Check for JAR Files (possibly) affected by CVE-2021-44228

This Server Configuration Monitor script will check for JAR files on all drives and see if they make reference to the JndiLookup class.  Currently, this profile will not dig further than just checking if the files exist.  In other words, it does not check the version to see if it's an affected version.

Later versions may include additional updates.

  • Remember, to install an SCM Profile, you must be logged into your instance as a User with SCM Admin access.  If you go to Settings > All Settings > Server Configuration Manager Settings and get a 404 error, go to User Management, edit the account you are trying to use, scroll to the bottom, and expand the "Server Configuration Monitor Settings".  Change the "SCM User Role" from User to Admin.  Save the changes and then go back to the SCM settings.  Click on the "Profile" tab and upload the profile you just downloaded from this article.

  • Is there a way to implement this without SCM? We are not running SCM and are also in need of a solution to find these JAR files.

  • Not with this profile, but if you crack open the file, the PowerShell is...

    # Get a list of all the local drives on the Machine
    $Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
    # Search each drive for all JAR files ('*.jar')
    $JarFiles = Get-ChildItem -Path $Drives -File -Recurse -Include '*.jar' -Force -ErrorAction SilentlyContinue
    # Search through the contents of all these files for the JndiLookup class.
    $Results = $JarFiles | Select-String -Pattern 'JndiLookup.class' | Select-Object -Property Path -Unique | Sort-Object -Property Path
    if ( $Results ) {
       Write-Host 'Possibly affected JAR files found at:'
       $Results
    }
    else {
       Write-Host 'No matching JAR files found.'
    }

    Then you'd just need to run this on every server in your environment.  Alternatively, you can set up a 30-day free trial of SCM and import this profile.

    Please note that this is incredibly disk intensive and doesn't run in a few seconds.  On one of my servers (with 5 drives and millions of files) it took 11 minutes.
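
A variant of the script above that opens each JAR as a ZIP archive and matches entry names instead of searching raw bytes; it goes beyond the original by descending into nested JARs and reporting the log4j-core version from its Maven `pom.properties` when that file is present. This is an added example, not the SCM profile's code or the poster's; the function name `Find-JndiLookup` and the output property names are hypothetical.

```powershell
# Added example, not the SCM profile's own script.
Add-Type -AssemblyName System.IO.Compression

function Find-JndiLookup {
    param([System.IO.Stream] $Stream, [string] $Label)
    # Parse the JAR as a ZIP archive instead of searching its raw bytes.
    $zip = New-Object System.IO.Compression.ZipArchive -ArgumentList $Stream, ([System.IO.Compression.ZipArchiveMode]::Read)
    try {
        $hit = $false; $version = $null
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq 'JndiLookup.class') {
                $hit = $true
            }
            elseif ($entry.FullName -eq 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties') {
                # Maven metadata shipped in log4j-core; absent from some repackaged JARs.
                $reader = New-Object System.IO.StreamReader -ArgumentList ($entry.Open())
                try { if ($reader.ReadToEnd() -match '(?m)^version=(\S+)') { $version = $Matches[1] } }
                finally { $reader.Dispose() }
            }
            elseif ($entry.Name -like '*.jar') {
                # Nested JAR (fat/uber JAR): buffer it so it is seekable, then recurse.
                $buffer = New-Object System.IO.MemoryStream
                $inner = $entry.Open()
                try { $inner.CopyTo($buffer) } finally { $inner.Dispose() }
                $buffer.Position = 0
                try { Find-JndiLookup -Stream $buffer -Label "${Label}!/$($entry.FullName)" }
                catch { Write-Warning "Unreadable nested JAR: ${Label}!/$($entry.FullName)" }
            }
        }
        # Version stays empty when the JAR carries no log4j-core pom.properties.
        if ($hit) { [pscustomobject]@{ Path = $Label; Log4jCoreVersion = $version } }
    }
    finally { $zip.Dispose() }
}

$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
$Results = Get-ChildItem -Path $Drives -File -Recurse -Include '*.jar' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $stream = $null
        try {
            $stream = [System.IO.File]::OpenRead($file)
            Find-JndiLookup -Stream $stream -Label $file
        }
        catch { Write-Warning "Skipped unreadable file: $file" }
        finally { if ($stream) { $stream.Dispose() } }
    }
if ($Results) { $Results | Sort-Object -Property Path | Format-Table -AutoSize }
else { Write-Host 'No matching JAR files found.' }
```

An empty `Log4jCoreVersion` means the JAR contains the class but no log4j-core Maven metadata, so its version has to be confirmed another way.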

  • How about with "Windows PowerShell Monitor" component adding it to a new template?

  • You can try, but I wouldn't trust you to have much luck considering the limitations imposed by the PowerShell Session that's used when calling remote scripts (intentionally for security).  That being said, if you get something working (which doesn't time out - this thing can run for a LOOOONG time), then please share it up in the SAM Applications Template space.
