Rubrik: Detect Log4j occurrences
Background
There is no mystery: the Java Log4j flaw has had a huge impact on every IT team these days. If you want to know more about it, I really encourage you to read this and upgrade your affected systems as soon as possible. That being said, it would be nice to know which systems are affected... It can be cumbersome to search each and every system, especially if you have more than 1000 VMs... If you are using Rubrik for your backups, it might simplify things!
Rubrik to the rescue!
Indeed, one of the strengths of Rubrik is the onboard indexing and search engine, which gives you immediate access to the metadata. In short, we would like to search for every occurrence of log4j*.jar and compare the versions. According to the official documentation, any version lower than 2.12.2 is vulnerable.
There is an API endpoint that helps search inside the snapshots' file structure (Windows and Linux). With the help of another Rubrik Guardian (@nboyadj) and the Rubrik Support Team, we put together a strategy to retrieve all those occurrences within the snapshots.
The script is easy to read and provides insightful information to understand which systems are current and which require immediate patching. This time, we are using bash, so you can run the script on any Linux or macOS machine. The only requirement is to have the jq package installed (brew install jq on macOS). It searches within any VMware or Nutanix AHV VMs.
The script is on my GitHub; simply save it as log4j.sh and make it executable. Of course, do not forget to edit the cluster IP and the credentials before running it.
Output is similar to this:
[...]
my_vCenter,"/usr/lib/vmware-vpxd-svcs/lib/log4j-api.jar"
my_vCenter,"/usr/lib/vmware/cis_upgrade_runner/payload/component-scripts/sso/lstool/lib/log4j-1.2-api-2.13.1.jar"
my_vCenter,"/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/plugins/log4j-over-slf4j-1.7.22.jar"
my_vCenter,"/usr/lib/vmware/common-jars/log4j-jcl-2.13.1.jar"
my_vCenter,"/usr/lib/vmware/common-jars/apache-log4j-extras-1.1.jar"
[...]
This is a CSV that can easily be analyzed in Excel-style software, where the first field is the VM name and the second is the path of the matching occurrence.
It will definitely help to locate any log4j that requires an upgrade.
I really hope this helps; it was a common effort and I decided to share it with the community.
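The CSV above still has to be turned into a "patch this VM" list by hand. The POSIX shell script below is an added example, not the post's log4j.sh: it reads that "vm,path" output, pulls the dotted version out of each jar name, compares it numerically against the post's threshold (anything lower than 2.12.2 is treated as needing an upgrade; the threshold is kept in MIN_SAFE_VERSION so you can raise it, since 2.12.2 was the fix backported to the 2.12 branch for Java 7 and the 2.13 and 2.14 releases also had to move to the fixed 2.15 and later releases), and appends a status column. Jars without a version in their name (the post's log4j-api.jar) are reported as unknown rather than silently passed, and the log4j-over-slf4j / log4j-to-slf4j bridge jars are marked separately because the number in their name is slf4j's version, not Log4j's. The sample input mixes lines taken from the post's output with constructed ones (app01 and its path are invented); the functions themselves only depend on sed and grep.

```shell
#!/bin/sh
# Added example, not the post's log4j.sh: triage the "vm,path" CSV that the
# script prints and flag jars below MIN_SAFE_VERSION (the post's 2.12.2).
set -eu

MIN_SAFE_VERSION="${MIN_SAFE_VERSION:-2.12.2}"

# Pull the dotted version out of a jar filename, e.g.
#   log4j-1.2-api-2.13.1.jar -> 2.13.1
#   log4j-api.jar            -> (empty: no version in the name)
log4j_version_from_path() {
  name=${1##*/}
  printf '%s\n' "$name" | sed -nE 's/.*-([0-9]+(\.[0-9]+)+)\.jar$/\1/p'
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1 (a<b, a=b, a>b).
# Missing components count as 0, so 2.12 < 2.12.2.
version_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  echo 0
}

# Classify one CSV line 'vm,"/path/to/log4j-x.y.z.jar"' and print
# vm,path,version,status  with status in: UPGRADE, ok, unknown, not-log4j-version
classify_line() {
  line=$1
  vm=${line%%,*}
  path=${line#*,}
  path=${path#\"}; path=${path%\"}      # the post's output quotes the path
  name=${path##*/}
  ver=$(log4j_version_from_path "$path")
  case "$name" in
    log4j-over-slf4j-*|log4j-to-slf4j-*)
      status=not-log4j-version ;;       # slf4j bridge: number is slf4j's version
    *)
      if [ -z "$ver" ]; then
        status=unknown                  # e.g. log4j-api.jar: inspect by hand
      elif [ "$(version_cmp "$ver" "$MIN_SAFE_VERSION")" -lt 0 ]; then
        status=UPGRADE
      else
        status=ok
      fi ;;
  esac
  printf '%s,%s,%s,%s\n' "$vm" "$path" "$ver" "$status"
}

# Triage a whole CSV on stdin, skipping blank lines and the "[...]" markers.
triage_csv() {
  while IFS= read -r line; do
    case "$line" in ''|'['*) continue ;; esac
    classify_line "$line"
  done
}

# Number of lines needing an upgrade in a CSV on stdin.
count_upgrades() {
  triage_csv | grep -c ',UPGRADE$' || true
}

# Constructed sample in the post's output format: the my_vCenter lines are
# from the post, the app01 line and its path are invented for the example.
SAMPLE='my_vCenter,"/usr/lib/vmware-vpxd-svcs/lib/log4j-api.jar"
my_vCenter,"/usr/lib/vmware/common-jars/log4j-jcl-2.13.1.jar"
my_vCenter,"/usr/lib/vmware-vsphere-ui/server/work/Catalina/localhost/ROOT/eclipse/plugins/log4j-over-slf4j-1.7.22.jar"
my_vCenter,"/usr/lib/vmware/common-jars/apache-log4j-extras-1.1.jar"
app01,"/opt/app/lib/log4j-core-2.11.2.jar"'

printf '%s\n' "$SAMPLE" | triage_csv
printf 'lines needing upgrade: %s\n' "$(printf '%s\n' "$SAMPLE" | count_upgrades)"
```

In practice you would pipe the real output into it (`./log4j.sh | sh triage.sh`, or `triage_csv < scan.csv` after sourcing the functions) and sort on the last column; the "unknown" rows are the ones to open manually, because the jar name alone does not tell you which Log4j they bundle.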
Wow, super helpful, THANK YOU
Thanks for the script. A couple of remarks/questions:
1. The script does not work if Dual Factor Authentication is enabled.
2. The script runs through all snapshots. Is it possible to have it search only in the latest snapshot or to display the snapshot date?
Lieven, thanks for your comment. Indeed, for 2FA I'm afraid there is nothing I can do.
For your other comment, I agree, I will check what can be done. I'm using the global search as you have seen, so I'm depending on the results. I'll have a look.