = "log4j*.jar"
Remove-Item $vulnerableCsv -Force -ErrorAction SilentlyContinue

# Enumerate every local (non-mapped) filesystem drive and collect all matching jar files
$jarFiles = Get-PSDrive -PSProvider FileSystem | Where-Object { !$_.DisplayRoot } |
    Select-Object -ExpandProperty Root |
    Get-ChildItem -File -Recurse -Filter $log4Filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq ".jar" } |
    Select-Object -ExpandProperty FullName

#### To scan a single folder instead of all drives, use:
#### $jarFiles = Get-ChildItem $logFolder -File -Recurse -Filter $log4Filter -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
if ($jarFiles) { $jarFiles | Out-File $log4jCsv }
$global:result = $null
$output = $null
foreach ($jarFile in $jarFiles) {
    Write-Output "$($jarFile.ToString())"
    $global:jndiExists = $false
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($jarFile)
    } catch {
        Write-Output "Could not open $jarFile : $($_.Exception.Message)"
        continue
    }
    # Record every JndiLookup.class entry found inside the jar
    $zip.Entries |
        Where-Object { $_.Name -like 'JndiLookup.class' } | ForEach-Object {
            $output = "$($jarFile.ToString()),$($_.FullName)"
            Write-Output $output
            $output | Out-File -Append $jndiCsv
            if ($null -eq $global:result) { $global:result = "Jndi class exists" }
            $global:jndiExists = $true
        }
    # Extract the manifest and compare the Implementation-Version against the vulnerable range
    $zip.Entries |
        Where-Object { $_.FullName -eq 'META-INF/MANIFEST.MF' } | ForEach-Object {
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($_, $targetManifestFile, $true)
            $implementationVersion = Get-Content $targetManifestFile | Where-Object { $_ -like 'Implementation-Version: *' } | Select-Object -First 1
            Remove-Item $targetManifestFile -ErrorAction SilentlyContinue
            if (-not $implementationVersion) { return } # manifest without a version line: nothing to compare
            Write-Output $implementationVersion
            "$($jarFile.ToString()),$implementationVersion" | Out-File -Append $manifestCsv
            # Take only the leading major.minor digits so values such as '2.0-beta9' do not break the [int] cast
            if ($implementationVersion -match 'Implementation-Version:\s*(\d+)\.(\d+)') {
                if ([int]$Matches[1] -eq 2 -and [int]$Matches[2] -le 16) {
                    Write-Output "log4shell vulnerable version"
                    if ($global:jndiExists) {
                        "$($jarFile.ToString())" | Out-File -Append $vulnerableCsv
                        $global:result = "Vulnerable"
                    }
                }
            }
        }
    $zip.Dispose() # release the file handle on the jar
}
if ($null -eq $global:result) { $global:result = "Not Vulnerable" }
if (!$jarFiles) { $global:result = "No jar files matching the filter criteria '$($log4Filter)' found on this system" }
$global:result | Out-File $resultFile

Write-Output "$global:result"

# Write the result to the Application event log (event ID 999) so Lansweeper can report on it;
# $output holds the last JndiLookup.class hit, if any
EventCreate /L Application /T Error /ID 999 /D "$global:result"
if ($output) { EventCreate /L Application /T Error /ID 999 /D "$output" }



This is the Lansweeper report for the specific event code:

Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysOS.OSname As OS,
  tblAssets.Lastseen,
  tblNtlog.TimeGenerated,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID = tblNtlog.SourcenameID
  Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
  Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblNtlog.TimeGenerated > GetDate() - 7
  And tblNtlogSource.Sourcename Like '%eventcreate%'
  And tblNtlog.Eventcode = 999
  And Case tblNtlog.Eventtype
    When 1 Then 'Error'
    When 2 Then 'Warning'
    When 3 Then 'Information'
    When 4 Then 'Security Audit Success'
    When 5 Then 'Security Audit Failure'
  End = 'Error'
  And tblState.Statename = 'Active'
Order By tblNtlog.TimeGenerated Desc,
  tblAssets.Domain
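The jar inspection that the script above performs (read META-INF/MANIFEST.MF, parse Implementation-Version, check whether JndiLookup.class is still inside the archive, then combine the two into a verdict) is easy to port and test off Windows. The Python below is an added example written for this thread; it is not Hendrik_VE's code nor the GitHub script his version is based on. It keeps the same thresholds (2.x with minor version 16 or lower, flagged only while the JNDI class is present) and adds handling for the two inputs that break a naive `[int]` cast: a version such as `2.0-beta9` and a manifest with no version line. The sample jars are constructed in memory with a placeholder class entry, so nothing here requires a real log4j build; the `scan_directory` filter and file names are assumptions, not something the post specifies.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Thresholds mirror the forum script: a 2.x jar with minor version <= 16 counts as
# affected only while the JNDI lookup class is still inside the archive (assumption
# carried over from the post, not an official log4j version table).
VULNERABLE_MAJOR = 2
VULNERABLE_MAX_MINOR = 16
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class JarFinding:
    path: str
    version: Optional[str]
    jndi_class_present: bool
    status: str


def parse_version(version: Optional[str]) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from '2.14.1' or '2.0-beta9'; None when there is nothing to compare."""
    if not version:
        return None
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def read_manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Pull Implementation-Version out of META-INF/MANIFEST.MF without extracting to disk."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
    except KeyError:  # no manifest entry in this jar
        return None
    for line in raw.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def analyze_jar_bytes(path: str, data: bytes) -> JarFinding:
    """Classify one jar with the same decision the PowerShell script makes, plus the unknown-version case."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = read_manifest_version(zf)
        jndi = any(name.endswith("/JndiLookup.class") for name in zf.namelist())
    parsed = parse_version(version)
    if parsed is None:
        status = "Jndi class exists, version unknown" if jndi else "Version unknown"
    elif parsed[0] == VULNERABLE_MAJOR and parsed[1] <= VULNERABLE_MAX_MINOR:
        status = "Vulnerable" if jndi else "Mitigated (JndiLookup.class removed)"
    else:
        status = "Not Vulnerable"
    return JarFinding(path, version, jndi, status)


def scan_directory(root: str) -> List[JarFinding]:
    """Walk a directory tree for log4j*.jar files (the script's filter, assumed here) and classify each."""
    findings: List[JarFinding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().startswith("log4j") and name.lower().endswith(".jar"):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as fh:
                        findings.append(analyze_jar_bytes(full, fh.read()))
                except (OSError, zipfile.BadZipFile) as exc:
                    findings.append(JarFinding(full, None, False, f"Unreadable: {exc}"))
    return findings


def overall_result(findings: Iterable[JarFinding]) -> str:
    """Collapse per-jar findings into the single verdict the event-log report keys on."""
    return "Vulnerable" if any(f.status == "Vulnerable" for f in findings) else "Not Vulnerable"


def build_sample_jar(version: Optional[str], include_jndi: bool) -> bytes:
    """Constructed fixture (not a real log4j build): minimal jar with a manifest and optional class stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\r\n"
        if version is not None:
            manifest += f"Implementation-Version: {version}\r\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only; placeholder content
    return buf.getvalue()


if __name__ == "__main__":
    samples = [  # constructed inputs covering the vulnerable, mitigated, beta and fixed cases
        ("log4j-core-2.14.1.jar", build_sample_jar("2.14.1", True)),
        ("log4j-core-2.14.1-patched.jar", build_sample_jar("2.14.1", False)),
        ("log4j-core-2.0-beta9.jar", build_sample_jar("2.0-beta9", True)),
        ("log4j-core-2.17.1.jar", build_sample_jar("2.17.1", True)),
    ]
    results = [analyze_jar_bytes(p, d) for p, d in samples]
    for r in results:
        print(f"{r.path}: version={r.version} jndi={r.jndi_class_present} -> {r.status}")
    print(overall_result(results))
```

Run it as-is to see the four constructed cases classified, or call `scan_directory` on a real path to walk a tree the way the PowerShell version walks every local drive. The "Mitigated" status is the case the script's own `Update-Log4shellVuln.ps1` produces (class deleted, version unchanged); keeping it separate from "Not Vulnerable" lets a report show which hosts still depend on the stop-gap rather than an upgrade.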