Test this content before applying it to production systems.

Usage

Download the latest package from the releases page here: https://github.com/VerveIndustrialProtection/CVE-2021-44228-Log4j/releases and then import the Fixlets, Analyses, and Computer Group into a site and apply computer subscriptions.

Detection Methods

There are three detection methods available for each supported Operating System. It's important to understand the differences between these detectors before using them.

That being said, the way you use all detections is exactly the same. You simply action them against your devices using the OS-specific detection Fixlet and then review the results using the universal Warning-* Fixlets or the universal analysis for triage information.

All detection methods correctly catalog beta/alpha versions.

Method                         Impact         Runtime  True Positive  True Negative  False Positive  False Negative
Verve Log4j Detector           Extremely Low  <1s      Good           Good           Very Good       Poor
Verve Log4j Enhanced Detector  Low            1-15s    Very Good      Very Good      Very Good       Very Good
Verve Log4j Full System Scan   High           5-30m    Very Good      Very Good      Very Poor       Very Good

The False Positive and False Negative columns rate how well a method avoids them: "Very Good" means very few, "Poor" means many.

Verve Log4j Detector

The Verve Log4j Detector is an ultra-fast, low-impact detection mechanism. It does a simple search for Java processes that have loaded log4j JARs. It does not look inside JARs/WARs/etc for embedded Log4j libraries and is therefore likely to produce false negatives (an application JAR or WAR that bundles its own copy of log4j-core will be missed).

It also cannot tell the difference between a JAR that has had its JNDI lookup class (JndiLookup) removed (a potential mitigation) and one that has not, so mitigated JARs are still reported.

Use this to get a good sense of what you need to start work on immediately: it produces very few false positives, so the results can be acted on right away.

These Fixlets have minimal prerequisites. The Windows one downloads the Sysinternals tool Handle to do the heavy lifting.

The Fixlets for this method are:

  • Invoke - Verve Log4j Detector - Linux
  • Invoke - Verve Log4j Detector - Windows

Verve Log4j Enhanced Detector

The Verve Log4j Enhanced Detector extends the ultra-fast, low-impact detection mechanism previously described: it uses it to identify processes on the system that have loaded JARs/WARs/etc, then hands those files to a dissection tool that looks inside each JAR/WAR/etc (including nested archives) for embedded Log4j libraries. This method can detect JARs whose JNDI lookup class has been removed and, as a result, does not report them as vulnerable.

This method has a higher impact on the system, directly proportional to the number of JAR/WAR/etc files the running processes have open. That being said, it is always lower impact than a file system scan. These Fixlets have some prerequisites: both require a Java Runtime, so a portable JRE 8 runtime is downloaded as part of the action, used to run the detection, and then discarded.

The Fixlets for this method are:

  • Invoke - Verve Log4j Enhanced Detector - Linux
  • Invoke - Verve Log4j Enhanced Detector - Windows
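The following is an added example, not code from the Verve package, showing the two stages the Enhanced Detector chains together: stage 1 is the plain Detector's approach (list the archives a Java process has mapped, read here from the /proc/<pid>/maps format on Linux), and stage 2 is the dissection step (open each archive, recurse into nested JARs/WARs, read the log4j-core version from its Maven pom.properties, and check whether JndiLookup.class is still present). The version-to-CVE mapping follows the Apache Log4j security advisories for the three CVEs the Warning-* Fixlets report; removing JndiLookup.class is treated as mitigating only the two JNDI issues, not the CVE-2021-45105 recursion DoS, which is this example's own design choice. The maps excerpt, file paths and in-memory archives are constructed for the example; on a live host the read_archive callback would be open(path, "rb").read().

```python
import io
import re
import zipfile

ARCHIVE_RE = re.compile(r".+\.(?:jar|war|ear|zip)$", re.IGNORECASE)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PRERELEASE = {"alpha": -3, "beta": -2, "rc": -1}
# CVE, first/last affected version, security releases that fix it (a version on the
# same 2.x branch at or above one of them is fixed), and whether removing
# JndiLookup.class mitigates it (it does not for the CVE-2021-45105 recursion DoS).
ADVISORIES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", ("2.3.1", "2.12.2", "2.15.0"), True),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.3.1", "2.12.2", "2.16.0"), True),
    ("CVE-2021-45105", "2.0-alpha1", "2.16.0", ("2.3.1", "2.12.3", "2.17.0"), False),
]

def loaded_archives(maps_text):
    """Stage 1 (the plain Detector): distinct archives mapped by a process, from /proc/<pid>/maps."""
    found = []
    for line in maps_text.splitlines():
        fields = line.split()  # path is the 6th field; paths containing spaces would need map_files/
        if len(fields) >= 6 and ARCHIVE_RE.match(fields[-1]) and fields[-1] not in found:
            found.append(fields[-1])
    return found

def parse_version(text):
    """'2.0-beta9' -> (2, 0, -2, 9); '2.14.1' -> (2, 14, 0, 1); pre-releases sort before the release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", text, re.I)
    if not m:
        raise ValueError("unrecognised log4j version %r" % text)
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(4):
        return (major, minor, PRERELEASE[m.group(4).lower()], int(m.group(5) or 0))
    return (major, minor, 0, int(m.group(3) or 0))

def cves_for(version, jndi_present):
    """CVEs that apply to a log4j-core build of this version."""
    v, hits = parse_version(version), []
    for cve, lo, hi, fixed_in, needs_jndi in ADVISORIES:
        if not parse_version(lo) <= v <= parse_version(hi):
            continue
        if any(v[:2] == parse_version(f)[:2] and v >= parse_version(f) for f in fixed_in):
            continue  # back-ported security release on this branch
        if needs_jndi and not jndi_present:
            continue  # JndiLookup.class removed, the JNDI code path is gone
        hits.append(cve)
    return hits

def dissect(data, path):
    """Stage 2 (the dissection): (path, version or None, jndi_present) per log4j-core, nested included."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            findings.append((path, m.group(1).strip() if m else None, JNDI_CLASS in names))
        elif JNDI_CLASS in names:
            findings.append((path, None, True))  # shaded copy without Maven metadata
        for name in sorted(names):
            if ARCHIVE_RE.match(name):
                findings.extend(dissect(zf.read(name), path + "!" + name))
    return findings

def triage(maps_text, read_archive):
    """Both stages; read_archive(path) returns the archive bytes (open(path, 'rb').read() on a host)."""
    report = []
    for path in loaded_archives(maps_text):
        for inner, version, jndi in dissect(read_archive(path), path):
            cves = cves_for(version, jndi) if version else ["version unknown, review manually"]
            report.append({"path": inner, "version": version, "jndi": jndi, "cves": cves})
    return report

def make_archive(entries):
    """Constructed test data: an in-memory zip built from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def log4j_core_jar(version, keep_jndi):
    entries = {POM_PROPS: "artifactId=log4j-core\nversion=%s\n" % version}
    if keep_jndi:
        entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    return make_archive(entries)

# Constructed /proc/<pid>/maps excerpt: a core JAR with JndiLookup stripped, the API JAR,
# a WAR bundling an old beta core, a native library, and a duplicate mapping.
SAMPLE_MAPS = """\
7f1a3c000000-7f1a3c400000 r--s 00000000 08:01 131072 /opt/app/lib/log4j-core-2.14.1.jar
7f1a3c400000-7f1a3c600000 r--s 00000000 08:01 131073 /opt/app/lib/log4j-api-2.14.1.jar
7f1a3c600000-7f1a3d000000 r--s 00000000 08:01 131074 /opt/app/app.war
7f1a3d000000-7f1a3d100000 r-xp 00000000 08:01 4321 /usr/lib/jvm/java-8/lib/libjava.so
7f1a3c000000-7f1a3c400000 r--s 00000000 08:01 131072 /opt/app/lib/log4j-core-2.14.1.jar
"""
SAMPLE_ARCHIVES = {
    "/opt/app/lib/log4j-core-2.14.1.jar": log4j_core_jar("2.14.1", keep_jndi=False),
    "/opt/app/lib/log4j-api-2.14.1.jar": make_archive({"org/apache/logging/log4j/Logger.class": b""}),
    "/opt/app/app.war": make_archive({"WEB-INF/lib/log4j-core-2.0-beta9.jar": log4j_core_jar("2.0-beta9", True)}),
}

def sample_report():
    return triage(SAMPLE_MAPS, SAMPLE_ARCHIVES.__getitem__)
```

On the sample data, sample_report() flags the stripped 2.14.1 core JAR for CVE-2021-45105 only and the beta core nested inside the WAR for all three CVEs; the API JAR, the native library and the duplicate mapping produce nothing. This is also why stage 1 alone gives false negatives: the WAR's filename says nothing about what it bundles. A shaded copy of log4j that lacks the Maven pom.properties is reported with an unknown version for manual review rather than silently dropped.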

Verve Log4j Full System Scan

The Verve Log4j Full System Scan relies on Logpresso and is a high-impact detection mechanism. It looks inside of JARs/WARs/etc to identify Log4j libraries.

Unlike the other methods, this one finds Log4j files that are on disk but not loaded by any running process.

Examples include:

  • Programs not currently running
  • Installers in Downloads Folder
  • Old applications on secondary Hard Disks
  • Misc folders unrelated to the intended usage of the system

This method produces a lot of data and a lot of false positives. An operator needs to analyze the results before they are useful for remediation.

We recommend using the other methods when possible.

The Fixlets for this method are:

  • Invoke - Verve Log4j Full System Scan - Linux
  • Invoke - Verve Log4j Full System Scan - Windows

Reviewing Results

To review the results of the detection Fixlets you can view the Analysis called: Verve Log4j Detector - Results - Universal

In addition, once the Fixlets have finished, the following additional Fixlets become relevant on vulnerable machines:

  • Warning - Verve Log4j Detector reports CVE-2021-44228 - Universal
  • Warning - Verve Log4j Detector reports CVE-2021-45046 - Universal
  • Warning - Verve Log4j Detector reports CVE-2021-45105 - Universal

Cleanup

A Fixlet called Invoke - Clear all Verve Log4j Detector results - Universal is available which wipes any scan results from the system.

Troubleshooting

If you have any issues please file an issue on the repository and include the results for that computer from the Verve Log4j Detector - Debug - Universal analysis.

License

This content is produced, maintained and copyrighted by Verve Industrial Protection. You may use and distribute this content freely but you may not remove this notice. If you modify this content or derive other content from this content you must make the modified content available for free under these same terms. This content carries no Express or Implied Warranty. THE LICENSED PROPERTY IS PROVIDED "AS IS", WITH ALL FAULTS. THERE ARE NO WARRANTIES OR GUARANTEES, EXPRESS OR IMPLIED, RELATING TO THE VERVE INDUSTRIAL PROTECTION IP, THE PROPRIETARY KNOWLEDGE, OR OTHER SERVICES OR PRODUCTS TO BE PROVIDED HEREUNDER, OR ANY PROSPECTS OR OUTCOME THEREOF. VERVE INDUSTRIAL PROTECTION DISCLAIMS ANY AND ALL, AND INSTRUCTOR ACKNOWLEDGES AND AGREES THAT THERE ARE NO, REPRESENTATIONS, WARRANTIES, COVENANTS, OR CONDITIONS, WHETHER EXPRESS, IMPLIED, ARISING AT LAW, IN EQUITY, OR BY CUSTOM OF TRADE, STATUTORY OR OTHERWISE, ORAL OR WRITTEN, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. FURTHER, VERVE INDUSTRIAL PROTECTION DOES NOT WARRANT THAT THE LICENSED PROPERTY IS ERROR-FREE OR WILL BE AVAILABLE AT ALL TIMES OR OPERATE WITHOUT INTERRUPTION. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY VERVE INDUSTRIAL PROTECTION, ITS AGENTS, OR ITS EMPLOYEES, AT ANY TIME SHALL CREATE A WARRANTY OF ANY KIND. SOME STATES OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF EXPRESS OR IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. IN THAT EVENT, WARRANTIES SHALL ONLY BE IMPOSED TO THE EXTENT DETERMINED BY A COURT OF COMPETENT JURISDICTION AS REQUIRED BY APPLICABLE LAW.