Running the powershell script on the entire C drive of some servers, and get an extremely long output of directories that were unable to be scanned. Is there a version of the script that only output the possibly vulnerable files that need to be reviewed, to avoid searching through thousands of lines of output just to find the one line of output actually needed?

As described in this reddit thread, Get-ChildItem can return nothing when an "Access is denied" error (System.UnauthorizedAccessException) occurs, despite -ErrorAction Ignore. I found that this happened on some systems when scanning a whole drive from the root directory.

The solution suggested by OPconfused, i.e. building the list of files manually, worked in my case. The "Access is denied" error is still shown, but the script proceeds to check the files that are found.

$jars = @();
Get-ChildItem -Path $topdir -File -Recurse -Force -Include "*.jar","*.war","*.ear","*.zip" -ErrorAction Ignore | % { $jars += $_ };

I recommend adding an option to exclude a path, for example: .\checkjindi.ps1 c:\ -skip c:\temp\

Sequel to #4:

Theoretically relying on the file extension isn't reliable. Check this post by @DidierStevens:

https://isc.sans.edu/forums/diary/Recognizing+ZLIB+Compression/25182/

Unfortunately I couldn't quickly find a way to do this using only native powershell stuff (I'm sure it can be done, possibly via importing some .NET stuff, but that's not something rapidly figured out.), but there does exist a python option:

https://blog.didierstevens.com/2018/10/28/update-file-magic-py-version-0-0-4/

Workaround - use:

[System.IO.Path]::GetTempFileName()

instead

See

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_functions_cmdletbindingattribute?view=powershell-5.1

&

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_functions_advanced_parameters?view=powershell-5.1

I'm not sure if it is really worthy to become an issue or not, but I gave it a shot.

Line 65 of checkjndi.py has a lot of endswiths to check for the four file extensions (.jar, .war, .ear, .zip). Python documentation on str.endswith says it accepts a tuple to look for as the suffix parameter instead of a single string.

So one str.endswith can be called and the code gets much more readable.

If this is not a worthy issue, please tell me and I will simply close it.

Hello,

Thanks for sharing the tool. While testing it I noticed that python script fail silently on forder where it doesnt have read access. This behavior differ from the sh script version.

The sh script would be more usefull as it's not requiring python3 install but it seem to not scan the folder recursively in the same way as the python script (ex. scanning at root level).

Python version worked well the validation I needed, thank you again!

Eric

e.g. Get-ChildItem requires Microsoft.PowerShell.Management
Write-Output and Add-Type require Microsoft.PowerShell.Utility

https://docs.microsoft.com/en-us/powershell/scripting/developer/module/importing-a-powershell-module?view=powershell-5.1#restricting--the-members-that-are-imported

And Import-Module itself requires Microsoft.PowerShell.Core ;)

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/set-strictmode?view=powershell-5.1

Wouldn't necessarily want it in the published version for obvious reasons, but should use it for development. A quick test shows that right now, $toplevel & $checkfiles aren't initialized explicitly.

I am not sure how to address this warning when I run the scanner. It is showing I am missing a parameter so it is not scanning hidden or system files. Where whould this parameter need to be included to make sure the scan is as complete as possible.

PS C:\WINDOWS\system32> (directory)\checkjndi.ps1
WARNING: -Force not used, will not scan System or Hidden files.

com.intellij.spring.model.xml.jee.JndiLookup is identified as a vulnerability. This class has nothing in common with org.apache.logging.log4j.core.lookup.JndiLookup. See IntelliJ issue.

<#
.Description
Scans filesystem for .jar, war, and ear files that contains log4j code that may be vulnerable to CVE-2021-44228
Supply a top-level directory to begin searching, or default to the current directory.
.PARAMETER Toplevel
Top-level directory to begin search for jar files.
.EXAMPLE
PS> .\checkjindi.ps1
Scan the current directory and subdirectory for jar files.
.EXAMPLE
PS> .\checkjindi.ps1 c:
Scan the entire c:\ drive for jar files.
.SYNOPSIS
Scans filesystem for .jar files that contains log4j code that may be vulnerable to CVE-2021-44228.
#>
param ([string]$toplevel = ".")

