asked on log4j vulnerability in solaris
the following command detect log4j vulnerability in Linux systems:
sudo grep -r --include "*.jar" JndiLookup.class /
but it is not working for Solaris systems .
is there any alternatives for Solaris ?
Linux* Solaris ClusterSecurityVulnerabilities
Last Comment
noci
ASKER
thank you for your comment .
my concern is how to detect the existence of log4j in solaris
I do not care for the command
my concern is how to detect the existence of log4j in solaris
I do not care for the command
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Better to use java.exe to run the detector jar file to scan for the jars files. Here are two tools
https://github.com/mergebase/log4j-detector
https://github.com/logpresso/CVE-2021-44228-Scanner
On UNIX (AIX, Solaris, and so on)
https://github.com/mergebase/log4j-detector
Usage
java -jar log4j-detector-2021.12.16.jar
Usage: java -jar log4j-detector-2021.12.16.jar [--verbose] [paths to scan...]
https://github.com/logpresso/CVE-2021-44228-Scanner
On UNIX (AIX, Solaris, and so on)
java -jar logpresso-log4j2-scan-1.7.0.jar [--fix] target_path
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
it the java runtime is not installed then you are ok... java can't run without the JDK/JRE
ASKER
@noci
would you explain :
find / -name '*log4*.jar' -exec bash -c "unzip -l '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class | grep JndiLookup" \;
is it safe ?
would you explain :
find / -name '*log4*.jar' -exec bash -c "unzip -l '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class | grep JndiLookup" \;
is it safe ?
find a program to create a list of files... (or run commands on files).
/ is search starting place (root filesystem)
-name the match for the files
-exec run a program...
bash -c "................" run a shell command
unzip -l '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class - check if a file is present in the archive (.jar are zip archives).
grep Jndi... filters the unzip output to only show line having Jndi... on it.
Is it safe... yes.
BTW: new insights are you CANNOT rely on the name of the problematic .jar being log4j.....
several products just added the log4j as a jar in a jar, or renamed the outer .jar or even build a complete new kit with the files from a broken log4j included in their own product jar. (Commvault has a archive module that does this). To add insult to the injure..., you .jar file might be called .war, .ear, .eer .. depending on the deployment platform you use for web applications.
(this is quickly becoming a HUGE MESS...).
/ is search starting place (root filesystem)
-name the match for the files
-exec run a program...
bash -c "................" run a shell command
unzip -l '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class - check if a file is present in the archive (.jar are zip archives).
grep Jndi... filters the unzip output to only show line having Jndi... on it.
Is it safe... yes.
BTW: new insights are you CANNOT rely on the name of the problematic .jar being log4j.....
several products just added the log4j as a jar in a jar, or renamed the outer .jar or even build a complete new kit with the files from a broken log4j included in their own product jar. (Commvault has a archive module that does this). To add insult to the injure..., you .jar file might be called .war, .ear, .eer .. depending on the deployment platform you use for web applications.
(this is quickly becoming a HUGE MESS...).
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
I'm not familiar with Solaris, but while some Linux Distro's use sudo by default to perform commands that should only be done by root, others haven't even installed sudo or set it up... In those cases you have to login as root & then enter your command without sudo, or install sudo from your repository then set it up...