Find and Fix Log4J-2 Vulnerability Using Snyk - Ubuntu 20.04 (Linux)

In this article, we are going to find and fix the log4j-2 vulnerability using Snyk, with a hands-on demo of how to scan and patch a project on Ubuntu 20.04 (Linux).

Disclaimer: The articles provided on HackWithV are purely for informational and educational purposes only, and for those who are willing and curious to know and learn about Cyber Security, Ethical Hacking, Software Development and IT Operations. Anytime the word "Hacking" is used on this site, it shall be regarded as Ethical Hacking.

What is Log4J ? 

  • Log4j is a reliable, fast and flexible logging framework (APIs) written in Java, which is distributed under the Apache Software License. 
  • It has been ported to the C, C++, C#, Perl, Python, Ruby languages. 
  • It is highly configurable through external configuration files at runtime. 
  • It views the logging process in terms of levels of priorities and offers mechanisms to direct logging information to a great variety of destinations, such as a database, file, console, UNIX Syslog, etc. 
  • Log4j has three main components: 
    • Loggers: Responsible for capturing logging information. 
    • Appenders: Responsible for publishing logging information to various preferred destinations. 
    • Layouts: Responsible for formatting logging information in different styles. 


Log4J2 Vulnerability 

  • On December 9th, 2021, the world was made aware of a new vulnerability identified as CVE-2021-44228, affecting the Java logging package log4j. 

  • This vulnerability allows trivial remote code execution on hosts running software that uses an affected log4j version. 
  • Impacted versions: log4j 2.0-beta9 through 2.14, and even log4j 2.15. 

Hands-on 

    Snyk  

    • Snyk is a developer security platform for securing code, dependencies, containers, and infrastructure as code. 
    • It integrates directly into development tools, workflows, and automation pipelines. 
    • Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. 
    • Here we are going to use this tool to find the log4j vulnerability in a project. 

    Requirements 

    • Operating System: Ubuntu 20.04.3 LTS
    • Tools: Terminal, wget, Snyk, git, maven 
    • Permission: Superuser


    Setup Sample Project  

    • Download a sample log4j project, commands: 
      • git clone https://github.com/vinaykagithapu/sample-log4j-project.git  
      • cd sample-log4j-project 
      • ls 


    Install Snyk  

    • Install snyk on Ubuntu 20.04 (Linux); the installation steps are covered in a separate post on this blog. 


    Scan the Project  

    • We can scan the entire project using snyk, command:
      • snyk test

    • Here we found that the project is using log4j version 2.8.2 which is vulnerable. 

    Monitor the Project 

    • We can continuously monitor the project for vulnerabilities using snyk, command: 
      • snyk monitor 

    • Here snyk scanned the project for vulnerabilities and uploaded the results to your Snyk cloud account. 
    • Open the link printed by the command in a browser; Snyk will keep re-checking the project and notify you of new vulnerabilities.

    • We analyze the result and patch the vulnerability according to the recommendation and our requirements. 

    Patching the Vulnerability  

    • Update log4j 2.8.2 to log4j 2.16.0 in pom.xml. Be careful while upgrading, as the new version may affect the project.

    • Scan the project again (snyk test) to confirm whether the log4j vulnerability is fixed.  
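    As an added example (not part of the original post or the sample project), the following POSIX shell script does the same check and patch without Snyk: it reads the log4j-core version declared in a Maven pom.xml, resolving a ${property} reference against the <properties> block, decides whether it falls in the affected range listed above (2.0-beta9 through 2.15), and bumps the property to 2.16.0 the way the article does by hand in gedit. The pom.xml it writes is a constructed stand-in for the sample project's real file, and it assumes the version is pinned through a <log4j.version> property; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or the sample project.
# Requires only POSIX sh, awk and sed; no Snyk installation needed.

# write_demo_pom FILE VERSION: write a constructed minimal pom.xml that pins
# log4j-core to VERSION through a Maven property (stand-in for the real file).
write_demo_pom() {
  cat > "$1" <<EOF
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>sample-log4j-project</artifactId>
  <version>1.0</version>
  <properties>
    <log4j.version>$2</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>\${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
EOF
}

# log4j_version_from_pom FILE: print the version declared for log4j-core,
# resolving a ${property} reference against the <properties> block.
log4j_version_from_pom() {
  awk '
    /<properties>/   { in_props = 1 }
    /<\/properties>/ { in_props = 0 }
    in_props && /^[ \t]*<[A-Za-z0-9_.-]+>[^<]*<\/[A-Za-z0-9_.-]+>/ {
      key = $0; sub(/^[ \t]*</, "", key); sub(/>.*/, "", key)
      val = $0; sub(/^[^>]*>/, "", val); sub(/<.*/, "", val)
      props[key] = val
    }
    /<dependency>/ { in_dep = 1; artifact = ""; version = "" }
    in_dep && /<artifactId>/ { artifact = $0; gsub(/.*<artifactId>|<\/artifactId>.*/, "", artifact) }
    in_dep && /<version>/    { version = $0;  gsub(/.*<version>|<\/version>.*/, "", version) }
    /<\/dependency>/ {
      if (artifact == "log4j-core") {
        # ${name} -> look the value up in the properties collected above
        if (substr(version, 1, 2) == "${" && substr(version, length(version), 1) == "}")
          version = props[substr(version, 3, length(version) - 3)]
        print version; exit
      }
      in_dep = 0
    }
  ' "$1"
}

# log4j_is_affected VERSION: exit 0 when VERSION is in the range the article
# lists as impacted (log4j 2.0-beta9 through 2.14, and 2.15), 1 otherwise.
# Conservative assumption: every 2.x with minor <= 15 is treated as affected,
# including pre-beta9 2.0 builds, so a stale pom is never reported as safe.
log4j_is_affected() {
  major=${1%%.*}
  rest=${1#*.}
  minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
  [ "$major" = "2" ] && [ -n "$minor" ] && [ "$minor" -le 15 ]
}

# check_pom FILE: print "VULNERABLE <version>" or "OK <version>" for the pom.
check_pom() {
  v=$(log4j_version_from_pom "$1")
  if [ -z "$v" ]; then
    echo "NO-LOG4J-CORE"
  elif log4j_is_affected "$v"; then
    echo "VULNERABLE $v"
  else
    echo "OK $v"
  fi
}

# patch_log4j_version FILE NEWVERSION: the change the article makes by hand in
# gedit, done with sed on the <log4j.version> property.
patch_log4j_version() {
  sed -i.bak "s#<log4j.version>[^<]*</log4j.version>#<log4j.version>$2</log4j.version>#" "$1"
  rm -f "$1.bak"
}

# Demo run on the constructed pom: before and after the patch.
pom=$(mktemp)
write_demo_pom "$pom" 2.8.2
echo "before: $(check_pom "$pom")"     # before: VULNERABLE 2.8.2
patch_log4j_version "$pom" 2.16.0
echo "after:  $(check_pom "$pom")"     # after:  OK 2.16.0
rm -f "$pom"
```

    Run it as `sh check_log4j_pom.sh`; to check the real sample project instead of the constructed file, call `check_pom sample-log4j-project/pom.xml` after sourcing the script. A clean `snyk test` remains the authoritative verification, since Snyk also resolves log4j versions pulled in transitively by other dependencies, which this pom-only check does not see.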

    Uninstall Snyk  

      • Uninstall snyk on Ubuntu 20.04 (Linux); the removal steps are covered in the same separate post on this blog. 

      Remove Sample Project   

      • Sample log4j project can be removed using commands: 
        • cd ..
        • rm -rf sample-log4j-project

      Cheat Sheet  



        Setup Sample Project 
        git clone https://github.com/vinaykagithapu/sample-log4j-project.git
        cd sample-log4j-project
        ls

        Scan the Project 
        snyk test

        Monitor the Project 
        snyk monitor

        Patching the Vulnerability
        gedit pom.xml

        Remove Sample Project 
        cd ..
        rm -rf sample-log4j-project


        Conclusion 

        • A sample log4j project was built and scanned for vulnerabilities using Snyk.
        • The vulnerability was patched and the patch was verified using Snyk. 
        • Try it at your own risk. HackWithV is not responsible for any damage.  

        If you face any problem, let me know in the comments or you can directly reach me at help.hackwithv@gmail.com


        Be Aware, Be Secure.

        Thank You 🙏
