How to find vulnerable log4j programs on a Windows 10 PC and how to provide first-aid when I cannot

Time: 12-16

How to find vulnerable log4j programs on a Windows 10 PC and how to provide first-aid when I cannot update to log4j version 2.16.0 and beyond?

CodePudding user response:

It is possible to delete the JndiLookup class from log4j-core jar files in order to provide first aid in the context of the log4j security disaster. Delete the JndiLookup classes if you cannot update the Java application to a version with fixed log4j version 2.16.0.

So this is just a first-aid quick fix until you get application updates! The following PowerShell script will search all drives for log4j-core*.jar files. From each file found, we delete the JndiLookup class.

Thus, create an anyname.ps1 file with the following content:

# Ensure we can run everything
Set-ExecutionPolicy Bypass -Scope Process -Force

# Escape characters in PowerShell: https://ss64.com/ps/syntax-esc.html

# Note: zip.exe, unzip.exe and grep.exe are not part of Windows; the Info-ZIP
# and grep binaries must be on PATH for the commands below to work.

Write-Host "Start iterating drives..."
# drivetype=3 selects local fixed disks only (no removable or network volumes)
$volumes = Get-WmiObject win32_volume -filter "drivetype=3"
foreach ($volume in $volumes)
{
    $driveletter = $volume.driveletter # e.g. C:
    if ($driveletter -ne $null)
    {
        $drivename   = $volume.name        # e.g. C:\
        
        Write-Host "`n== Checking $driveletter... =="
 
        Write-Host "== Find log4j-core*.jar files... =="
        Get-ChildItem -Path $drivename -Filter log4j-core*.jar -Recurse -ErrorAction SilentlyContinue | % {
                Write-Host "== $($_.FullName) =="
                
                # Remove the JndiLookup class from the jar in place
                Write-Host "> zip.exe -q -d `"$($_.FullName)`" `"org/apache/logging/log4j/core/lookup/JndiLookup.class`""
                zip.exe -q -d "$($_.FullName)" "org/apache/logging/log4j/core/lookup/JndiLookup.class"
                
                # Verify: no output from grep means the class is gone
                Write-Host "> unzip.exe -l `"$($_.FullName)`" | grep.exe JndiLookup"
                unzip.exe -l "$($_.FullName)" | grep.exe JndiLookup
                
                Write-Host "== END =="
            }
    }
}

Write-Host "Press ENTER to continue..."
cmd /c Pause | Out-Null

Now you can execute this ps1 file.

Easy way to execute the ps1 file: create an anyname.cmd file beside the identically named ps1 file with the following content:

powershell.exe -ExecutionPolicy ByPass -noprofile -command "&{start-process powershell -ArgumentList '-ExecutionPolicy ByPass -noprofile -NoExit -file \"%~dpn0.ps1\"' -verb RunAs}"

You can double-click the cmd. It will execute the ps1 script with elevated privileges.

Kind regards!

CodePudding user response:

I provided the first-aid PowerShell script in the other answer; however, meanwhile there are several advanced tools that allow detection and patching of log4j-based applications, in the context of CVE-2021-44228, for the case that you cannot upgrade the application and its bundled log4j yet.

https://github.com/mergebase/log4j-detector

log4j-detector is a Java-based tool that searches for vulnerable log4j instances. It detects log4j in "Java Über JARs" as well as other JARs/WARs, in uncompressed directories on the file system (aka *.class) and in shaded jars. It provides information about the found log4j versions. (It does not provide a patcher to fix the findings.) But this one seems to be the most thorough in its detection.

https://github.com/hillu/local-log4j-vuln-scanner

log4j-vuln-scanner is a Go-based tool, with binary releases for x86_64 Windows, Linux and MacOSX, that searches for vulnerable log4j instances. It also finds log4j within other JAR and WAR files and provides information about the found log4j versions. (It seems not as thorough as the log4j-detector above.) But this one provides a patcher to fix the findings.

https://github.com/Neo23x0/log4shell-detector

log4shell-detector is a Python-based tool that searches for log files and, from the log strings, tries to detect any exploitation attempts.
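The two things the answers above rely on external tools for, reporting which log4j-core version sits inside a JAR (also inside JARs nested in WARs, as the detectors do) and removing JndiLookup.class as first aid, can be done from PowerShell alone with .NET's ZipArchive, with no zip.exe or unzip.exe required. The script below is an added example and is not code from either answer or from any of the linked projects. It assumes Windows PowerShell 5.1 or later, that log4j-core's Maven `pom.properties` (`META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`) is present in the archive, and `C:\` as a placeholder root; the function names (`Get-Log4jCoreVersion`, `Test-Log4jArchive`, `Get-Log4jFindings`, `Remove-JndiLookup`) and the `-Remediate` switch are my own.

```powershell
param(
    [string]$Root = 'C:\',   # placeholder root; point it at a drive or an application directory
    [switch]$Remediate       # also delete JndiLookup.class from top-level JARs (first aid only)
)

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$JndiEntry  = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$CoreMarker = 'org/apache/logging/log4j/core/Logger.class'
$PomProps   = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'

# log4j-core's own pom.properties survives shading, so it is a more reliable
# version source than the manifest of an über JAR (whose version is the application's).
function Get-Log4jCoreVersion([System.IO.Compression.ZipArchive]$zip) {
    $entry = $zip.GetEntry($PomProps)
    if ($null -eq $entry) { return 'unknown' }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try {
        while ($null -ne ($line = $reader.ReadLine())) {
            if ($line -match '^version=(.+)$') { return $Matches[1].Trim() }
        }
    } finally { $reader.Dispose() }
    return 'unknown'
}

# Report on one open archive; returns $null when it does not contain log4j-core at all.
function Test-Log4jArchive([System.IO.Compression.ZipArchive]$zip, [string]$label) {
    if ($null -eq $zip.GetEntry($CoreMarker)) { return $null }
    [pscustomobject]@{
        Archive    = $label
        Version    = Get-Log4jCoreVersion $zip
        JndiLookup = ($null -ne $zip.GetEntry($JndiEntry))
    }
}

# Walk one JAR/WAR: report the archive itself, then every JAR nested inside it (WEB-INF/lib etc.).
function Get-Log4jFindings([string]$path) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($path)
    try {
        $r = Test-Log4jArchive $zip $path
        if ($r) { $r }
        foreach ($e in ($zip.Entries | Where-Object { $_.FullName -like '*.jar' })) {
            # Nested JARs are read into memory and opened as their own archive
            $ms = New-Object System.IO.MemoryStream
            $s = $e.Open(); $s.CopyTo($ms); $s.Dispose(); $ms.Position = 0
            $inner = New-Object System.IO.Compression.ZipArchive($ms)
            try {
                $r = Test-Log4jArchive $inner "$path!$($e.FullName)"
                if ($r) { $r }
            } finally { $inner.Dispose() }
        }
    } finally { $zip.Dispose() }
}

# The first aid from the PowerShell answer, done in .NET instead of zip.exe: drop JndiLookup.class.
function Remove-JndiLookup([string]$path) {
    $zip = [System.IO.Compression.ZipFile]::Open($path, [System.IO.Compression.ZipArchiveMode]::Update)
    try {
        $e = $zip.GetEntry($JndiEntry)
        if ($e) { $e.Delete(); Write-Host "Removed $JndiEntry from $path" }
    } finally { $zip.Dispose() }
}

$findings = Get-ChildItem -Path $Root -Recurse -Include *.jar,*.war -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Log4jFindings $_.FullName }

$findings | Format-Table -AutoSize

if ($Remediate) {
    # Only top-level archives are patched; a JAR nested in a WAR would require rewriting the WAR.
    $findings | Where-Object { $_.JndiLookup -and $_.Archive -notmatch '!' } |
        ForEach-Object { Remove-JndiLookup $_.Archive }
}
```

Run it without `-Remediate` first to get an inventory (archive, log4j-core version, whether JndiLookup.class is still present); a version below 2.16.0 with JndiLookup present is what the answers above are concerned with. `Update` mode rewrites the JAR in place, so stop the Java application that holds the file open before using `-Remediate`, and keep a copy of the original archive. Nested findings are labelled `outer.war!WEB-INF/lib/inner.jar` and are reported only, not patched.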