#Requires -Version 3.0

Add-Type -Assembly 'System.IO.Compression.FileSystem'

$global:foundvulnerable = $false

function Get-Files {
param (
[string]$topdir
)

$jars = @();
Get-ChildItem -Path $topdir -File -Recurse -Force -Include "*.jar","*.war","*.ear","*.zip","JndiLookup.class" -ErrorAction Ignore | % { $jars += $_ } | out-null

return $jars

}

function Process-JAR {
param (
[Object]$jarfile,
[String]$origfile = "",
[String]$subjarfile = ""
)
try {
$jar = [System.IO.Compression.ZipFile]::Open($jarfile, 'read');
}
catch {
return
}
[bool] $ispatched = 0;
[bool] $hasjndi = 0;
[string] $outputstring = "";

ForEach ($entry in $jar.Entries) {
    #Write-Output $entry.Name;
    if($entry.Name -like "*JndiLookup.class"){
        if ($origfile -eq "")
        {
            $hasjndi = 1;
            $outputstring = "$jarfile contains $entry";
        }
        else
        {
            $hasjndi = 1;
            $outputstring = "$origfile contains $subjarfile contains $entry";
        }
        $TempFile = [System.IO.Path]::GetTempFileName()
        try {
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $TempFile, $true);
            if (Select-String -Path $TempFile -Pattern "JNDI is not supported"){
                $ispatched = 1;
            }
        }
        catch {}
        Remove-Item $TempFile;
    }
    elseif ($entry.Name -like "*MessagePatternConverter.class"){
        $TempFile = [System.IO.Path]::GetTempFileName()
        try {
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $TempFile, $true);
            if (Select-String -Path $TempFile -Pattern "Message Lookups are no longer supported"){
                $ispatched = 1;
            }
        }
        catch {}
        Remove-Item $TempFile;
    }
    elseif (($entry.Name -like "*.jar") -or ($entry.Name -like "*.war") -or ($entry.Name -like "*.ear") -or ($entry.Name -like "*.zip")) {
        if ($origfile -eq "")
        {
            $origfile = $jarfile.FullName
        }
        $TempFile = [System.IO.Path]::GetTempFileName()
        try {
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $TempFile, $true);
            Process-JAR $TempFile $origfile $entry.FullName;
        }
        catch{}
        Remove-Item $TempFile;

    }
}
$jar.Dispose();
if ($ispatched){
    $outputstring = $outputstring + " ** BUT APPEARS TO BE PATCHED **";
}
if ($hasjndi -and $ispatched){
    Write-Host $outputstring;
}
elseif ($hasjndi){
    $global:foundvulnerable = $true
    Write-Warning $outputstring;
}

}

$drives = Get-WmiObject -Class Win32_LogicalDisk | Select -Property DeviceID, DriveType | where {$_.DriveType -eq 3} | select DeviceID

$checkfiles = @()
foreach ($drive in $drives)
{

$topLevel = "$($drive.DeviceID)\"
$checkfiles += Get-Files $topLevel;   

}

ForEach ($checkfile In $checkfiles)
{
if ($checkfile.Name -eq "JndiLookup.class")
{
Write-Host "$checkfile IS JndiLookup.class"
}
else
{
Process-JAR $checkfile;
}
}

if ($global:foundvulnerable -eq $false)
{
"No vulnerable components found"
}

Seems like a problem with the downloaded version.

When this line runs it crashes on some systems and won't continue the scan.

Get-ChildItem -Path $topdir -File -Recurse -Force:$Force -Include ".jar",".war",".ear",".zip","JndiLookup.class" -ErrorAction SilentlyContinue -ErrorVariable UnscannablePaths

If the process gets an “Get-ChildItem : Access to the path 'C:\ProgramData\Templates' is denied” error, it continues scanning

If the process gets an “Get-ChildItem : Access is denied” error, it crashes

To resolve the issue I changed the line to

Get-ChildItem -Path $topdir -File -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable UnscannablePaths | Where-Object {($.extension -eq ".jar") -or ($.extension -eq ".war") -or ($.extension -eq ".ear") -or ($.extension -eq ".zip") -or ($_.Name -eq "JndiLookup.class")}

After making the above change, I also had to change the following two lines.

