# Finding Log4Shell with Rundeck
Rundeck prepared a blog post about how a Rundeck Administrator might chase down a security vulnerability like the recent issues in Log4j. This learning article discusses some of the technical details covered in that post and expands on the ideas with steps for implementing a Rundeck Health Check that keeps an eye out for vulnerable nodes.
You can read the full Blog article here.
In this table are the two job exports from the demonstration video in the blog.
Disclaimer
These jobs are provided as examples only, to illustrate a design pattern, and are not intended to provide security for any environment. Since this was recorded, LunaSec may have issued newer versions of the tool, so be sure to adjust the jobs for the latest version.
You might also notice that when scanning Rundeck 3.4.8 (you did upgrade to the latest version right!!??), the tool prior to version 1.4 identifies a vulnerability in the Log4j 2.16 package, reporting it as 2.14. We have confirmed this is a false positive in the log4shell tool and that it is fixed in 1.4.0. Be assured Rundeck 3.4.8 is patched and protected from CVE-2021-44228 and CVE-2021-45046.
To add the job definitions to a project of your own, follow these steps:
- Save the text below to files called `installation.yaml` and `scanner.yaml` respectively.
- Navigate to the Jobs section of your Project.
- Click Job Actions > Upload Definition.
- Choose the `installation.yaml` file and click Upload. (Repeat for `scanner.yaml`.)
- Run the Scan Directory for Log4Shell job. (No need to run the install job first. The scanner job does that if it's missing.)
# Setting up a Health Check
Health Checks (available in Process Automation) run commands periodically to determine the health of a system. We can apply this to the Log4Shell situation and add a Health Check that reports whether a machine still needs to be patched.
# Setup Steps
- Navigate to Health Checks in your Project.
- Click the Configure tab.
- Click the Add Health Check Plugin+ button.
- Choose Script Health Check.
- Fill out the following fields:
  - Node Filter: `.*`
  - Label: `Log4Shell`
  - Script: See below
  - File Extension: `sh`
  - Regex Match: `(.*)`
  - Match Key: `OUTPUT`
Health Check Script

```bash
# Is the log4shell scanner installed? Its version banner is sent to /dev/null
# so that only HEALTHY/UNHEALTHY reaches the Health Check's OUTPUT match.
if log4shell -v > /dev/null 2>&1
then
    # The scanner exits 0 whether or not it finds anything, so grep its
    # JSON output for the two CVE numbers and turn a match into exit 1.
    if sudo log4shell s --json --no-follow-symlinks / 2>&1 | grep -q -E '(44228|45046)';
    then
        echo "UNHEALTHY";
        exit 1;
    else
        echo "HEALTHY";
        exit 0;
    fi
else
    # No scanner on the node: treat it as UNHEALTHY rather than silently passing.
    echo "UNHEALTHY"
    exit 1;
fi
```
Since log4shell always exits successfully, we use `if` statements and a `grep` command to check its output for the specific CVE values and return the exit status the Health Check needs. The script also returns UNHEALTHY if log4shell isn't installed, so a node that cannot be scanned is never reported as healthy.
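The same pattern, factored into reusable functions so the match logic can be tested against captured scanner output. This is an added example, not the script from the blog; the function names are hypothetical and the sample JSON lines are constructed (the real scanner's JSON layout is assumed).

```bash
#!/bin/sh
# Pattern: a scanner that always exits 0, with health derived from its output.
# The CVE numbers match the way the page's script greps for them.
CVE_PATTERN='(44228|45046)'

# classify_scan_output: reads scanner output on stdin, prints HEALTHY or
# UNHEALTHY plus the distinct CVE numbers seen; returns 1 when vulnerable.
classify_scan_output() {
  found=$(grep -o -E "$CVE_PATTERN" | sort -u | tr '\n' ' ')
  if [ -n "$found" ]; then
    echo "UNHEALTHY: ${found% }"
    return 1
  fi
  echo "HEALTHY"
  return 0
}

# run_health_check: runs the real scanner when present; a missing scanner is
# UNHEALTHY, as in the page's script, so an unscannable node never passes.
# $1 optionally overrides the scanner command name (hypothetical parameter).
run_health_check() {
  scanner="${1:-log4shell}"
  if ! command -v "$scanner" > /dev/null 2>&1; then
    echo "UNHEALTHY: $scanner not installed"
    return 1
  fi
  # Pipeline status is classify_scan_output's return value.
  sudo "$scanner" s --json --no-follow-symlinks / 2>&1 | classify_scan_output
}

# Constructed sample lines standing in for scanner output (format assumed).
SAMPLE_VULN='{"path":"/opt/app/lib/log4j-core-2.14.0.jar","cve":"CVE-2021-44228"}'
SAMPLE_CLEAN='{"path":"/opt/app/lib/log4j-core-2.17.1.jar","findings":[]}'

# Demonstration on the constructed samples when run stand-alone.
for sample in "$SAMPLE_VULN" "$SAMPLE_CLEAN"; do
  printf '%s\n' "$sample" | classify_scan_output || echo "(exit status $?)"
done
```

In the Health Check, the script body would simply be `run_health_check; exit $?`.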
:::
This exercise can be done in the Welcome Project after you have completed the Tutorial. To make sure the scan finds something on Node1 or Node2, download an older version of Log4j2 from the Apache archives, or run this AdHoc command against Node1: `wget https://archive.apache.org/dist/logging/log4j/2.14.0/apache-log4j-2.14.0-bin.zip`
:::