Updated version of the CVE-2021-44228-log4j plugin available

Version 20220309.v0.1.4 of the CVE-2021-44228-log4j plugin is available here

What's new:

  • updated the scanner to version 3.0.1. The new scanner version shows which user is running the scan and will report scan errors on missing permissions.
  • added “Report safe files” (scanner option --report-patch)
  • added “Use logpresseo log watch” (scanner option --api-key/--http-proxy) see Logpresso Watch for more information
  • moved the executables to a separate MKP package log4j_executables-2020305.v3.0.1.mkp (The version of this package refers to the logpresso scanner version).

IMPORTANT: If you update from a previous version, you need first to uninstall the old cve_2021_44228_log4j package. Then install the new cve_2021_44228_log4j package and the log4j_executables-2020305.v3.0.1.mkp package.

For the executable to get deployed you need 2 new bakery rules (Linux/Windows).
Go to: Setup > Agents > Windows, Linux, Solaris, AIX > Agent rules > log4j CVE scanner executable

I forgot to mention one thing: the log4j_executables-2020305.v3.0.1.mkp package requires at least CMK 2.0.0p21. So before you update the package you might need to update your CMK system. Why?

Thanks again for your work.
Ralf

Hi,

2.0.0.p21, cve_2021_44228_log4j package is installed on our virt1.
If I try to install the new package I’ve got the following error:

“This package cannot be installed: File conflict: /omd/sites/ui/local/share/check_mk/agents/plugins/log4j2-scan.linux is part of another package.”

What do I have to do?
Thanks for a short feedback.
Timo

Was an older version of this package installed on your virt1?

No, I have installed the current version from the exchange.

ok, that’s not the latest package, but that’s ok. So you haven’t installed any log4 package other than the one from the Exchange (version 20220205.v0.1.2)? It’s a little strange then. The Error message says the file /omd/sites/ui/local/share/check_mk/agents/plugins/log4j2-scan.linux is already there and belongs to another package. I only know this error,

  • if you first install the log4_executable (log4j_executables-2020305.v3.0.1.mkp) package and
    then try to install the package from the exchange
  • update the plugin to the latest version
    without first uninstalling it and then trying to install the executable package.

If you have done this, you can either remove the log4_executable package and use the package from the exchange, or use the latest version of this plugin (along with the executable package) available here on my git repository (it’s the same as in the update announcement).

Thanks for your quick response!
I removed everything from my “old” config: extensions, agent rules, etc. Downloaded v20220205 from your GitHub, 3.0.5 too. Upload completed successfully! Reassigned my rules. After a couple of minutes, the first servers show me new data:

2022-03-17T08:35:13+01:00
SCAN OPTIONS: --all-drives --report-path c:\windows\temp\log4j_report.json --report-json --scan-logback --scan-log4j1 --scan-zip --silent
SCRIPT VERSION: 20220114.v0.0.4
BAKERY VERSION: 20220307.v0.1.2

Logpresso CVE-2021-44228 Vulnerability Scanner 3.0.1 (2022-02-13)

I think, issue is resolved…

Regards
Timo

happy to help ;-). One thing, there is no need to remove the rules before updating from version 20220205.v0.1.2 to 20220309.v0.1.4. You need only uninstall the old package and install both new packages (CVE-2021-44228-log4j and log4j_executables-2020305.v3.0.1.mkp).

Hey.
If I want to use the option "exclude path (bulk)" (20220309.v0.1.4 + 20200305.v3.0.1), I always get the following error in the bakery…

Agentenbacken und signieren. für alle Hosts gestartet...
2022-05-06 17:00:21,390 [30] [cmk.web.automations 21062] 'check_mk --automation bake-agents' returned 'Error creating agent for COMKDBCLNCTMP01: Error in bakery plugin "cve_2021_44228_log4j" ("files" section): not enough values to unpack (expected 2, got 1)

Traceback (most recent call last):
  File "/omd/sites/itsm/lib/python3/cmk/base/cee/bakery/agent_bakery.py", line 338, in _collect_bakelet_objects
    objects += function(**func_args)
  File "/omd/sites/itsm/lib/python3/cmk/base/cee/api/bakery/function_types.py", line 98, in filtered_generator
    for element in function(*args, **kwargs):
  File "", line 173, in get_cve_2021_44228_log4j_files
ValueError: not enough values to unpack (expected 2, got 1)
.
'
2022-05-06 17:00:21,391 [40] [cmk.web.automations 21062] Error running 'check_mk --automation bake-agents' (exit code 2)
2022-05-06 17:00:21,393 [40] [cmk.web.background-job 21062] Exception in background function
Traceback (most recent call last):
  File "/omd/sites/itsm/lib/python3/cmk/gui/background_job.py", line 210, in _execute_function
    func_ptr(*args, **kwargs)
  File "/omd/sites/itsm/lib/python3/cmk/gui/cee/plugins/wato/agent_bakery/misc.py", line 897, in bake_agents_background_job
    watolib.check_mk_local_automation('bake-agents',
  File "/omd/sites/itsm/lib/python3/cmk/gui/watolib/automations.py", line 140, in check_mk_local_automation
    raise _local_automation_failure(
cmk.utils.exceptions.MKGeneralException: Error running automation call bake-agents (exit code 2), error: 

Error creating agent for COMKDBCLNCTMP01: Error in bakery plugin "cve_2021_44228_log4j" ("files" section): not enough values to unpack (expected 2, got 1)

Traceback (most recent call last):
  File "/omd/sites/itsm/lib/python3/cmk/base/cee/bakery/agent_bakery.py", line 338, in _collect_bakelet_objects
    objects += function(**func_args)
  File "/omd/sites/itsm/lib/python3/cmk/base/cee/api/bakery/function_types.py", line 98, in filtered_generator
    for element in function(*args, **kwargs):
  File "", line 173, in get_cve_2021_44228_log4j_files
ValueError: not enough values to unpack (expected 2, got 1)
.


Ausnahme: Error running automation call bake-agents (exit code 2), error: 

Error creating agent for COMKDBCLNCTMP01: Error in bakery plugin "cve_2021_44228_log4j" ("files" section): not enough values to unpack (expected 2, got 1)

Traceback (most recent call last):
  File "/omd/sites/itsm/lib/python3/cmk/base/cee/bakery/agent_bakery.py", line 338, in _collect_bakelet_objects
    objects += function(**func_args)
  File "/omd/sites/itsm/lib/python3/cmk/base/cee/api/bakery/function_types.py", line 98, in filtered_generator
    for element in function(*args, **kwargs):
  File "", line 173, in get_cve_2021_44228_log4j_files
ValueError: not enough values to unpack (expected 2, got 1)

@Rene should be fixed now. If you like, give it a try.

It works without problems. Many thanks for the quick help/fix!
Best regards and a happy weekend!