
Detect Apache Log4j CVE-2021-44228 with Ansible Playbook

By Luca Berton · Published 2024-01-01 · Category: installation

Use Ansible to automate the detection of Apache Log4j CVE-2021-44228 vulnerability. Follow this guide to set up and run detection scripts efficiently.


How do you automate the Red Hat detector for Log4Shell, the Log4j remote code execution vulnerability (CVE-2021-44228)?

I'm going to show you a live Playbook with some simple Ansible code. I'm Luca Berton and welcome to today's episode of Ansible Pilot.

See also: Ansible code in RHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228)

Log4Shell Remote Code Execution Log4j (CVE-2021-44228)

Remember 2014? Heartbleed was a bug in OpenSSL, the most widely used open-source library for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols that encrypt websites and software. The flaw let an attacker read confidential information from a vulnerable web server's memory, including its encryption keys. Back to the present! Log4j, the Java library affected by the Log4Shell bug, is a widely used, multi-platform open-source logging framework developed and maintained by volunteers under the Apache Software Foundation. Log4j is widely deployed on servers to record user activity for later analysis by security or development teams. Attackers could use the Log4Shell flaw to access sensitive information on a variety of devices, deploy ransomware, and take over machines to mine cryptocurrency. The vulnerability came to public attention almost by happenstance when Microsoft announced it had found suspicious activity in Minecraft: Java Edition, a popular video game it owns. The flaw was officially reported by Chen Zhaojun of Alibaba's Cloud Security Team on 24 November 2021. According to estimates by Wiz and EY, the vulnerability affected 93% of enterprise cloud environments. Affected commercial services include Amazon Web Services, Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, and many others.

Links

• https://en.wikipedia.org/wiki/Log4Shell
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
• https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
• https://news.sophos.com/en-us/2021/12/17/inside-the-code-how-the-log4shell-exploit-works/

Red Hat detector

version 1.2 release 2021-12-20
• cve-2021-44228--2021-12-20-1836.sh
• cve-2021-44228--2021-12-20-1836.sh.asc

version 1.3 release 2022-01-10
• cve-2021-44228--2022-01-10-1242.sh
• cve-2021-44228--2022-01-10-1242.sh.asc

Playbook

A real-life playbook showing how to automate the Red Hat detector for Log4Shell, the Log4j remote code execution vulnerability (CVE-2021-44228), on Linux with Ansible.

code

• vars.yml
# Red Hat detector: https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
sh_detector: "cve-2021-44228--2021-12-20-1836.sh"
sh_signature: 'cve-2021-44228--2021-12-20-1836.sh.asc'
detector_baseurl: 'https://access.redhat.com/sites/default/files/'
detector_path: "/var/"
detector_dir: "/tmp/cve-2021-44228/"
detector_run_dir: 'tmp'
detector_options: '-n -d --no-progress --scan {{ detector_path }}'
gpg_keyid: '7514F77D8366B0D9'
gpg_public_key: 'gpg --keyserver pgp.mit.edu --recv {{ gpg_keyid }}'
clean_run_before: true
delete_after: false
verify_gpg: true
• log4j-cve-2021-44228.yml
---
- name: detector for Apache Log4j (CVE-2021-44228)
  hosts: all
  become: true
  tasks:
    - include_vars: vars.yml
    - name: dependency present
      ansible.builtin.package:
        name: unzip
        state: present
        update_cache: true
    - name: create detector directory
      ansible.builtin.file:
        path: '{{ detector_dir }}'
        state: directory
    - name: download detector file(s)
      ansible.builtin.get_url:
        url: "{{ detector_baseurl }}{{ item }}"
        dest: "{{ detector_dir }}{{ item }}"
        mode: '0755'
        owner: root
        group: root
      with_items:
        - '{{ sh_detector }}'
        - '{{ sh_signature }}'
    - name: gpg public key
      ansible.builtin.shell: '{{ gpg_public_key }}'
      when: verify_gpg == true
    - name: gpg verify detector
      ansible.builtin.shell: 'gpg --verify {{ detector_dir }}{{ sh_signature }} {{ detector_dir }}{{ sh_detector }}'
      when: verify_gpg == true
    - name: remove any detector run directory
      ansible.builtin.file:
        path: '{{ detector_dir }}{{ detector_run_dir }}'
        state: absent
      when: clean_run_before == true
    - name: create detector run directory
      ansible.builtin.file:
        path: '{{ detector_dir }}{{ detector_run_dir }}'
        state: directory
    - name: run detector/scanner
      ansible.builtin.shell: '{{ detector_dir }}{{ sh_detector }} {{ detector_options }} --tmp {{ detector_dir }}{{ detector_run_dir }}'
    - name: files in detector run directory
      ansible.builtin.find:
        paths: '{{ detector_dir }}{{ detector_run_dir }}'
      register: vulnerable
    - name: print vulnerable path(s) found
      ansible.builtin.debug:
        var: vulnerable
    - name: remove detector directory
      ansible.builtin.file:
        path: '{{ detector_dir }}'
        state: absent
      when: delete_after == true
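As an added example, not part of the original playbook or of the lucab85.ansible_role_log4shell role, the scanner and reporting tasks can be rewritten so that each host is marked failed when the detector leaves files in its run directory, instead of only printing the registered find result. It reuses the variables from vars.yml above and follows the playbook's convention that files left in the run directory denote findings; the registered names scan and log4shell_findings are my own, and the detector's exit-code convention is not assumed.

```yaml
    - name: run detector/scanner
      ansible.builtin.shell: >-
        {{ detector_dir }}{{ sh_detector }} {{ detector_options }}
        --tmp {{ detector_dir }}{{ detector_run_dir }}
      register: scan
      changed_when: false
      # assumption: the scanner's exit-code meaning is unknown here, so never
      # abort on rc alone; it is still recorded for the per-host report
      failed_when: false

    - name: files in detector run directory
      ansible.builtin.find:
        paths: '{{ detector_dir }}{{ detector_run_dir }}'
        recurse: true      # added: also look into subdirectories the scanner creates
      register: vulnerable

    - name: collect findings per host (files left in the run directory)
      ansible.builtin.set_fact:
        log4shell_findings: "{{ vulnerable.files | map(attribute='path') | list }}"

    - name: fail on hosts where the detector wrote findings
      ansible.builtin.assert:
        that:
          - log4shell_findings | length == 0
        fail_msg: >-
          {{ inventory_hostname }}: detector rc={{ scan.rc }},
          {{ log4shell_findings | length }} file(s) in run directory:
          {{ log4shell_findings | join(', ') }}
        success_msg: "{{ inventory_hostname }}: detector rc={{ scan.rc }}, no findings"
```

With these tasks the PLAY RECAP shows failed=1 for every host with findings, which is easier to act on than reading the debug output host by host.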

code with ❤️ in GitHub

execution

PLAY [detector for Apache Log4j (CVE-2021-44228)] ******************************
TASK [Gathering Facts] *********************************************************
ok: [Playbook]
TASK [include_vars] ************************************************************
ok: [Playbook]
TASK [dependency present] ******************************************************
ok: [Playbook]
TASK [create detector directory] ***********************************************
ok: [Playbook]
TASK [download detector file(s)] ***********************************************
ok: [Playbook] => (item=cve-2021-44228--2021-12-20-1836.sh)
ok: [Playbook] => (item=cve-2021-44228--2021-12-20-1836.sh.asc)
TASK [gpg public key] **********************************************************
changed: [Playbook]
TASK [gpg verify detector] *****************************************************
changed: [Playbook]
TASK [remove any detector run directory] ***************************************
changed: [Playbook]
TASK [create detector run directory] *******************************************
changed: [Playbook]
TASK [run detector/scanner] ****************************************************
changed: [Playbook]
TASK [files in detector run directory] ************
ok: [Playbook]
TASK [print vulnerable path(s) found] ******************************************
ok: [Playbook] => {
    "vulnerable": {
        "changed": false,
        "examined": 1,
        "failed": false,
        "files": [],
        "matched": 0,
        "msg": "All paths examined",
        "skipped_paths": {}
    }
}
TASK [remove detector directory] ***********************************************
skipping: [Playbook]
PLAY RECAP *********************************************************************
Playbook                       : ok=12   changed=5    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0

Ansible Galaxy role

Code also available as Ansible Galaxy role lucab85.ansible_role_log4shell:

ansible-galaxy install lucab85.ansible_role_log4shell

See also: Mitigate CVE-2021-4034 on RHEL with Ansible Playbook

Conclusion

Now you know how to automate the Red Hat detector for Log4Shell, the Log4j remote code execution vulnerability (CVE-2021-44228), on Linux with Ansible.


Watch the video: Detect Apache Log4j CVE-2021-44228 with Ansible Playbook — Video Tutorial
