Check for JAR Files (possibly) affected by CVE-2021-44228

This Server Configuration Monitor script will check for JAR files on all drives and see if they make reference to the JndiLookup class. Currently, this profile will not dig further than just checking if the files exist. In other words, it does not check the version to see if it's an affected version.

Later versions may include additional updates.

KMSigma.SWI

Parents

the_ben_keen over 2 years ago

Remember, to install a SCM Profile, you must be logged into your instance as a User with SCM Admin access. If you go to Settings > All Settings > Server Configuration Manager Settings and get a 404 error, go to User Management, edit the account you are trying to use and scroll to the bottom and expand the "Server Configuration Monitor Settings. Change the "SCM User Role" from User to Admin. Save the changes and then go back to the SCM settings. Click on the "Profile" tab and upload the profile you just downloaded from this article.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
perkin.lee over 2 years ago in reply to the_ben_keen

is there a way to implement this without SCM? We are not running SCM and are also in need of a solution to find these JAR files
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel

KMSigma.SWI over 2 years ago in reply to perkin.lee

Not with this profile, but if you crack open the file, the PowerShell is...

# Get a list of all the local drives on the Machine
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
# Search each drive for all JAR files ('*.jar')
$JarFiles = Get-ChildItem -Path $Drives -File -Recurse -Include '*.jar' -Force -ErrorAction SilentlyContinue
# Search through the contents of all these files for the JndiLookup class.
$Results = $JarFiles | Select-String -Pattern 'JndiLookup.class' | Select-Object -Property Path -Unique | Sort-Object -Property Path
if ( $Results ) {
   Write-Host 'Possibly affected JAR files found at:'
   $Results
}
else {
   Write-Host 'No matching JAR files found.'
}

Then you'd just need to run this on every server in your environment. Alternatively, you can setup a 30-day free trial of SCM and import this profile.

Please note that this is incredibly disk intensive and doesn't run in a few seconds. On one of my servers (with 5 drives and millions of files) it took 11 minutes.

sunvad over 2 years ago in reply to KMSigma.SWI

How about with "Windows PowerShell Monitor" component adding it to a new template?
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
KMSigma.SWI over 2 years ago in reply to sunvad

You can try, but I wouldn't trust you to have much luck considering the limitations imposed by the PowerShell Session that's used when calling remote scripts (intentionally for security). That being said, if you get something working (which doesn't timeout - this thing can run for a LOOOONG time), then please share it up in the SAM Applications Template space.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
KMSigma.SWI over 2 years ago in reply to KMSigma.SWI

I made thins thing JAR File Check [CVE-2021-44228] for SAM, but it comes with a bunch of caveats. Please read the post before enabling it.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel

Comment

KMSigma.SWI over 2 years ago in reply to KMSigma.SWI

I made thins thing JAR File Check [CVE-2021-44228] for SAM, but it comes with a bunch of caveats. Please read the post before enabling it.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel

Children

No Data