AnsiblePilot — Master Ansible Automation

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible code in RHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228)

By Luca Berton · Published 2024-01-01 · Category: installation

Learn how my Ansible Playbook was featured in Red Hat Security Bulletin RHSB-2021-009 to address the Log4Shell vulnerability (CVE-2021-44228).

My Ansible Playbook code was officially included in the Red Hat Security Bulletin RHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228).

RHSB-2021-009

Links referenced in the bulletin:

- Red Hat Security Bulletin RHSB-2021-009
- Ansible Playbook
- Ansible variable file

See also: Detect Apache Log4j CVE-2021-44228 with Ansible Playbook

Ansible Playbook

Watch the line-by-line video walkthrough of the Log4Shell Remote Code Execution (CVE-2021-44228) vulnerability scanner/detector playbook, Ansible log4j-cve-2021-44228.

Code with ❤️ on GitHub

Ansible Galaxy Role

Watch the line-by-line video on downloading and using an Ansible Galaxy role with ansible-galaxy and requirements.yml.

The role is published on Ansible Galaxy as lucab85/ansible_role_log4shell.

See also: Mitigate CVE-2021-4034 on RHEL with Ansible Playbook

Conclusion

My Ansible Playbook code was officially included in the Red Hat Security Bulletin RHSB-2021-009 Log4Shell.

Related Articles

The Ansible Galaxy reference

See also: Configuring Kernel Parameters in RedHat-like Linux Systems with Ansible System Role

About Log4Shell (CVE-2021-44228)

Log4Shell is a critical remote code execution vulnerability in Apache Log4j 2, a widely used Java logging library. Discovered in December 2021, it scored a CVSS 10.0 — the maximum severity. The vulnerability allows attackers to execute arbitrary code on any system running a vulnerable version of Log4j.

How the Ansible Playbook Works

The playbook scans systems for vulnerable Log4j instances by:

- searching the filesystem for .jar files containing Log4j;
- checking versions to identify vulnerable releases (2.0 to 2.17.0);
- reporting findings with file paths, versions, and severity;
- optionally remediating by removing the vulnerable JndiLookup.class.

```yaml
# Example: Quick Log4j scan with Ansible
- name: Scan for Log4j vulnerabilities
  hosts: all
  become: true
  tasks:
    # Walk the whole filesystem for log4j-core jars (slow on large hosts;
    # narrow `paths` to application directories where possible).
    - name: Find all jar files containing log4j
      ansible.builtin.find:
        paths: /
        patterns: "log4j-core-*.jar"
        recurse: true
        file_type: file
      register: log4j_files

    # One line per matching jar; the loop is empty when nothing was found.
    - name: Report vulnerable files
      ansible.builtin.debug:
        msg: "VULNERABLE: {{ item.path }}"
      loop: "{{ log4j_files.files }}"
      when: log4j_files.files | length > 0

    - name: No vulnerabilities found
      ansible.builtin.debug:
        msg: "No Log4j files found on {{ inventory_hostname }}"
      when: log4j_files.files | length == 0
```

Remediation with Ansible

```yaml
# Remove the vulnerable JndiLookup class from jar files
- name: Mitigate Log4Shell
  hosts: all
  become: true
  tasks:
    - name: Find vulnerable jars
      ansible.builtin.find:
        paths: /
        patterns: "log4j-core-2.*.jar"
        recurse: true
      register: jars

    # `zip -d` exits non-zero when the entry is already absent, so a
    # non-zero rc is treated as "nothing to do" rather than a failure.
    - name: Remove JndiLookup class
      ansible.builtin.command: >
        zip -q -d {{ item.path }}
        org/apache/logging/log4j/core/lookup/JndiLookup.class
      loop: "{{ jars.files }}"
      register: result
      changed_when: result.rc == 0
      failed_when: false

    # `result.changed` is true if any loop iteration changed a jar; the
    # running JVMs still hold the old class until they are restarted.
    - name: Restart affected services
      ansible.builtin.service:
        name: "{{ item }}"
        state: restarted
      loop: "{{ services_using_log4j | default([]) }}"
      when: result.changed
```
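The scan playbook and the mitigation playbook above both act on log4j-core jars, and the following added example models both steps in Python; it is not code from the AnsiblePilot playbook or from the lucab85 role. It builds a few constructed sample jars in a temporary directory (placeholder contents, not real Log4j builds), finds them with the same `log4j-core-*.jar` naming rule, checks each for `JndiLookup.class`, strips that entry the way the `zip -d` task does, and rescans to confirm the result. The helper names, the regular expression and the sample directory layout are assumptions of this example.

```python
"""Added example (not code from the AnsiblePilot playbook or the lucab85
role): a Python model of the scan and mitigation steps, run against
constructed sample jars in a temporary directory."""
import os
import re
import tempfile
import zipfile

# Entry the playbook deletes with `zip -d`; its presence is the check here.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Mirrors the playbook's "log4j-core-*.jar" pattern and also captures the
# dotted version for reporting (assumption: plain "x.y.z" file names).
LOG4J_CORE_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(path):
    """Version tuple from a log4j-core jar file name, or None if no match."""
    match = LOG4J_CORE_RE.match(os.path.basename(path))
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def find_log4j_jars(root):
    """Equivalent of the find task: every log4j-core jar below `root`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if LOG4J_CORE_RE.match(f))
    return sorted(hits)


def scan_jar(path):
    """Report the jar's version and whether it still contains JndiLookup.class."""
    with zipfile.ZipFile(path) as jar:
        present = JNDI_LOOKUP in jar.namelist()
    return {"path": path, "version": parse_version(path), "jndi_lookup": present}


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class; return True if it was removed.

    `zip -d` edits in place; here the jar is rebuilt into a temp file and then
    renamed over the original, so an interrupted run never leaves a half jar.
    """
    with zipfile.ZipFile(path) as jar:
        entries = [(info, jar.read(info.filename)) for info in jar.infolist()]
    if not any(info.filename == JNDI_LOOKUP for info, _ in entries):
        return False  # already mitigated: the zip -d task exits non-zero here
    tmp_path = path + ".tmp"
    with zipfile.ZipFile(tmp_path, "w") as out:
        for info, data in entries:
            if info.filename != JNDI_LOOKUP:
                out.writestr(info, data)
    os.replace(tmp_path, path)
    return True


def make_sample_jar(path, with_jndi_lookup):
    """Constructed sample jar (not a real Log4j build): a manifest, one
    placeholder class and, optionally, a placeholder JndiLookup.class."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def run_demo(root=None):
    """Build the sample tree, scan it, mitigate, rescan; return all three results."""
    root = root or tempfile.mkdtemp(prefix="log4shell-demo-")
    app_lib = os.path.join(root, "opt", "app", "lib")
    other_lib = os.path.join(root, "srv", "other", "lib")
    os.makedirs(app_lib, exist_ok=True)
    os.makedirs(other_lib, exist_ok=True)
    make_sample_jar(os.path.join(app_lib, "log4j-core-2.14.1.jar"), True)     # still exposed
    make_sample_jar(os.path.join(other_lib, "log4j-core-2.14.1.jar"), False)  # already stripped
    make_sample_jar(os.path.join(other_lib, "log4j-api-2.14.1.jar"), False)   # outside the pattern
    jars = find_log4j_jars(root)
    before = [scan_jar(p) for p in jars]
    changed = sum(remove_jndi_lookup(p) for p in jars)
    after = [scan_jar(p) for p in jars]
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    report = run_demo()
    for entry in report["before"]:
        state = "VULNERABLE" if entry["jndi_lookup"] else "mitigated"
        print(f"{state}: {entry['path']} (version {entry['version']})")
    print(f"jars modified: {report['changed']}")
```

Run it as a script to see one jar reported as VULNERABLE, one as already mitigated, and a single modification; a second pass over the same tree changes nothing, which is the idempotent behaviour the `changed_when` / `failed_when` pair in the playbook is approximating. As with the playbook, removing the class does not unload it from a running JVM, so the restart step still applies.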

Impact and Timeline

| Date | Event |
|---|---|
| Nov 24, 2021 | Vulnerability reported to Apache |
| Dec 9, 2021 | Public disclosure (CVE-2021-44228) |
| Dec 10, 2021 | Apache Log4j 2.15.0 released (partial fix) |
| Dec 13, 2021 | Apache Log4j 2.16.0 released (complete fix) |
| Dec 17, 2021 | Apache Log4j 2.17.0 released (additional hardening) |
| Jan 11, 2022 | Red Hat RHSB-2021-009 includes Ansible Playbook |

FAQ

Is Log4Shell still relevant?

Yes. While patches have been available since December 2021, many systems — especially internal applications, embedded systems, and legacy Java apps — may still run vulnerable versions. Regular scanning is recommended.

Does this playbook work on all Linux distributions?

Yes. The playbook uses ansible.builtin.find and ansible.builtin.command, which work on any Linux distribution. It scans the entire filesystem for vulnerable .jar files.

How do I use the Ansible Galaxy role?

```shell
# Install the role
ansible-galaxy install lucab85.ansible_role_log4shell

# Run it
ansible-playbook -i inventory log4shell_scan.yml
```

Watch the video: Ansible code in RHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228) — Video Tutorial
