Scan all endpoints for Log4j with 1-Click
As you’ve caught up on work since the weekend, you may have heard of the critical vulnerability CVE-2021-44228, which affects Log4j, a Java logging package widely used in many services, including Apache, Apple iCloud, Minecraft, Tesla and Twitter. Huntress has a very good thread on the MSP subreddit (link).
In rapid response, we pulled together an endpoint scanner for Tier2Tickets users, made it free for anyone else, and also published an Open-Source version. It is very basic and consequently easy to use:
- Visit https://dev.helpdeskbuttons.com/test/log4j2 (you may need to log out and log back in to access the page.)
- Enter the email address you would like notifications of flagged endpoints to be sent to.
- Click Submit to automatically scan all of your endpoints that have the Tier2Tickets agent. Each affected endpoint will send an email, including the known affected files and classes, to the address you entered.
It is very fast, and only took us about 10 minutes to scan several thousand endpoints. As mentioned, we have not restricted the use of this tool to paid accounts, so you can use it for all of your endpoints if you wish and our system will not block you from installing more agents than you have licenses for. Otherwise, please freely use the source code, linked below.
Our only ask is that you make sure you are checking your spam folder and marking this as not-spam so we don’t get flagged for sending out thousands of emails.
If you find affected endpoints, you can usually mitigate this issue by setting log4j.formatMsgNoLookups=true in log4j.properties.
Here is an example script that will do this for an eClinicalWorks server: https://pastebin.com/zr8G5DWL
Hope you find this useful. Please do not consider this a finished product that is guaranteed to detect everything: we know the tool is rough, and we knocked it out quickly based on other tools we had already created, but it’s easy to use and will give you a good paper trail of devices to act on. We will keep working on it to add other detection methods and update it as we can.
We’ll be in touch with updates,
*Open Source Version: If you aren’t using Tier2Tickets, you can make your own tool with this code, https://pastebin.com/ndmF58nt , where you will just need to replace “email” on line 21 with your email. It posts to an HTML form, which anyone can set up with WordPress or another preferred site; we are using AWS/PHP like this: https://pastebin.com/ihXjcEQK