On December 9th, a critical remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2, versions 2.14.1 and below (CVE-2021-44228). Apache Log4j is the most popular Java logging library, with over 400,000 downloads from its GitHub project. The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft and more.
The exploit allows threat actors to take control of Java-based web servers and launch remote code execution attacks.
This SK explains how to check if your endpoints are vulnerable to the Log4j vulnerability published recently.
Check Point provides two scripts to help you check your endpoints and determine whether they are vulnerable to the Log4j vulnerability: one for Windows clients and one for Linux clients.
The script does not determine whether your endpoint was attacked; it only determines whether your endpoint is vulnerable to the Log4j exploit. It also does not block or detect an attack that uses this exploit.
To use the script:
- Download the relevant scripts and save them on your computer:
  - Script for Windows Endpoints
  - Script for Linux Endpoints
- Log in to the Endpoint Management Web Portal and select the Push Operations tab.
- Add a new push operation: click Add > Agent Settings > Remote Command, then click Next.
- Click the + button to add the devices you want to scan with the script. Do this in two passes: select your Windows endpoints in the first pass and your Linux endpoints in the second.
- Complete the Push Operation window with the following details:
  - Comment: Add a comment that helps you identify the push operation, for example "Check Log4j Vulnerability".
  - Type: "Unsigned Power Shell"
  - User Settings: Select Currently logged-in User or a Custom user, and provide the credentials of that user.
  - Click Upload and select the Windows script downloaded earlier for Windows endpoints, or the Linux script downloaded earlier for Linux endpoints.
  - Parameters: leave blank
  - Arguments: leave blank
  - Select the scheduling you prefer.
- Click Finish.
When the Push Operation is set, the script runs on your endpoints.
You can monitor the results in the Operation Output column of the Endpoint List:
- A message of "No vulnerabilities found" means that the endpoint is not vulnerable.
- Any other message means that the endpoint is potentially vulnerable. In this case, we recommend taking action to secure the endpoint, for example by uninstalling the software that contains the vulnerable files.
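The Check Point scripts themselves are not reproduced in this SK. As an added example (not Check Point's script), the following POSIX shell scan performs the same kind of check on a Linux endpoint: it locates log4j-core jars by filename and flags those whose version falls in the range named above (Log4j 2, up to and including 2.14.1). It assumes jars carry the conventional `log4j-core-<version>.jar` name; shaded or renamed copies and jars nested inside WAR/EAR archives are not detected, so a clean result here is not proof of absence.

```shell
#!/bin/sh
# Added example, not Check Point's script: report log4j-core jars whose
# version is a Log4j 2 release at or below 2.14.1 (the range named in the SK).

# Returns 0 (true) when VERSION is 2.x and <= 2.14.1; 1 otherwise.
# Pre-release suffixes such as "2.0-beta9" are compared on their base number.
log4j_version_vulnerable() {
  ver=$1
  base=${ver%%-*}                       # "2.0-beta9" -> "2.0"
  case "$base" in *.*) ;; *) return 1;; esac   # need at least major.minor
  major=${base%%.*}; rest=${base#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$rest" = "$minor" ] && patch=0     # "2.14" has no patch component
  case "$major$minor$patch" in *[!0-9]*) return 1;; esac   # not a version
  [ "$major" -eq 2 ] || return 1        # only the Log4j 2 line is in scope
  [ "$minor" -lt 14 ] && return 0
  [ "$minor" -eq 14 ] && [ "$patch" -le 1 ] && return 0
  return 1
}

# Walks the given directory roots, prints one "VULNERABLE <path>" or
# "OK <path>" line per log4j-core jar found, and returns 0 only when no
# vulnerable jar was seen (so the exit status can drive an alert).
scan_for_log4j() {
  hits=$(find "$@" -type f -name 'log4j-core-*.jar' 2>/dev/null || true)
  status=0
  oldifs=$IFS; IFS='
'                                       # split on newlines only: paths may contain spaces
  set -f                                # no glob expansion of path characters
  for jar in $hits; do
    name=${jar##*/}                     # log4j-core-2.14.1.jar
    ver=${name#log4j-core-}; ver=${ver%.jar}
    if log4j_version_vulnerable "$ver"; then
      echo "VULNERABLE $jar"; status=1
    else
      echo "OK $jar"
    fi
  done
  set +f; IFS=$oldifs
  return $status
}

# Usage when run directly, e.g.:  sh scan_log4j.sh /opt /srv /usr/share
# With no arguments nothing is scanned (so the functions can be sourced).
[ "$#" -gt 0 ] && scan_for_log4j "$@"
```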