Mitigate Apache Log4Shell vulnerability (CVE-2021-44228) using custom scripts
This article is a continuation of our previous post on Log4Shell vulnerability. In this article, we discuss the steps to mitigate log4shell vulnerability in affected web server applications with Endpoint Central server using custom script. For steps to detect the affected web server installations in your network systems, refer to our previous post. The custom script discussed in this post performs the mitigation steps suggested by apache which can be referred here. This mitigation is applicable for vulnerable web server applications/software whose vendors haven't provided patches or mitigation to resolve Log4jshell vulnerability in their applications/software. Note: It is recommended to verify with the application/software vendor and qualify the impact of the this mitigation before applying it.
The custom script performs the following mitigation operations:
- Stops the web server application service that is using the vulnerable Log4j versions.
- Locates the log4j-core-x.jar files. 'x' indicates the vulnerable Log4j versions.
- Removes the "jndilookup.class" file from the jar files that match vulnerable Log4j versions.
- Starts the web server application service back.
The steps to deploy the custom script using Endpoint Central are as follows:
- Login to Endpoint Central server console
- Navigate to Configurations tab and locate the script repository section in the left pane of the console.
- In the Script Repository section, go to Templates view, and locate the following custom scripts - "log-4j Mitigation script.exe" (For Windows) and "Linux-Log-4j-Mitigation.sh" (For Linux). Select the mentioned scripts and click on Add to Respository.
- Now go to configurations and select Windows or Linux based on the OS platform of the systems for which you wish to mitigate Log4j.
- Hover over custom script and click on computer. This will open up the custom script configuration deployment work flow.
- Give the configuration a name.
- For Execute Script from/run, choose Repository.
- In the Script Name field, search for and select the previously added custom script for Windows/Linux accordingly.
-
-
If you're deploying the script for Windows, specify the below arguments in the Script Argument field:
Note: Windows script needs two arguments. Argument 1 locates the vulnerable Log4j jar files from affected web sever. Argument 2 is used to stop and start the web server application service.
- Argument 1 : Specify the home directory path or the exe path of the vulnerable web server application within double quotes. For example, the exe path can be specified in this format - "C:\sample test server\log4j vulnerable server\apache\bin\httpd.exe", or the home directory path can be specified in this format - "C:\Test server\Vulnerable test server". Note: If you're using a Endpoint Central set-up with the vulnerability management add-on enabled, you can easily find the home directory path or the exe path of the vulnerable web server installations in your network from the Endpoint Central web console using the steps mentioned in our previous post on Log4Shell vulnerability.
- Argument 2 : Specify the service name of the vulnerable web server application within double quotes. The argument 1 and argument 2 must be specified in a single line and separated by a space. For example, the two arguments must be specified in this format - "C:\Test server\Vulnerable test server" "SERVICE_NAME". The service name of the vulnerable web server application can be obtained from services.msc. Open services.msc in the affected Windows machine and locate the service name of the vulnerable web server application. Double click on the service name and in the resulting popup window, you can find the service name.
Note: For Windows, only one path and one service name can be specified at a time. Separate configuration deployments have to be created to mitigate different web server applications using custom script.
-
If you're deploying the script for Linux, specify the below arguments in the Script Argument field:
Note: Linux script needs 2 arguments. Argument 1 is used to stop and start the vulnerable web server application service. Argument 2 locates the vulnerable Log4j jar files from affected web sever.
- Argument 1 : Specify the service name of the vulnerable web server application(s) within double quotes. If you're specifying services of multiple web server applications, separate them with a comma. For example, service names of multiple web servers can be specified in this format - "tomcat9,apache2". Note: If you're using a Endpoint Central set-up with the vulnerability management add-on enabled, you can easily find the vulnerable web server installations in your network as well as their home directory path or the exe path from the Endpoint Central web console using the steps mentioned in our previous post on Log4Shell vulnerability.
- Argument 2 : Specify the home directory path of the vulnerable web server application within double quotes. For example, the home directory path can be specified in this format - "/var/lib/tomcat9". Directory paths for multiple web servers can be specified in this format - "/var/lib/tomcat9,/etc/apache2". The argument 1 and argument 2 must be specified in a single line and separated by a space in the following format - "tomcat9,apache2" "/var/lib/tomcat9,/etc/apache2"
- Leave dependency files field empty
- Specify the exit code as 0.
- Select frequency as once and check the "Enable logging for Troubleshooting"
- Select the Windows/Linux targets depending on the OS platform for which you're deploying the script. Only the systems with web server installations having the same service name and the path given in the arguments at step 12 should be selected. Note: If you're using a Endpoint Central set-up with the vulnerability management add-on enabled, you can easily find the affected systems from the Endpoint Central web console using the steps mentioned in our previous post on Log4Shell vulnerability.
- Configure retry and notification setting, if needed.
- Click deploy or deploy immediately.
You can enable a free trial of the endpoint security add-on for Endpoint Central for upto 25 systems, by navigating to admin > Endpoint Security add-on. To purchase the endpoint security add-on license, contact sales@manageengine.com.