Dec 29, 2021

Log4j scanners

Several have already come out, so here is a memo.

CISA and CrowdStrike release scanners for "Log4j" -- though some point out their limits (12/24)

https://japan.zdnet.com/article/35181344/

『The biggest challenge is detecting Log4Shell inside packaged software in production environments. Java files (such as Log4j) can be nested several layers down inside other files, and a shallow search will not find them.』


CISA's scanner (below) apparently can do remote scans as well.

cisagov/log4j-scanner (12/21-28)

https://github.com/cisagov/log4j-scanner

I tried it locally against a fully updated setup (naturally, nothing came up).
It is a command-line tool, but it is easy to use and the output is easy to read.




Dec 23, 2021

How bad Log4j is

First, an article that explains in plain terms, in dialogue form, how bad the Log4j problem is (below):

How bad is the "Log4j" trouble? We had the deputy editor explain it so that even non-engineers can understand (12/16)

https://www.itmedia.co.jp/news/articles/2112/16/news128.html


piyokango's no-nonsense write-up (below):

A summary of the serious Log4j vulnerability CVE-2021-44228 (12/13)

https://piyolog.hatenadiary.jp/entry/2021/12/13/045541

『.. Testing has confirmed that the already end-of-life 1.x versions are also affected by the vulnerability*3, but this requires the configuration to have been changed in advance, so the risk is considerably lower compared with 2.x ..』

So it says. A few more, picked out of curiosity (below):

・Red Hat
 https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

『The following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.

    ・Red Hat Enterprise Linux

    ・Red Hat Advanced Cluster Management for Kubernetes

 (Note: many others)

』

while, on the other hand, it also says:

Technical summary

A flaw was found in the Java logging library Apache Log4j in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via the JNDI LDAP endpoint. Refer to CVE-2021-44228 for more details.

Mitigation

For Log4j versions 2.10 and later:

  • set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true

For Log4j versions between 2.7 and 2.14.1:

  • all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m

For Log4j versions between 2.0-beta9 and 2.10.0:

  • remove the JndiLookup class from the classpath. For example:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

On OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421

On OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441

So it says as well.
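As an added example (this is not code from the page, from Red Hat, or from cisagov/log4j-scanner), the following Python script ties the scanner note about jars nested several layers down to the Red Hat mitigation list quoted above: it walks a directory of jar/war/ear files, descends into archives nested inside other archives, reads the log4j-core version from the Maven pom.properties entry, and reports whether the JndiLookup class is still present. The affected range (from 2.0.0 and before 2.15.0) is taken from the Red Hat technical summary; using pom.properties as the version source is an assumption, and the sample jars built in memory are constructed, not real log4j bytes.

```python
# Added example: offline scan of jar/war/ear trees for log4j-core, including
# nested archives, reporting version and whether JndiLookup.class is present.
# Not part of the page, Red Hat's advisory or cisagov/log4j-scanner.
import io
import re
import sys
import zipfile
from pathlib import Path

# Class whose removal is the mitigation Red Hat documents for 2.0-beta9 .. 2.10.0
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; assumed here as the version source
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")
# Range quoted from the Red Hat technical summary: from 2.0.0 and before 2.15.0
AFFECTED_LO, AFFECTED_HI = (2, 0, 0), (2, 15, 0)


def parse_version(pom_text):
    """Return (major, minor, patch) from a pom.properties 'version=' line.
    Pre-release tags such as '2.0-beta9' keep only their numeric prefix, so
    2.0 betas are treated as 2.0.0, i.e. inside the affected range."""
    for line in pom_text.splitlines():
        if line.startswith("version="):
            m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", line.split("=", 1)[1].strip())
            if m:
                return tuple(int(p or 0) for p in m.groups())
    return None


def verdict(version, jndi_present):
    """Combine version range and class presence into a defender's verdict."""
    if version is None:
        return "log4j-core metadata missing; inspect manually"
    if not (AFFECTED_LO <= version < AFFECTED_HI):
        return "outside the CVE-2021-44228 range; check later advisories"
    if not jndi_present:
        return "in range but JndiLookup.class removed (mitigated)"
    return "VULNERABLE: in range and JndiLookup.class present"


def scan_archive(data, label, findings):
    """Recursively inspect an archive given as bytes; append findings in place."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (e.g. a plain file with a .jar name)
    with zf:
        names = set(zf.namelist())
        for name in names:
            if name.lower().endswith(NESTED):
                # Nested archive (war -> lib jar -> shaded jar): descend so a
                # shallow listing does not miss it
                scan_archive(zf.read(name), f"{label}!{name}", findings)
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
            jndi = JNDI_LOOKUP in names
            findings.append({"path": label, "version": version,
                             "jndi_present": jndi, "verdict": verdict(version, jndi)})


def scan_tree(root):
    """Scan every archive under a directory; returns the list of findings."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in NESTED:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings


def build_sample_jar(version, include_jndi=True, nested_as=None):
    """Construct a fake log4j-core jar in memory (constructed sample, not real
    log4j bytes); optionally wrap it inside an outer archive under nested_as."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    jar = buf.getvalue()
    if nested_as is None:
        return jar
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr(nested_as, jar)
    return outer.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])  # real scan of a directory you name
    else:
        results = []  # demo: a constructed war with a nested 2.14.1 jar
        scan_archive(build_sample_jar("2.14.1", nested_as="WEB-INF/lib/log4j-core-2.14.1.jar"),
                     "app.war", results)
    for r in results:
        print(f"{r['path']}: version={r['version']} jndi={r['jndi_present']} -> {r['verdict']}")
```

Run it with a directory argument to scan a real tree; without one it scans a constructed sample war. The verdict only covers what the quoted Red Hat text states (CVE-2021-44228 range and the JndiLookup removal); versions at or above 2.15.0 are reported as needing a check against the later advisories the page lists for CVE-2021-45046 and CVE-2021-45105.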

 

・Oracle
 Oracle Security Alert Advisory - CVE-2021-44228

・VMware
 https://www.vmware.com/security/advisories/VMSA-2021-0028.html

VMware Horizon, vCenter Server, HCX, NSX-T Data Center, vCenter Cloud Gateway .. and many others

 

・IBM
 https://www.ibm.com/support/pages/node/6525706

Affected Products and Versions
WebSphere Application Server 9.0
WebSphere Application Server 8.5

Among former IBM products, there was this one too (below):

・HCL Technologies

Impact of the Log4J 2 / Log4Shell vulnerability on Notes, Domino, Verse, and Traveler (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832)
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095594


・Fortinet

 https://www.fortiguard.com/psirt/FG-IR-21-245

 As of Tuesday December 15, 8:50 PM Pacific Time, the status was as follows:

『The following products are NOT impacted:

 .. FortiOS (includes FortiGate & FortiWiFi) .. 

The following products are impacted and fixes are being worked on. This advisory will be updated as soon as ETAs are available:

FortiAIOps - Fixed in version 1.0.2
FortiAnalyzer BigData - Fixed on 2021-12-10 in 6.4.7 & 7.0.2
FortiCASB - Fixed on 2021-12-10
FortiConverter Portal - Fixed on 2021-12-10
FortiCWP - Fixed on 2021-12-10
FortiEDR Cloud - Not exploitable. Additional precautionary mitigations put in place on 2021-12-10
FortiInsight - Not exploitable. Additional precautionary mitigations being investigated.
FortiIsolator - Fix scheduled for version 2.3.4
FortiMonitor - Mitigations for NCM & Elastiflow available
FortiPortal - Fixed in 6.0.8 and 5.3.8
FortiSIEM - Mitigation available
ShieldX - Fix scheduled for versions 2.1 and 3.0 - ETA 2021/12/17』


・AMD

 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1034

『Currently, no AMD products have been identified as affected.』


・Intel

 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html

Datacenter Manager, Secure Device Onboard, Computer Vision Annotation Tool, Optimized Analytics Package, Intel QAT Codec, Edge Insights for Autonomous Mobile Robots, various oneAPI products

.. and there is even something called the "Clear Linux Project", it turns out.

.. and many others. You may have been using some of these without realizing it. Check for yourself.

 

・NVIDIA

 https://nvidia.custhelp.com/app/answers/detail/a_id/5294

 As of 01/04:

Remediated NVIDIA Products 

The following sections list the NVIDIA products affected, versions affected, and the updated versions available or mitigations that require customer action.

  CUDA Toolkit Visual Profiler and Nsight Eclipse Edition
  DGX Systems
  NetQ
  vGPU Software License Server


・Palo Alto Networks

 https://security.paloaltonetworks.com/CVE-2021-44228

『We have determined that some configurations of Panorama appliances with PAN-OS 9.0, PAN-OS 9.1, and PAN-OS 10.0 are impacted by CVE-2021-44228 and CVE-2021-45046 through the use of Elasticsearch. Fixes were released on December 20, 2021 to address both vulnerabilities on impacted PAN-OS versions. Panorama appliances are not impacted by CVE-2021-45105. 

 PAN-OS for Panorama < 9.0.15, < 10.0.8-h8, < 9.1.12-h3  .. affected

 Exact Data Matching CLI < 1.2 .. affected