What is Log4j?
Log4j is an extremely popular and widely deployed logging utility and framework written in Java. It is one of the most widely used and adopted components in Java-based applications that need to produce structured, standardized log output.
Log4j can be found in all types of applications, including games (e.g. Minecraft), web servers (Apache), and developer tools such as IDEs (e.g. macOS Xcode).
You can read more about Log4j at its official GitHub repository.
What is the Log4j Vulnerability (Log4Shell)?
Log4Shell (CVE-2021-44228), and the related CVE-2021-45046 and CVE-2021-45105, are remote-code execution vulnerabilities in Log4j. An attacker can craft a specific log message that causes the remote Log4j component to download and execute arbitrary code. In many cases this leads to a complete compromise of the victim's device.
More information on the vulnerability can be found in this Wikipedia article.
Is Kolide Impacted by Log4Shell?
No. Neither Kolide's SaaS web application nor Kolide's endpoint agent is impacted by Log4j. None of our components are written in Java, and none have any known Java dependencies.
Kolide will continue to assess the risk created by Log4Shell and future Log4j vulnerabilities with its cloud providers and sub-processors. At this time we believe Kolide cannot be compromised through this vulnerable component via any external provider.
As a customer, how can I use Kolide to locate vulnerable Java apps that use Log4j?
Auditing systems for Log4j vulnerabilities is arduous. Kolide can help by auditing the running JARs for Log4j usage. You can use the following osquery query (developed by Zach Wasserman) to help find them. Because it is limited to running processes and relies on looking for the JNDI lookup class, it is not comprehensive. You can run it directly using this URL.
-- Collect the paths of JAR files that running processes reference, either on
-- their command line or as open file handles.
WITH target_jars AS (
  SELECT DISTINCT path
  FROM (
    -- Recursive CTE: split each process command line on spaces, one word per row.
    WITH split(word, str) AS (
      SELECT '', cmdline || ' '
      FROM processes
      UNION ALL
      SELECT substr(str, 0, instr(str, ' ')), substr(str, instr(str, ' ') + 1)
      FROM split
      WHERE str != ''
    )
    SELECT word AS path
    FROM split
    WHERE word LIKE '%.jar'
    UNION ALL
    SELECT path
    FROM process_open_files
    WHERE path LIKE '%.jar'
  )
)
-- Scan each candidate JAR with YARA. ZIP entry names are stored uncompressed,
-- so the class and package names can be matched as plain strings.
SELECT path, matches
FROM yara
WHERE path IN (SELECT path FROM target_jars)
  AND count > 0
  AND sigrule IN (
    'rule log4jJndiLookup {
      strings:
        $jndilookup = "JndiLookup"
      condition:
        $jndilookup
    }',
    'rule log4jJavaClass {
      strings:
        $javaclass = "org/apache/logging/log4j"
      condition:
        $javaclass
    }'
  );
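The query above only sees JARs that running processes reference. The following Python script is an added example (not Kolide's code and not part of the query above) that complements it by scanning archives on disk for the same indicator, the JndiLookup class, and descending into nested JARs inside shaded or "fat" archives, where a plain filename match would miss a bundled log4j-core. The sample archive it builds is constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

# The class that implements the JNDI lookup in Log4j 2; the osquery/YARA rule above
# keys on the same "JndiLookup" name. The entry path is the same in every affected JAR.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data: bytes, label: str, depth: int = 0, max_depth: int = 5) -> list:
    """Return labels of archives (including nested ones) containing JndiLookup.class.
    Shaded/"fat" JARs embed log4j-core as a nested archive, so every entry with an
    archive suffix is opened in memory and scanned recursively ("outer.jar!inner.jar")."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a ZIP-based archive; nothing to inspect
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_CLASS in names:
            hits.append(label)
        if depth < max_depth:  # bound recursion in case of archive bombs
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    hits.extend(scan_archive(zf.read(name), f"{label}!{name}", depth + 1, max_depth))
    return hits

def scan_directory(root: str) -> list:
    """Walk a directory tree and scan every archive on disk, not just running ones."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits.extend(scan_archive(path.read_bytes(), str(path)))
    return hits

def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {entry name: bytes}; used to construct sample JARs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: an application JAR that shades a log4j-core JAR still shipping JndiLookup.
    inner = build_archive({JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    outer = build_archive({"META-INF/MANIFEST.MF": b"", "lib/log4j-core.jar": inner})
    print(scan_archive(outer, "app.jar"))  # ['app.jar!lib/log4j-core.jar']
```

Run `scan_directory("/opt")` (or any application root) to list every on-disk archive, nested or not, that still ships the lookup class; a hit means the JAR should be upgraded or the class removed per the Log4j project's guidance.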