The zero-day exploit Log4Shell endangers numerous servers in companies, being a critical vulnerability in the widely used Java library Log4j. Finding servers with the affected libraries is a priority, so that sysadmins can remediate this threat. Checkmk allows system administrators to easily identify such vulnerable systems in their IT infrastructure and take countermeasures.

With Log4Shell, a new zero-day exploit has become known since last Friday, which puts numerous servers at a critical risk. The exploit allows a flaw in the popular Java library Log4j to be exploited and a shell to be obtained on a server. This allows arbitrary code to be executed on the server and the system to be compromised. The exploit impacts every system running the Java library. That means Log4j affects Windows servers as well as Linux systems.

It is therefore particularly important for system administrators to now be able to identify all systems in their IT infrastructure that use the affected Log4j library. This is the only way to protect the systems from being compromised and to initiate security measures, such as applying security updates. With Checkmk, you are able to automatically identify these systems in your IT infrastructure, regardless if they are running on Linux or Windows.

Service in Checkmk detecting log4j libraries

This is possible thanks to Checkmk's rapid extensibility. For example, the monitoring software is able to use a local check to search the file system on a server specifically for the affected Log4j2 modules. The local checks in Checkmk allow you to quickly and easily extend your monitoring. You can distribute these small scripts to the appropriate servers and get for example an overview of all Linux and Windows servers where Log4j2 libraries are installed.

Update from December 20th:

In the meantime the Checkmk Community worked on and created a sophisticated plugin that you can install as an extension package to your monitoring. The plugin helps you to detect all systems in your IT infrastructure which are affected by the Log4j exploit. All information about the plugin can be found below.

Vulnerability scanner and mitigation patch for Log4j2

Updated on December, 16th 2020 at 01:00pm (CET)

The Checkmk Community reacted very fast to the exploit and shared their first scripts for Checkmk to detect Log4j2 vulnerabilities in their IT infrastructure. Forum user Doc used log4j2-scan to write a shell script for CVE-2021-44228 vulnerability scanning and mitigation patching for Linux servers:

#!/bin/bash

# Christian Wirtz, 2021-12-15
# Wrapper around:
# https://github.com/logpresso/CVE-2021-44228-Scanner
# for checkmk usage - used Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.2
# https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.6.2/logpresso-log4j2-scan-1.6.2-linux.tar.gz
# extract this into ../../bin/

DESTPATH="/usr/"
COUNT=0
RESULT=`/usr/lib/check_mk_agent/bin/log4j2-scan $DESTPATH`

FILES_VUL=`echo "$RESULT" | grep "vulnerable files" | grep -v "potentially vulnerable files" | awk '{ print $2 }'`
FILES_POTVUL=`echo "$RESULT" | grep "potentially vulnerable files" | awk '{ print $2 }'`
FILES_MIT=`echo "$RESULT" | grep "mitigated files" | awk '{ print $2 }'`
SCANNED=`echo "$RESULT" | grep "Scanned"`
RUNTIME=`echo "$RESULT" | grep "Completed in" | awk '{ print $3 }'`
SHORT="$FILES_VUL vulnerable files, $FILES_POTVUL potentially vulnerable files, $FILES_MIT mitigated files, $SCANNED, Runtime: $RUNTIME s"
LONG=`echo "$RESULT" | awk 1 ORS='\\\\n'`
PERFDATA="vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"

echo "P CVE-2021-44228_log4j_$DESTPATH $PERFDATA $SHORT (searchpath: $DESTPATH)\n$LONG"

You might want to adjust the DESTPATH depending on how broad you want to search. Please keep in mind to place the script and log4j2-scan bin (tested with v1.6.2) in the right folder of the agent of the host and make them executable. The structure under /usr/lib/check_mk_agent/ should be:

|-- bin
|   `-- log4j2-scan
`-- local
    `-- 86400
        `-- check_CVE-2021-44228_log4j.sh

The log4j2-scan creates a service detects CVE-2021-44228 vulnerability in your infrastructure

You can easily install CVE-2021-44228_log4j by using it as local check. Be aware to insert the current version of the binaries log4j-scan AND log4j2-scan.exe in the right folder. The binaries can be found on the GitHub repo of Logpresso.

If you want to identify vulnerable Windows systems you can also easily do this with a local check. With both scripts, Checkmk can help you to quickly track down all systems that are vulnerable to the Log4Shell exploit.

Local check to detect Log4j2 on Windows servers

Based on the work of Doc, thl-cmk, adopted the Windows script for the latest version of log4j2-scan.exe (v.1.6.2)

<#
 thl-cmk@outlok.com, 2021-12-15
 Wrapper around: https://github.com/logpresso/CVE-2021-44228-Scanner
 for checkmk usage based on the bash script by Christian Wirtz
#>

$RESULT=(C:\ProgramData\checkmk\agent\bin\log4j2-scan.exe --all-drives)
$FILES_VUL=((echo $RESULT | Select-String -Pattern "vulnerable files" | Select-String -Pattern "potentially vulnerable files" -NotMatch | Select-String -Pattern "Fixed" -NotMatch) -split ' ')[1]
$FILES_POTVUL=((echo $RESULT | Select-String -Pattern "potentially vulnerable files") -split ' ')[1]
$FILES_MIT=((echo $RESULT |  Select-String -Pattern "mitigated files") -split ' ')[1]
$SCANNED=(echo $RESULT | Select-String -Pattern "Scanned" | Select-String -Pattern "Running scan" -NotMatch)
$RUNTIME=((echo $RESULT | Select-String -Pattern "Completed in" ) -split ' ')[2]
$DRIVES_SCANNED=((echo $RESULT | Select-String -Pattern "Scanning drives" ) -split ' ')[2]
$SHORT="Files: $FILES_VUL vulnerable, $FILES_POTVUL potentially vulnerable, $FILES_MIT mitigated, $SCANNED, Runtime: $RUNTIME s, drives: $DRIVES_SCANNED"
$PERFDATA="vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"
$LONG=$RESULT -join "\n"

# if someone needs the count metric uncomment the next line (count and vulnerable metric are identical)
#$PERFDATA="count=$FILES_VUL;1;1|vulnerable=$FILES_VUL;1;1|potential_vulnerable=$FILES_POTVUL;1;1|mitigated=$FILES_MIT;;|real_time=${RUNTIME};;;1;"

echo "P CVE-2021-44228_log4j $PERFDATA $SHORT\n$LONG"

The local check for Windows platforms needs to be placed in the directory %ProgramData%\checkmk\agent\local\ on the target host. The binary for the script log4j2-scan.exe must be downloaded from GitHub and inserted in the directory %ProgramData%\checkmk\agent\bin\. Now the check should work and you can detect Log4j on Windows servers in your infrastructure.

Fast response to Log4Shell exploit

In the Checkmk Community the Spanish user a3093 was one of the first members, who shared such a script for Checkmk to track down the Log4j2 libraries in the IT infrastructure in our forum. If you are interested into the conversation check out the topic in our forum. The script scans all systems for potentially affected .jar files.

A detailed guide on how to roll out local checks on your systems to detect Log4j2 modules on Windows servers or Linux systems can be read in detail in our documentation.

Checkmk plugin scans for vulnerable Log4j systems

Updated on December, 21th 2021 at 7 pm (CET)

Due to the excellent spirit in the Checkmk community, a sophisticated plugin for Checkmk has been created in the meantime from Doc's script by thl_cmk, which not only rolls out the CVE-2021-44228-Scanner of Logpresso (version 2.3.1 for Linux and Windows from 12/19/2021), but also takes into account the different outputs the tool delivers from newer versions on. In this way, it is possible to detect vulnerable Log4j libraries on Windows and Linux systems in your infrastructure and to customize the time series data for the service in Checkmk.

The plugin discovers the following Log4j issues:

You can download the plugin as MKP here. After downloading it can be rolled out on the target system(s) for Checkmk Enterprise Edition users via the Agent Bakery. Attention: Before you use the package please remove all older versions or the local checks related to this plugin.

If you want to use the plugin with the Checkmk Raw Edition, please follow these instructions from thl_cmk. It also covers the deployment on AIX/Solaris systems and provides some help for troubleshooting in case the plugin does not work.

Having such a flexible method available in Checkmk comes in handy often, especially when dealing with vulnerabilities.


Related Articles

The hidden cost of false positive alerts
The hidden cost of false positive alerts
As explained in the previous article, most IT operations teams err on the side of caution when it comes to alerting. In other words, they are…
Dealing with false alerts in monitoring
Dealing with false alerts in monitoring
In statistics, we must always deal with two types of errors, typically referred to as ‘Type I’ and ‘Type II’. A Type I error is, in statisticians’…
Improve the communication of alerts with SIGNL4
Improve the communication of alerts with SIGNL4
There is a critical incident in production or IT. Several services have been impacted, business and customers are seriously affected. Luckily, with…