Notice: To follow this guide, the vScope Server module is required.
Apache Log4j is a Java-based logging utility and one of the most popular logging libraries used by software developers. On 24 November 2021, a critical vulnerability was exposed that allows potential attackers to execute arbitrary code by injecting attacker-controlled data into a logged message.
The vulnerability is listed as CVE-2021-44228 in the National Vulnerability Database and described in detail on Apache.org.
If you want to know whether vScope is affected (it is not), we keep posting updates in a post on our newsfeed.
How vScope can help
Since vScope stores and updates a detailed map of the assets in your data center, you can use vScope to quickly get an overview of how you might be affected by the CVE-2021-44228 vulnerability. Here are two easy searches in vScope to help you get started.
Important Notice: There is no auto-win here: vScope will not give you 100% coverage of all affected applications, and there might be false positives. Use these methods together with recommendations from software suppliers and scan results from your antivirus software.
Shortcut: Search for Log4j
Try searching vScope for ‘log4j’ and you will find two reports bundled with vScope.
Looking at running processes
If you use vScope to inventory Windows OS, you have access to up-to-date information about the processes running on servers (and clients). These processes can give you hints about applications that use Log4j.
Start by building a table about processes and add the columns “Command Line”, “Application”, and “System”. Filtering on “log4j” and/or “JNDI” in the Command Line column will show any processes that might use the Log4j library.
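As an added illustration (not vScope code; the rows below are constructed, not real inventory), the following Python applies the same Command Line filter to process records with the three columns named above and, where a log4j-core jar is visible on the command line, compares its version with 2.15.0, the first release carrying the CVE-2021-44228 fix:

```python
import re

# Constructed sample rows in the shape of the vScope Processes table columns
# used in this guide (System, Application, Command Line). Not real inventory.
SAMPLE_PROCESSES = [
    {"System": "app-srv-01", "Application": "java.exe",
     "Command Line": r"C:\Java\bin\java.exe -cp C:\app\lib\log4j-core-2.14.1.jar;"
                     r"C:\app\lib\log4j-api-2.14.1.jar;C:\app\app.jar com.example.Main"},
    {"System": "app-srv-02", "Application": "java",
     "Command Line": "/usr/bin/java -Dlog4j2.formatMsgNoLookups=true -jar /opt/svc/svc.jar"},
    {"System": "es-01", "Application": "java",
     "Command Line": "/usr/bin/java -cp /usr/share/es/lib/log4j-core-2.11.1.jar:"
                     "/usr/share/es/lib/es.jar org.elasticsearch.bootstrap.Elasticsearch"},
    {"System": "ws-17", "Application": "notepad.exe",
     "Command Line": r'"C:\Windows\notepad.exe" notes.txt'},
    {"System": "app-srv-03", "Application": "java",
     "Command Line": "/usr/bin/java -cp /opt/x/lib/log4j-core-2.17.1.jar:/opt/x/x.jar com.x.Main"},
]

# The guide's filter on the Command Line column: "log4j" and/or "JNDI".
FILTER = re.compile(r"log4j|jndi", re.IGNORECASE)
# A log4j-core jar named on the command line, with its version (2.14.1, 2.0-beta9, ...).
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\;:\s]*\.jar", re.IGNORECASE)
FIXED = (2, 15, 0)  # first Log4j 2 release with the CVE-2021-44228 fix


def classify(row):
    """None when the row fails the filter; otherwise a hit with what the command
    line reveals. log4j_core_version None means Log4j is referenced but no jar is
    visible (bundled in a war/fat jar, say), so the host still needs a manual check."""
    cmd = row["Command Line"]
    if not FILTER.search(cmd):
        return None
    m = CORE_JAR.search(cmd)
    version = tuple(int(g or 0) for g in m.groups()) if m else None
    return {
        "System": row["System"],
        "Application": row["Application"],
        "log4j_core_version": ".".join(map(str, version)) if version else None,
        # Plain version compare: maintenance branches that got a backported fix
        # are still reported as affected here, so treat hits as candidates.
        "affected": (version < FIXED) if version else None,
        "lookups_disabled": "log4j2.formatMsgNoLookups=true" in cmd,
    }


def review(rows):
    """Apply the filter to every row and keep only the hits, in input order."""
    return [hit for hit in map(classify, rows) if hit]
```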
Locating vulnerable applications
vScope keeps track of any applications found in data sources such as Windows/Linux OS, SCCM, Jamf, and Desktop Central. This means that you can build powerful filters to list any application, its version and vendor, and where it is installed. So, with a relevant list of vulnerable applications, you can quickly find out whether any of them is installed in your environment.
Below is a regex including 280 applications that have been confirmed as affected by CVE-2021-44228. The list has been fetched from Cisagov’s GitHub. Simply copy the regex below and paste it into the Name -> Match filter in a table about Applications.
Remember: there might be false positives in the resulting table, an application may have been removed from Cisagov’s list of affected applications, or vScope’s discovery might not inventory your complete infrastructure.
regex:(?sui).*(CGS|SIEM Splunk Connector|OpenSearch|AWS Lambda|AWS CloudHSM|Druid|Flink|Log4j|Kafka|SOLR|Opencast|Aptible|Jira Server & Data Center|Confluence Server & Data Center|Bamboo Server & Data Center|Crowd Server & Data Center|Fisheye|Crucible|Avaya Analytics|Avaya Aura® Device Services|Avaya Aura for OneCloud Private|Avaya Aura® Application Enablement Services|Avaya Aura® Contact Center|Avaya Aura® Device Services|Avaya Aura® Media Server|Avaya Aura® Presence Services|Avaya Aura® Session Manager|Avaya Aura® System Manager|Avaya Aura® Web Gateway|Avaya Breeze™|Avaya Contact Center Select|Avaya CRM Connector - Connected Desktop|Avaya Meetings|Avaya OneCloud-Private|Avaya Session Border Controller for Enterprise|Avaya Social Media Hub|Avaya Workforce Engagement|Business Rules Engine|Callback Assist|Control Manager|Device Enrollment Service|Equinox™ Conferencing|Interaction Center|IP Office™ Platform|Proactive Outreach Manager|Avaya Device Enablement Service|Avaya one cloud private -UCaaS - Mid Market Aura|PowerBuilder|CA Advanced Authentication|CA Risk Authentication|CA Strong Authentication|Symantec Endpoint Protection Manager \(SEPM\)|Cisco Webex Meetings Server|Cisco Advanced Web Security Reporting Application|Cisco CloudCenter Suite Admin|Cisco Crosswork Change Automation|Cisco Evolved Programmable Network Manager|Cisco Integrated Management Controller \(IMC\) Supervisor|Cisco Intersight Virtual Appliance|Cisco Network Services Orchestrator \(NSO\)|Cisco WAN Automation Engine \(WAE\)|Cisco UCS Director|Cisco Computer Telephony Integration Object Server \(CTIOS\)|Cisco Packaged Contact Center Enterprise|Cisco Unified Contact Center Enterprise - Live Data server|Cisco Unified Contact Center Enterprise|Cisco Unified Intelligent Contact Management Enterprise|Cisco Unified SIP Proxy Software|Cisco Video Surveillance Operations Manager|Cisco Kinetic for Cities|Cisco Umbrella|Cisco Unified Communications Manager Cloud|Cisco Webex Cloud-Connected UC \(CCUC\)|CDH, HDP, and HDF|Cloudera Enterprise|Cloudera Data Science Workbench \(CDSW\)|Hortonworks Data Platform \(HDP\)|Ambari|Cloudera Cybersecurity Platform|Data Steward Studio \(DSS\)|Arcadia Enterprise|CDP Private Cloud Base|Cloudera Manager \(Including Backup Disaster Recovery \(BDR\) and Replication Manager\)|Cloudera Data Warehouse \(CDW\)|Cloudera Machine Learning \(CML\)|Cloudera Data Engineering \(CDE\)|Workload XM|Cloudera Flow Management \(CFM\)|Cloudera Edge Management \(CEM\)|Cloudera Stream Processing \(CSP\)|CDS 3 Powered by Apache Spark|CDS 3\.2 for GPUs|Cloudera Runtime \(including Cloudera Data Hub and all Data Hub templates\)|Cloudera Manager \(Including Backup Disaster Recovery \(BDR\) and Replication Manager\)|Cloudera Data Warehouse \(CDW\)|Cloudera Machine Learning \(CML\)|Cloudera Data Engineering \(CDE\)|Cloudera Data Flow \(CFM\)|Cloudera Streaming Analytics \(CSA\)|Cloudera Data Visualization \(CDV\)|Cloudera DataFlow \(CDF\)|Replication Manager|Ecosystem|Privileged Threat Analytics \(PTA\)|Managed cluster nodes|Synthetic Activegates|Elasticsearch|Logstash|Reveal\(x\)|Endpoint Proxy|Policy Manager|Policy Manager Proxy|Elements Connector|Messaging Security Gateway|DLP Manager|Security Manager \(Web, Email and DLP\)|Autonomous Identity|FortiAIOps|FortiCASB|FortiConvertor|FortiEDR Cloud|FortiNAC|FortiNAC|FortiPolicy|FortiPortal|FortiSIEM|FortiSOAR|ShieldX|Gradle Enterprise|Gradle Enterprise Test Distribution Agent|Gradle Enterprise Build Cache Node|Cognos Controller|Planning Analytics Workspace|Power HMC|App ID|Certificate Manager|Cloud Object Storage|Cloud Object Storage|Cloudant|Container Registry|Container Security Services|Continuous Delivery|Hyper Protect DBaaS for MongoDB|Hyper Protect DBaaS for PostgreSQL|Hyper Protect Virtual Server|Internet Services|Knowledge Studio|Managed VMware Service|Natural Language Understanding|VMware Solutions|VMware vCenter Server|VMware vSphere|vRealize Operations and Log Insight|IBM Instana Agent|DSS-G|XClarity Administrator \(LXCA\)|XClarity Energy Manager \(LXEM\)|XClarity Integrator \(LXCI\) for VMware vCenter|NetApp ONTAP Tools for VMware vSphere|ThinkAgile HX|ThinkAgile VX|Azure Data lake store java|Azure DevOps Server|Team Foundation Server|MongoDB Atlas Search|Multiple NetApp products|Neo4j Graph Database|New Relic Java Agent|Okta RADIUS Server Agent|Okta On-Prem MFA Agent|Panorama|InsightOps DataHub|InsightOps r7insight_java logging library|Logentries DataHub|Logentries le_java logging library|log4j-core low|log4j-core|log4j-core|log4j-core low|log4j-core|log4j-core|log4j-core|log4j-core low|log4j-core low|log4j-core|log4j-core|openshift3/ose-logging-elasticsearch5|openshift4/ose-metering-presto|openshift4/ose-metering-hive|openshift4/ose-logging-elasticsearch6|logging-elasticsearch6-container|opendaylight|log4j-core low|Virtual SmartZone \(vSZ\)|Capital|Comos Desktop App|Desigo CC Advanced Reporting|Desigo CC Info Center|E-Car OC Cloud Application|EnergyIP Prepay|GMA-Manager|HES UDIS|Industrial Edge Management App|Industrial Edge Management OS|Industrial Edge Management Hub|LOGO! Soft Comfort|Mindsphere Cloud Application|Opcenter Intelligence|Operation Scheduler|SIGUARD DSA|SIMATIC WinCC|SiPass integrated V2\.80|SiPass integrated V2\.85|Siveillance Command|Siveillance Control Pro|Siveillance Identity V1\.5|Siveillance Identity V1\.6|Siveillance Vantage|Solid Edge Wiring Harness Design|Spectrum Power 4|Spectrum Power 7|Teamcenter Suite|VeSys|Xpedition EDM Server|Xpedition EDM Client|Server & Application Monitor \(SAM\)|Database Performance Analyzer \(DPA\)|Sophos Mobile EAS Proxy|Data Stream Processor|IT Service Intelligence \(ITSI\)|Splunk Enterprise|Splunk Enterprise Amazon Machine Image \(AMI\)|Splunk Enterprise Docker Container|Stream Processor Service|Omega Controller|UniFi Network Application|UniFi Network Controller|VMware vCenter Server|VMware vCenter Server|VMware vCenter Server|VMware Horizon|VMware HCX|VMware NSX-T Data Center|VMware Unified Access Gateway|VMware Workspace ONE Access|VMware Identity Manager|VMware vRealize Operations|VMware vRealize Operations Cloud Proxy|VMware vRealize Log Insight|VMware vRealize Automation|VMware vRealize Lifecycle Manager|VMware Telco Cloud Automation|VMware Carbon Black Cloud Workload Appliance|VMware Carbon Black EDR Server|VMware Site Recovery Manager|VMware Tanzu GemFire|VMware Tanzu Greenplum|VMware Tanzu Operations Manager|VMware Tanzu Application Service for VMs|VMware Tanzu Kubernetes Grid Integrated Edition|VMware Tanzu Observability by Wavefront Nozzle|Healthwatch for Tanzu Application Service|Spring Cloud Services for VMware Tanzu|Spring Cloud Gateway for VMware Tanzu|Spring Cloud Gateway for Kubernetes|API Portal for VMware Tanzu|Single Sign-On for VMware Tanzu Application Service|App Metrics|VMware vCenter Cloud Gateway|VMware Tanzu SQL with MySQL for VMs|VMware vRealize Orchestrator|VMware Cloud Foundation|VMware Workspace ONE Access Connector \(VMware Identity Manager Connector\)|VMware Horizon DaaS|VMware Horizon Cloud Connector).*
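The following Python is an added example, not vScope's own code. It builds a filter of the same shape as the one above (the regex: prefix is vScope's filter syntax as used in this guide) from a short constructed subset of the names, applies it to constructed Applications rows, and marks hits whose Name is not exactly one of the listed names, which are the rows to review for false positives. Names are escaped so parentheses and dots in product names match literally.

```python
import re

# Short constructed subset of the 280-name list in the guide; the real filter
# carries the full list. "Capital" is included because a one-word entry like
# this is a typical source of false positives.
AFFECTED_NAMES = [
    "Log4j", "Druid", "Capital", "Reveal(x)", "VMware vCenter Server",
    "Symantec Endpoint Protection Manager (SEPM)", "UniFi Network Application",
]


def build_filter(names):
    """Same shape as the guide's filter: regex:(?sui).*(A|B|...).*
    re.escape makes '(' ')' and '.' in product names match literally."""
    return "regex:(?sui).*(" + "|".join(re.escape(n) for n in names) + ").*"


def compile_filter(filter_text):
    """Strip vScope's 'regex:' prefix and compile the remainder."""
    if not filter_text.startswith("regex:"):
        raise ValueError("expected a vScope regex: filter")
    return re.compile(filter_text[len("regex:"):])


# Constructed rows in the shape of a vScope Applications table (Name, Version, System).
SAMPLE_APPS = [
    {"Name": "VMware vCenter Server", "Version": "7.0.2", "System": "vc-01"},
    {"Name": "UniFi Network Application", "Version": "6.5.53", "System": "unifi-01"},
    {"Name": "Capital Budget Planner", "Version": "3.1", "System": "fin-ws-22"},
    {"Name": "Reveal(x) 360 Sensor", "Version": "8.6", "System": "nsm-01"},
    {"Name": "Notepad++", "Version": "8.1", "System": "ws-17"},
]


def find_candidates(rows, names=AFFECTED_NAMES):
    """Return rows whose Name matches the filter. 'exact' is False when the
    listed name is only a substring of a longer name: review those by hand."""
    pattern = compile_filter(build_filter(names))
    exact = {n.casefold() for n in names}
    hits = []
    for row in rows:
        if pattern.fullmatch(row["Name"]):  # .* on both sides, as in the guide
            hits.append({**row, "exact": row["Name"].casefold() in exact})
    return hits
```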
If you are used to vScope, you know that there are often several ways to do documentation and reporting. In this case, you might also want to look for any Java or Apache installations.
Please let us know if you have any additional ideas for using vScope to find Log4j vulnerabilities!