Vulnerability Scanner/Detector for Log4Shell Remote Code Execution in Log4j (CVE-2021-44228) — Ansible log4j-cve-2021-44228
How to automate the Vulnerability Scanner/Detector provided by Red Hat (RHSB-2021-009, Log4Shell, Remote Code Execution, log4j, CVE-2021-44228) with an Ansible playbook: installation of the dependency, GPG key verification, running the Vulnerability Scanner/Detector, and displaying the result on the target Linux machine.


How to automate the Detector for Log4Shell Remote Code Execution in Log4j (CVE-2021-44228)?
I’m going to show you a live demo with some simple Ansible code. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.
Log4Shell Remote Code Execution Log4j (CVE-2021-44228)
Remember 2014? Heartbleed was a bug in OpenSSL, the most popular open-source library implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols used to encrypt websites and software. The flaw let attackers read confidential information, including encryption keys, from a vulnerable web server. Back to the present! Log4j, the Java component affected by the Log4Shell bug, is a widely used, multi-platform, open-source Java logging framework developed and maintained by volunteers under the Apache Software Foundation. Log4j is widely used on servers to record user activity for later analysis by security or development teams. Attackers could use the Log4Shell flaw to access sensitive information on a variety of devices, deploy ransomware, and take over machines to mine cryptocurrencies. The vulnerability came to public attention almost by happenstance, when Microsoft announced it had found suspicious activity in Minecraft: Java Edition, a popular video game it owns. The flaw was officially reported by Chen Zhaojun of Alibaba's Cloud Security Team on the 24th of November 2021. According to estimates by Wiz and EY, the vulnerability affected 93% of enterprise cloud environments. Affected commercial services include Amazon Web Services, Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, and many others.
Links
- https://en.wikipedia.org/wiki/Log4Shell
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
- https://news.sophos.com/en-us/2021/12/17/inside-the-code-how-the-log4shell-exploit-works/
Red Hat detector
- version 1.2, released 2021-12-20
- version 1.3, released 2022-01-10
demo
A real-life demo of how to automate the Red Hat Detector for Log4Shell Remote Code Execution in Log4j (CVE-2021-44228) on Linux with an Ansible playbook.
code
- vars.yml
# Red Hat detector: https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
sh_detector: "cve-2021-44228--2021-12-20-1836.sh"
sh_signature: 'cve-2021-44228--2021-12-20-1836.sh.asc'
detector_baseurl: 'https://access.redhat.com/sites/default/files/'
detector_path: "/var/"
detector_dir: "/tmp/cve-2021-44228/"
detector_run_dir: 'tmp'
detector_options: '-n -d --no-progress --scan {{ detector_path }}'
gpg_keyid: '7514F77D8366B0D9'
gpg_public_key: 'gpg --keyserver pgp.mit.edu --recv {{ gpg_keyid }}'
clean_run_before: true
delete_after: false
verify_gpg: true
- log4j-cve-2021-44228.yml
---
- name: detector for Apache Log4j (CVE-2021-44228)
  hosts: all
  become: true
  tasks:
    - include_vars: vars.yml
    - name: dependency present
      ansible.builtin.package:
        name: unzip
        state: present
        update_cache: true
    - name: create detector directory
      ansible.builtin.file:
        path: '{{ detector_dir }}'
        state: directory
    - name: download detector file(s)
      ansible.builtin.get_url:
        url: "{{ detector_baseurl }}{{ item }}"
        dest: "{{ detector_dir }}{{ item }}"
        mode: '0755'
        owner: root
        group: root
      with_items:
        - '{{ sh_detector }}'
        - '{{ sh_signature }}'
    - name: gpg public key
      ansible.builtin.shell: '{{ gpg_public_key }}'
      when: verify_gpg
    - name: gpg verify detector
      ansible.builtin.shell: 'gpg --verify {{ detector_dir }}{{ sh_signature }} {{ detector_dir }}{{ sh_detector }}'
      when: verify_gpg
    - name: remove any detector run directory
      ansible.builtin.file:
        path: '{{ detector_dir }}{{ detector_run_dir }}'
        state: absent
      when: clean_run_before
    - name: create detector run directory
      ansible.builtin.file:
        path: '{{ detector_dir }}{{ detector_run_dir }}'
        state: directory
    - name: run detector/scanner
      ansible.builtin.shell: '{{ detector_dir }}{{ sh_detector }} {{ detector_options }} --tmp {{ detector_dir }}{{ detector_run_dir }}'
    - name: files in detector run directory
      ansible.builtin.find:
        paths: '{{ detector_dir }}{{ detector_run_dir }}'
      register: vulnerable
    - name: print vulnerable path(s) found
      ansible.builtin.debug:
        var: vulnerable
    - name: remove detector directory
      ansible.builtin.file:
        path: '{{ detector_dir }}'
        state: absent
      when: delete_after
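Two tasks of the playbook are worth tightening, and the task list below is an added example (not code from the original post or from the lucab85 role) that shows both. First, `gpg --verify` reports a good signature for any key present in the keyring, and an Ansible `shell` task only fails on a non-zero exit status; asking gpg for machine-readable status lines and requiring a `GOODSIG` from the key ID in vars.yml (`gpg_keyid`) makes the check explicit. Second, the original play only prints the `find` result; here the registered `vulnerable` result becomes a per-host pass/fail gate with `ansible.builtin.assert`, after any artifact the detector left in its run directory has been fetched to the control node. The variable names (`sh_detector`, `sh_signature`, `detector_dir`, `detector_run_dir`, `gpg_keyid`, `verify_gpg`, `vulnerable`) are the playbook's own; the `reports/` destination and the `log4shell_findings` fact are my assumptions. These tasks are meant to replace "gpg verify detector" and "print vulnerable path(s) found" under `tasks:` in the play above.

```yaml
# Added example: hardened replacements for the "gpg verify detector" and
# "print vulnerable path(s) found" tasks of the playbook above.
# Assumes vars.yml is loaded and that "run detector/scanner" and
# "files in detector run directory" (register: vulnerable) have already run.

- name: gpg verify detector against the expected key
  ansible.builtin.command: >-
    gpg --status-fd 1 --verify
    {{ detector_dir }}{{ sh_signature }} {{ detector_dir }}{{ sh_detector }}
  register: gpg_verify
  changed_when: false
  # The detached signature is only accepted when gpg emits a GOODSIG status
  # line for the key ID from vars.yml, not for just any key in the keyring.
  failed_when: >-
    gpg_verify.rc != 0 or
    ('[GNUPG:] GOODSIG ' ~ gpg_keyid | upper) not in gpg_verify.stdout
  when: verify_gpg

- name: list what the detector left in its run directory
  ansible.builtin.set_fact:
    log4shell_findings: "{{ vulnerable.files | map(attribute='path') | list }}"

# Assumed destination: files land under reports/<inventory_hostname>/<remote path>
- name: copy detector artifacts to the control node for review
  ansible.builtin.fetch:
    src: "{{ item }}"
    dest: reports/
  loop: "{{ log4shell_findings }}"

- name: fail this host if the detector reported anything
  ansible.builtin.assert:
    that:
      - vulnerable.matched == 0
    fail_msg: >-
      Log4Shell (CVE-2021-44228) detector findings on {{ inventory_hostname }}:
      {{ log4shell_findings | join(', ') }}
    success_msg: "No Log4Shell findings on {{ inventory_hostname }}"
```

On the sample run shown in the execution output (`matched: 0`, `files: []`) the fetch loop does nothing and the assert passes; on a host where the detector leaves files in its run directory the play stops for that host with the paths in the failure message, which makes the PLAY RECAP `failed=` counter the summary of affected machines.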
execution
PLAY [detector for Apache Log4j (CVE-2021-44228)] ******************************
TASK [Gathering Facts] *********************************************************
ok: [demo]
TASK [include_vars] ************************************************************
ok: [demo]
TASK [dependency present] ******************************************************
ok: [demo]
TASK [create detector directory] ***********************************************
ok: [demo]
TASK [download detector file(s)] ***********************************************
ok: [demo] => (item=cve-2021-44228--2021-12-20-1836.sh)
ok: [demo] => (item=cve-2021-44228--2021-12-20-1836.sh.asc)
TASK [gpg public key] **********************************************************
changed: [demo]
TASK [gpg verify detector] *****************************************************
changed: [demo]
TASK [remove any detector run directory] ***************************************
changed: [demo]
TASK [create detector run directory] *******************************************
changed: [demo]
TASK [run detector/scanner] ****************************************************
changed: [demo]
TASK [files in detector run directory] ************
ok: [demo]
TASK [print vulnerable path(s) found] ******************************************
ok: [demo] => {
    "vulnerable": {
        "changed": false,
        "examined": 1,
        "failed": false,
        "files": [],
        "matched": 0,
        "msg": "All paths examined",
        "skipped_paths": {}
    }
}
TASK [remove detector directory] ***********************************************
skipping: [demo]
PLAY RECAP *********************************************************************
demo : ok=12 changed=5 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
Ansible Galaxy role
Code also available as Ansible Galaxy role lucab85.ansible_role_log4shell:
ansible-galaxy install lucab85.ansible_role_log4shell
Recap
Now you know how to automate the Detector for Log4Shell Remote Code Execution in Log4j (CVE-2021-44228) on Linux with Ansible. Subscribe to the YouTube channel, Medium, Website, Twitter, and Substack to not miss the next episode of the Ansible Pilot.