CVE-2021-44228/CVE-2021-45046 Windows and Linux Mitigation Audits
Summary:
In some environments, customers who can’t patch their systems to protect against the Log4j vulnerabilities need a way to evaluate whether their systems are using the vendor-provided workaround mitigation for CVE-2021-44228 and CVE-2021-45046. In both of these CVE advisories, the vendor recommends upgrading to a non-vulnerable version, or, if users are not able to upgrade, they “may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class” as a workaround.
Tenable has developed audits that can evaluate Windows and Linux systems to detect whether the workaround mitigation has been applied correctly. Please note, this audit does not assess the installed Log4j version, which is the primary vendor-recommended mitigation; a host that passes this audit can still be running a vulnerable log4j-core release if the class is absent but no upgrade took place, so use it together with the version-based plugins. Since the workaround mitigation for CVE-2021-44228 and CVE-2021-45046 is the same, we are providing a single audit file for each OS type. These Tenable audits complement the currently available Vulnerability Detection and Remote Direct Check plugins to provide the best breadth and depth of coverage for assessing our customers’ security posture on this emerging threat.
Impact:
Customers can now detect whether the Log4j workaround mitigation has been correctly applied on their systems by using the CVE-2021-44228 / CVE-2021-45046 audits. These audits search the Windows and Linux file systems for log4j-core JAR files and report whether the vulnerable org/apache/logging/log4j/core/lookup/JndiLookup.class entry is still present; if it is, the workaround was not properly implemented and the check fails.
Audits:
The following audits can be found in the Tenable audit_files GitHub repository (https://github.com/tenable/audit_files/tree/master/cve-2021-44228_cve-2021-45046):
cve-2021-44228_cve-2021-45046-windows.audit
cve-2021-44228_cve-2021-45046-linux.audit
Target Release Date:
Immediate
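As an added illustration (not Tenable's audit logic and not code from the Log4j project), the check described above reduced to a portable Python script: crawl a set of search paths, open every JAR/WAR/EAR archive, and report whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present, descending into nested archives because Spring Boot uber JARs and WARs carry log4j-core under BOOT-INF/lib or WEB-INF/lib, where a filename match on log4j-core-*.jar at the top level would miss it. It also includes a helper that applies the vendor workaround (the same effect as the quoted zip -q -d command) so the before/after result can be compared. The function names, the search-path list and the sample archives are assumptions; the sample JARs are constructed from a few dummy bytes and contain no real Log4j code.

```python
"""Portable stand-in for the JndiLookup.class presence check (added example,
not Tenable's audit code). present=True means the vulnerable class is still on
the classpath, i.e. the workaround has NOT been applied to that archive.
Names, paths and the constructed sample archives are assumptions."""
import io
import os
import sys
import tempfile
import zipfile

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FAKE_CLASS = b"\xca\xfe\xba\xbe"  # constructed placeholder, not real bytecode


def _walk_archive(zf, label):
    """Yield (label, present) for this archive and every archive nested in it."""
    # Uber JARs and WARs ship log4j-core under BOOT-INF/lib or WEB-INF/lib, so a
    # top-level filename match on log4j-core-*.jar alone would miss those copies.
    names = set(zf.namelist())
    yield label, JNDI_LOOKUP_ENTRY in names
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real zip (or corrupt): nothing to report for it
            with inner:
                yield from _walk_archive(inner, label + "!" + name)


def scan_for_jndilookup(search_paths):
    """Return [(archive_label, present)] for every archive under the given roots."""
    # Limiting search_paths (what the audit's @SEARCH_PATHS@ variable does) keeps
    # a crawl of a large filesystem from running into scan timeouts.
    results = []
    for root in search_paths:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if not fname.lower().endswith(ARCHIVE_SUFFIXES):
                    continue
                path = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(path) as zf:
                        results.extend(_walk_archive(zf, path))
                except zipfile.BadZipFile:
                    continue
    return results


def strip_jndilookup(jar_path):
    """Rewrite jar_path without the JndiLookup entry; True if it was removed."""
    # Same effect as `zip -q -d <jar> <entry>`. Only the top-level archive is
    # touched: a copy nested in a WAR/EAR needs the inner JAR fixed and repackaged.
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_ENTRY not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP_ENTRY:
                    dst.writestr(info, src.read(info.filename))
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())
    return True


def build_sample_tree(root):
    """Create constructed sample archives (dummy bytes, no real Log4j code)."""
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(JNDI_LOOKUP_ENTRY, FAKE_CLASS)  # unmitigated copy
        zf.writestr("org/apache/logging/log4j/core/Logger.class", FAKE_CLASS)
    with zipfile.ZipFile(os.path.join(root, "log4j-core-mitigated.jar"), "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", FAKE_CLASS)
    inner = io.BytesIO()  # unmitigated copy hidden inside a WAR
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_ENTRY, FAKE_CLASS)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())


def demo():
    """Scan the sample tree, apply the workaround to the top-level JAR, rescan."""
    root = tempfile.mkdtemp(prefix="jndilookup-demo-")
    build_sample_tree(root)
    def rel(results):  # key findings by path relative to the temp root
        return {label[len(root) + 1:]: present for label, present in results}
    before = rel(scan_for_jndilookup([root]))
    removed = strip_jndilookup(os.path.join(root, "log4j-core-2.14.1.jar"))
    after = rel(scan_for_jndilookup([root]))
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":  # usage: python jndilookup_check.py /opt /srv
    findings = scan_for_jndilookup(sys.argv[1:]) if sys.argv[1:] else demo()["before"].items()
    for label, present in findings:
        print("FAILED" if present else "PASSED", label)
```

Run with the directories to crawl as arguments (the same role as @SEARCH_PATHS@ in the audit); with no arguments it scans the constructed sample tree. A FAILED line corresponds to the audit's failing condition. Two caveats a practitioner should keep in mind: the script only inspects archives, so an exploded classes directory on the classpath needs a plain file search for JndiLookup.class, and a hit inside a nested archive (the app.war case) is not fixed by stripping the outer file, the inner JAR has to be fixed and the outer archive repackaged.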
8 Replies
- james_watson (Connect Rookie)
Hi, I'm having some mixed results with this audit template, hoped you could help:
I've run the audit cve-2021-44228_cve-2021-45046-windows.audit (using an admin-authenticated scan) against 2 of our Windows hosts for testing.
One comes back with the PASSED output as follows
'Checking:
org/apache/logging/log4j/core/lookup/JndiLookup.class not found'
POLICY VALUE
'^org/apache/logging/log4j/core/lookup/jndilookup.class not found$'
The other comes back with WARNING output
'WMI_CMD_EXEC_FAILED: Could not execute command
POLICY VALUE
'^org/apache/logging/log4j/core/lookup/jndilookup.class not found$'
The host with the WARNING output is confirmed vulnerable to CVE-2021-45046, but the output is not what I was expecting (would have expected FAILED, as documented in the github readme)
Am I doing something obviously wrong?
Hi James,
There could be several reasons why you're returning that warning output. Please take a look at some common troubleshooting tips:
- Ensure the target host isn't in hibernation mode
- Ensure there are no Firewalls blocking access to this target
- It could be related to a timeout issue. You can improve this by increasing the network timeout under Advanced -> General -> Performance Options during scan setup. In addition, you can adjust the variable @SEARCH_PATHS@ found in the audit. By default the audit will crawl the entire filesystem during detection which may cause timeout issues on large filesystems. This is highlighted in more detail in the README file.
If you're still experiencing this issue you may want to open a ticket with support in order for us to debug further. Thanks.
- Bill_E (Connect Contributor II)
I've created the plugin. It is failing on line #54.
Code copied from https://github.com/tenable/audit_files/tree/master/cve-2021-44228_cve-2021-45046
Hi Bill,
This isn't related to the issue above. The issue you're experiencing is different. This isn't a plugin. This is a .audit which uses a compliance plugin to scan the target. Please use the Policy Compliance template to run the scan using the .audits found on the github repo. https://docs.tenable.com/nessus/Content/Compliance.htm
Hi, thanks for sharing these audit files. Is there any plan for releasing similar files for CVE-2021-4104 (https://www.tenable.com/cve/CVE-2021-4104)?
Thanks in advance.
I believe there is coverage for this in https://www.tenable.com/plugins/nessus/156103
Hi, thanks for your response, but that plugin reports the version of Apache Log4j, which is affected only if JMSAppender is configured, and I would like an audit file to check whether JMSAppender is configured or not:
"The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender."