Hey all,
if you are looking for a solution to find all you vulnerable systems for the log4j (log4shell) issue, you are at the right place ;) With Quest KACE Systems Management Appliance (SMA) you can check your systems for the java libraries and create a report about all you devices.
Link for the action pack: Download
Kind Regards
Timo
https://www.itninja.com/community/customer/file/52
Kind Regards
Timo - Timokirch 2 years ago
Regards,
Sebastian - ZellstoffStendal 2 years ago
The Custom Inventory Rule reads C:\Log4J_hits.txt, but what creates the Log4J_hits.txt file? I think I missed a step.
Thanks! - seanmurphyswlaw 2 years ago
I found my error. I needed to run the imported Script "Log4J detector Windows" from the Scripting menu in KACE SMA first to generate the Log4J_hits.txt file.
Thanks again! - seanmurphyswlaw 2 years ago
Also, when I tried to run the script I get this in the script log:
021-12-20 09:53:29: Alert not enabled, moving to next phase....
2021-12-20 09:53:34: Sending script log4j.ps1 to client....
2021-12-20 09:53:38: Script sent
2021-12-20 09:53:43: Sending dependency log4j-detector-2021.12.20.jar to client....
2021-12-20 09:53:49: Dependency sent
2021-12-20 09:53:49: Executing script....
2021-12-20 10:03:55: The last step timed out after no response from the client. Please try again.
2021-12-20 10:03:55: Error -1 received while executing script
2021-12-20 10:03:55: Run As failed: unspecified error=-1
Also when I tried to run manually on a device all I get is this (and it sits for ever) not sure if it is working or not?
PS C:\WINDOWS\system32> C:\ProgramData\Quest\KACE\scripts\562\log4j2.ps1
java : -- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
At C:\ProgramData\Quest\KACE\scripts\562\log4j2.ps1:1 char:1
+ java -jar C:\ProgramData\Quest\KACE\scripts\562\log4j-detector-2021.1 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (-- github.com/m... take a while).:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Problem: C:\$Recycle.Bin\S-1-5-21-1564419734-2420335311-593277322-500\$IJ8LBP4.zip - Not actually a zip!?! (no magic number)
-- Problem: C:\$Recycle.Bin\S-1-5-21-1564419734-2420335311-593277322-500\$INV7YMW.zip - Not actually a zip!?! (no magic number)
-- Problem: C:\$Recycle.Bin\S-1-5-21-1564419734-2420335311-593277322-500\$IYFM98L.zip - Not actually a zip!?! (no magic number)
Any info would be much appreciated!
Thanks
Jason - jct134 2 years ago
i have tried just now with the latest .jar file of the github project (2021.12.20). The scripts executed all fine but the results are a looking not solid (at least at the first look my test client reported a 2.16 as vulnerable 2.10 version).
can you share your script command so that i can check if that is an issue of SMA or of the new jar version?
Kind Regards
Timo - Timokirch 2 years ago
Tested Version 2021.12.20 - Timokirch 2 years ago
Thanks. - Ted S 2 years ago
feel free to check the github page of the script vendor (https://github.com/mergebase/log4j-detector#itemmore). You can configure the script to just look at a specific path or enable verbose logging. So you could check if you file was checked.
Kind regards - Timokirch 2 years ago