OLD: Write-Host "$checkfile IS JndiLookup.class"
NEW: Write-Host "$($checkfile.FullName) IS JndiLookup.class"

OLD: Process-JAR $checkfile;
NEW: Process-JAR $checkfile.FullName;

It seems that, in the PowerShell and Python scripts, if the MessagePatternConverter.class is found, it will check and mark the entry as patched if it finds the target text Message Lookups are no longer supported. I'm confused because that entry never outputs to the screen, whether it is marked as patched or not.

Can you explain the purpose of that check?

• What is the intent if the MessagePatternConverter.class does contain Message Lookups are no longer supported?
• What is the intent if the MessagePatternConverter.class does NOT contain Message Lookups are no longer supported?

Although the README does indicate that "this script will by design limit scans to a single filesystem", it's not obvious that checkjndi.py skips directories that are mount points. In our case, we had vulnerable versions of log4j which were on separate partitions but those partitions were excluded from the scan and, as such, we were given false negatives. Only after commenting-out the "filter" line (we have very few NFS mounts) did we get a thorough scan which detected additional vulnerabilities. Recommend adding some output which indicates which directories are being skipped.

$checkfiles = Get-Files $toplevel;
ForEach ($checkfile In $checkfiles) {
    if ($checkfile.Name -eq "JndiLookup.class")
    {
        Write-Warning "$checkfile *IS* JndiLookup.class"
    }
    else
    {
        Process-JAR $checkfile;
    }
}

imho, this whole block from the end of the file should be its own function & called at the end, instead of doing it directly.

Hello,
First thank you for this script.
Second, how can I exclude a directory from the scan (I know it sounds controversial but it is a problem when the script downloads .zip files from one drive / google drive and can potentially jam your machine).

How can I run the PS version and make it scan all drives without knowing in advance which drives exist and which not (for automation so I can scan all servers)?

For hopefully obvious reasons of executionpolicy restrictions

2.12.2 is not vulnerable to CVE-2021-44228.

I am maintaining a collection of samples here that you may find useful for testing: https://github.com/mergebase/log4j-samples

@pester

(Wouldn't want it in the published version however, since that'd require importing non-built in modules which'd make deployment/distribution more difficult in restricted/controlled environments.)

See also #11

Not sure where I'm going wrong using the powershell script. I'm getting the following error "The "<" operator is reserved for future use. ".

It's not needed anywhere else. Would depend on #13.

When I execute the Powershell script on an application server in the lab:

powershell.exe -executionpolicy bypass -file .\checkjndi.ps1 -toplevel C:\ -Force

I'm receiving warnings on DatabaseJndiLookup.class which is not related to JndiLookup.class in log4j-core jar file. See examples below:

See https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_switch?view=powershell-5.1

&

https://docs.microsoft.com/en-us/powershell/scripting/learn/deep-dives/everything-about-switch?view=powershell-5.1

Not sure whether it's a good idea in this particular case yet, however.

The checkjndi.sh script sets a return code of 1 if the unzip program is not found. It should also set a non-zero return code if potential issues are found. Since there is already a flag whether a vulnerable component is found ($foundvulnerable) it would be easy to do so. It should also set a non-zero return code if JndiLookup.class is found.

Title.
This is only a problem on servers with many .jar's,.war's, etc.
It happens due to the order deletion within the subjar loop.

Also the test before the rm commands should be changed from -n to -f to avoid trying to delete non existent files.

Hi, I am new to Ubuntu and MAC. I ran the PowerShell script to find vulnerability on windows. There I mentioned all the Local Hard Drives partitions in a text file and ran the script. Now how do I do it in Linux and MAC machines? I need to scan all the partitions and files. Please provide me with the solution. Thanks in advance.

It looks like the Python version suffers from the same issue that was fixed in 9cd5455 where any error opening the archive will just be swallowed.
See:
https://github.com/CERTCC/CVE-2021-44228_scanner/blob/main/checkjndi.py#L41
https://github.com/CERTCC/CVE-2021-44228_scanner/blob/main/checkjndi.py#L56

Not sure if this is a problem, but it does mean the .py and .ps1 versions behave differently.

Yet another Log4j high severity vulnerability requiring 2.17.0
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
https://logging.apache.org/log4j/2.x/security.html

Both exploded Jars and *.zip are reachable by Java.

(Don't want attackers just renaming WEB-INF/lib/log4j-core-2.1.0.jar to log4j-core-2.1.0.zip to foil scanners!)

Help