Confronting the Log4Shell vulnerability in your environment has seemed anything but “easy” due to its prevalence in Java applications. Rapid remediation is critical. In this blog, Qualys offers some advice – and a new utility – to speed up the process.
Remediation is a critical step to ensure that attackers do not exploit the Log4Shell vulnerable assets in your environment. As most organizations have multiple Java-based applications in their environment. _and _most Java-based applications use Log4J, the scope of this problem is significant. In addition, the ease of exploitation of this vulnerability makes it a race against time to remediate the issue as quickly and effectively as possible.
While Log4Shell is one of the most serious vulnerabilities ever discovered, remediating it is rapidly becoming a faster process than you might think.
The answer is upgrades and patches… with a little help from Qualys. Let’s review your options:
Many of the applications installed in your environment are developed by vendors. As with any application, these third-party applications may be vulnerable to Log4Shell. Most vendors will test their application(s) to ensure that they are not vulnerable for Log4Shell and, if they are, will release a patch to fix the vulnerability.
Qualys recommends customers analyze the risk involved in waiting for the application vendor’s patch to be released. If the risk can be mitigated, then Qualys Patch Management can be used to deploy the vendor’s patch as soon as it is available.
On the Apache Log4j webpage (Apache Log4j Security Vulnerabilities), the following actions are recommended to mitigate Log4Shell (CVE-2021-44228):
Based on application patching best practices, some may assume that patching a vulnerable application by upgrading the Log4j library may break the application and will require extensive testing to ensure it doesn’t happen.
Therefore, a less risky remediation option might be to remediate the vulnerability by removing the JndiLookup class. Indeed, this action is becoming a popular method by many organizations as the immediate remediation option.
Organizations can use Qualys Patch Management to perform both remediation actions more quickly than before. How?
Qualys has released an open source tool that helps our customers perform the removal. It simplifies the complexity of remediating Log4Shell utilizing the removal of the JndiLookup class.
The remediation utility removes all instances of the JndiLookup class from all the vulnerable Log4j libraries found on any and all of your assets. ****
The initial challenge with Log4Shell remediation is _finding _all vulnerable Log4j instances in the asset. The Jndilookup class can be found inside a Jar, inside a nested jar (essentially an archive inside an archive), or inside any other types of archives (war, ear, zip etc.) located anywhere on the disk.
To ensure that all instances on a specific asset are remediated, the Qualys remediation utility relies on the findings as reported by the Qualys Log4jScanner utility. (To learn more about Qualys open source scan utility, please refer to our blog: Out-of-Band Detection for Log4Shell.)
The scan utility must run on each asset before running the remediation tool.
What are the benefits of using this remediation tool with Qualys Patch Management?
Existing Qualys Patch Management customers can follow these four steps to remediate Log4Shell in their assets.
Download the remediation tool from GitHub.
Store the Log4jRemediate.exe file on a Web server (internally or externally), so all your agents can access it over HTTP.
Create a new Job in Patch Management and select a tag (or individual assets) that represent the assets you would like to remediate.
In the pre-action step, add a new Install Software action and configure it as follows:
Install script:
This PowerShell script is executed by the agent, then is used to run the remediation utility and report its results to the Qualys platform. This script can be customized based on the customer’s needs. Note: In case the Java application is running, it is best to use the script to stop the Java application before the remediation tool runs. The remediation tool may fail if the Java process prevents it from removing the JndiLookup class.
Here is an example of a script that can be used to run the remediation tool:
[string]$QualysProgramDataLocation = $Env:ProgramData + "\Qualys\QualysAgent\PatchManagement\PatchDownloads\"
[string]$PackageName = "Log4jRemediate.exe"
$Log4jRemediateFullPath = $QualysProgramDataLocation + $PackageName
$Arguments = "/remediate_sig"
function Start-Program {
param (
[ValidateNotNullOrEmpty()]
[string]
$ProgramFullPath,
[Parameter(Mandatory = $false)]
[string]
$Arguments
)
try {
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = $ProgramFullPath
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
if ($null -ne $Arguments) {
$pinfo.Arguments = $Arguments
}
$pinfo.WorkingDirectory = Get-Location
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
$p.WaitForExit()
if(Test-Path -Path "$Env:ProgramData\Qualys\remediation_status.out") {
$content = (Get-Content -Path "$Env:ProgramData\Qualys\remediation_status.out" -Encoding utf8) -join "`n"
Write-Host "Process Stdout:"
Write-Host $content
}
else {
Write-Host "Remediation status file not found"
}
Write-Host "Exit Code: "$p.ExitCode
return $p.ExitCode
}
catch {
Write-Host -ForegroundColor DarkRed "Failed to execute program" $_.Exception.Message
return 1
}
}
if (Test-Path $Log4jRemediateFullPath) {
Write-Host "Found $PackageName at "$Log4jRemediateFullPath
}
else {
Write-Host "$PackageName does not exist at "$Log4jRemediateFullPath
exit 1;
}
Write-Host "Launching $PackageName..."
$ReturnCode = Start-Program $Log4jRemediateFullPath $Arguments
if ($ReturnCode -eq 0) {
Write-Host "$PackageName returned success."
exit 0;
}
else {
Write-Host "$PackageName returned failure. See output for more details."
exit 1
}
Finish all the other steps required to create a new job and enable the job.
Use the Job tab and specifically the Job progress page to check on the progress and results of this job.
Note: There is no need to add patches to the job. Qualys Patch jobs can run actions without deploying patches from the same job.
For more information on Qualys Patch Management, please visit:
Patch Management Getting Started Guide | Patch Management Online Help