Check for JAR Files (possibly) affected by CVE-2021-44228

This Server Configuration Monitor script will check for JAR files on all drives and see if they make reference to the JndiLookup class. Currently, this profile will not dig further than checking whether such files exist. In other words, it does not check the log4j version to see if it's an affected version.

Later versions may include additional updates.

Anonymous
  • I made this thing JAR File Check [CVE-2021-44228] for SAM, but it comes with a bunch of caveats.  Please read the post before enabling it.

  • Do you have a query to find which nodes returned results?   From what I can see, the listing isn't available through SWQL or SQL.

  • You can try, but I wouldn't trust you to have much luck considering the limitations imposed by the PowerShell Session that's used when calling remote scripts (intentionally for security).  That being said, if you get something working (which doesn't time out - this thing can run for a LOOOONG time), then please share it up in the SAM Applications Template space.

  • How about with "Windows PowerShell Monitor" component adding it to a new template?

  • Not with this profile, but if you crack open the file, the PowerShell is...

    # Get a list of all the local drives on the machine
    $Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
    # Search each drive for all JAR files ('*.jar'); unreadable paths are skipped silently
    $JarFiles = Get-ChildItem -Path $Drives -File -Recurse -Include '*.jar' -Force -ErrorAction SilentlyContinue
    # Search the contents of all these files for the JndiLookup class. A JAR is a ZIP, and
    # entry names are stored uncompressed in its central directory, so a literal match on
    # 'JndiLookup.class' finds it; -SimpleMatch keeps the '.' from being read as a regex wildcard.
    $Results = $JarFiles | Select-String -Pattern 'JndiLookup.class' -SimpleMatch | Select-Object -Property Path -Unique | Sort-Object -Property Path
    if ( $Results ) {
       Write-Host 'Possibly affected JAR files found at:'
       $Results
    }
    else {
       Write-Host 'No matching JAR files found.'
    }

    Then you'd just need to run this on every server in your environment.  Alternatively, you can set up a 30-day free trial of SCM and import this profile.

    Please note that this is incredibly disk intensive and doesn't run in a few seconds.  On one of my servers (with 5 drives and millions of files) it took 11 minutes.
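For readers who want more than the existence check the script above gives, here is an added Python example (not the SCM profile's script and not from anyone in this thread) that opens each JAR as a ZIP, looks for the JndiLookup entry in the central directory instead of grepping raw bytes, recurses into nested JAR/WAR/EAR files such as fat JARs, and reports the log4j-core version from the Maven pom.properties path that log4j-core ships with. The WAR fixture is constructed for the demo; `scan_tree` is the piece you would point at a drive root.

```python
# Added example (not the SCM profile's script): inspect JARs as ZIP archives.
import io, os, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def scan_archive(data: bytes, name: str) -> list:
    """Findings for one archive, recursing into JAR/WAR/EAR entries nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP container, so not a JAR we can inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                kv = dict(line.split("=", 1) for line in props if "=" in line)
                version = kv.get("version", "unknown").strip()
            findings.append({"path": name, "log4j_core_version": version})
        for entry in names:  # fat JARs and WARs bundle log4j-core as a nested archive
            if entry.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(entry), f"{name}!/{entry}"))
    return findings


def scan_tree(root: str):
    """Walk a drive like Get-ChildItem -Recurse -Include '*.jar', yielding findings."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                try:
                    with open(os.path.join(dirpath, f), "rb") as fh:
                        yield from scan_archive(fh.read(), fh.name)
                except OSError:
                    pass  # unreadable file, as with -ErrorAction SilentlyContinue


def build_sample_war(version: str) -> bytes:
    """Constructed fixture: a WAR wrapping a minimal fake log4j-core JAR."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr(POM_PROPS, f"version={version}\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()
```

A reported version of "unknown" means the class is present but the JAR carries no Maven metadata, so it still needs a manual look rather than being dismissed.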