Support Center > Search Results > SecureKnowledge Details
Detecting Log4j Vulnerability on Endpoint environment Technical Level
On December 9th, an acute remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2 versions 2.14.1 and below (CVE-2021-44228). Apache Log4j is the most popular java logging library with over 400,000 downloads from its GitHub project. The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft and more.

The exploit allows threat actors to control java-based web servers and launch remote code execution attacks.

This SK explains how to check if your endpoints are vulnerable to the Log4j vulnerability published recently.

Check Point provides two scripts to assist you to check your endpoints and determine if they are vulnerable to the Log4j vulnerability, one for Windows clients, and one for Linux clients.
The script does not determine if your endpoint was attacked, it only determine if your endpoint is vulnerable to the Log4j exploit, additionally, it does not block or detect an attack using this exploit.

To use the script:
  1. Download the relevant scripts, and save them on your computer
    Script for Windows Endpoints
    Script for Linux Endpoints

  2. Log in to the Endpoint Management Web Portal, and select the Push Operations tab

  3. Add a new push operation: Click Add > Agent Settings > Remote Command. Then, click the Next button

  4. Click the + button to add the devices you want to scan with the script. As a first stage select your Windows endpoints, and at the second phase select your Linux endpoints.

  5. Complete the details for the Push Operation window according to the following details:
    1. Comment: Add a comment to help you identify the push operation. For example, "Check Log4j Vulnerability"
    2. Type: "Unsigned Power Shell"
    3. User Settings: Select Currently logged-un User or a Custom user, and provide the credentials of that user.
    4. Click Upload, and select the Windows script downloaded earlier for Windows endpoints, or the Linux script downloaded earlier for Linux endpoints
    5. Parameters: leave blank
    6. Arguments: leave blank
    7. Select the scheduling you prefer

  6. Click Finish

When the Push Operation is set, the script runs on your endpoints.
You can monitor the results by looking at the Operation Output column of the Endpoint List:
  • A message of "No vulnerabilities found" means that the endpoint is not vulnerable.
  • Any other message, means that the endpoint is potentially vulnerable. In this case, we recommend to take an action to secure the endpoint. An example of such an action can be uninstallation of the software with the vulnerable files.

Give us Feedback
Please rate this document