Hashim Nangarhari

Log4j vulnerability in Solaris

The following command detects the log4j vulnerability on Linux systems:

sudo grep -r --include "*.jar" JndiLookup.class /

But it is not working on Solaris systems.

Are there any alternatives for Solaris?

Last Comment
noci

8/22/2022 - Mon
rindi

What happens when you try that command, what messages do you get? Could it be possible that the command "sudo" can't be found?

I'm not familiar with Solaris, but while some Linux distros use sudo by default to perform commands that should only be done by root, others haven't even installed sudo or set it up... In those cases you have to log in as root and then enter your command without sudo, or install sudo from your repository and then set it up...
Hashim Nangarhari

ASKER
Thank you for your comment.
My concern is how to detect the existence of log4j in Solaris.
I do not care for the command.
ASKER CERTIFIED SOLUTION
noci

btan

Better to use java.exe to run the detector jar file to scan for the jar files. Here are two tools:

https://github.com/mergebase/log4j-detector

Usage

java -jar log4j-detector-2021.12.16.jar 

Usage: java -jar log4j-detector-2021.12.16.jar [--verbose] [paths to scan...]


https://github.com/logpresso/CVE-2021-44228-Scanner
On UNIX (AIX, Solaris, and so on)
java -jar logpresso-log4j2-scan-1.7.0.jar [--fix] target_path

David Johnson, CD

If the Java runtime is not installed then you are OK... Java can't run without the JDK/JRE.
Hashim Nangarhari

ASKER
@noci
Would you explain:
find / -name '*log4*.jar'   -exec bash -c "unzip -l '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class | grep JndiLookup"  \;

Is it safe?
noci

find - a program to create a list of files... (or run commands on files).
/ - is search starting place (root filesystem)
-name - the match for the files
-exec - run a program...
bash -c "................" - run a shell command
unzip -l '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class - check if a file is present in the archive (.jar are zip archives).
grep Jndi... - filters the unzip output to only show lines having Jndi... on them.

Is it safe... yes.


BTW: new insights are that you CANNOT rely on the name of the problematic .jar being log4j.....
Several products just added the log4j as a jar in a jar, or renamed the outer .jar, or even built a complete new kit with the files from a broken log4j included in their own product jar. (Commvault has an archive module that does this.) To add insult to injury..., your .jar file might be called .war, .ear, .eer .. depending on the deployment platform you use for web applications.
(This is quickly becoming a HUGE MESS...)
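
Added example, not part of the thread or of any participant's answer: the last comment's point that the archive name cannot be trusted, written as a Python 3 scanner that identifies zip archives by content and follows archives nested inside archives. It assumes Python 3 is available on the host; `MAX_DEPTH`, `MAX_ENTRY` and the sample file names are assumptions chosen for illustration.

```python
import io
import os
import sys
import zipfile
import zlib

CLASS_NAME = "JndiLookup.class"  # class file the grep/unzip commands look for
MAX_DEPTH = 4                    # assumed cap on archive-in-archive nesting
MAX_ENTRY = 256 * 1024 * 1024    # assumed cap on a nested archive held in memory

def scan_archive(source, label, depth=0):
    """Return 'outer!inner!entry' strings for every JndiLookup.class found."""
    hits = []
    try:
        with zipfile.ZipFile(source) as zf:
            for info in zf.infolist():
                if info.filename.rsplit("/", 1)[-1] == CLASS_NAME:
                    hits.append(f"{label}!{info.filename}")
                elif depth < MAX_DEPTH and 0 < info.file_size <= MAX_ENTRY:
                    with zf.open(info) as entry:  # test content, not the name
                        is_zip = entry.read(4) == b"PK\x03\x04"
                    if is_zip:
                        nested = io.BytesIO(zf.read(info))
                        hits += scan_archive(nested, f"{label}!{info.filename}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError, NotImplementedError, zlib.error):
        pass  # corrupt, unreadable or encrypted archive: keep what was found so far
    return hits

def scan_tree(root):
    """Scan every regular file under root that is a zip archive by content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path) and zipfile.is_zipfile(path):
                hits += scan_archive(path, path)
    return hits

def build_sample(directory):
    """Constructed sample: the class in a renamed archive nested inside a .war."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"")
    with zipfile.ZipFile(os.path.join(directory, "vendor-module.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/bundled.bin", inner.getvalue())

if __name__ == "__main__":
    for root in sys.argv[1:] or ["."]:
        print(*scan_tree(root), sep="\n")
```

A hit shows only that the class is present in that archive; whether that copy of log4j is a vulnerable version still has to be checked separately.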