Find and Fix Log4J-2 Vulnerability Using Snyk - Ubuntu 20.04 (Linux)
In this article we find and fix the Log4j 2 vulnerability using Snyk, with a hands-on demo of how to scan and fix a project on Ubuntu 20.04 (Linux).
Disclaimer: The articles provided on HackWithV are purely for informational and educational purposes, for those who are willing and curious to know and learn about Cyber Security, Ethical Hacking, Software Development and IT Operations. Any time the word "Hacking" is used on this site, it shall be regarded as Ethical Hacking.
Table of Content
- What is Log4J?
- Log4J2 Vulnerability
- Hands-On
- Snyk
- Requirements
- Setup Sample Project
- Install Snyk
- Scan the Project
- Monitor the Project
- Patching the Vulnerability
- Uninstall Snyk
- Remove Sample Project
- Cheat Sheet
What is Log4J?
- Log4j is a reliable, fast and flexible logging framework (API) written in Java and distributed under the Apache Software License.
- It has been ported to C, C++, C#, Perl, Python and Ruby.
- It is highly configurable at runtime through external configuration files.
- It views the logging process in terms of priority levels and offers mechanisms to direct logging information to a great variety of destinations, such as a database, file, console, UNIX syslog, etc.
- Log4j has three main components:
  - Loggers: responsible for capturing logging information.
  - Appenders: responsible for publishing logging information to the various configured destinations.
  - Layouts: responsible for formatting logging information in different styles.
Log4J2 Vulnerability
- On December 9th, 2021, the world was made aware of a new vulnerability identified as CVE-2021-44228, affecting the Java logging package log4j.
- This vulnerability gives trivial remote code execution on hosts running software that uses an affected log4j version.
- Impacted versions: log4j 2.0-beta9 through 2.14, and even log4j 2.15.
Hands-on
Snyk
- Snyk is a developer security platform for securing code, dependencies, containers, and infrastructure as code.
- It integrates directly into development tools, workflows, and automation pipelines.
- Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code.
- Here we use this tool to find the log4j vulnerability in a project.
Requirements
- Operating System: Ubuntu 20.04.3 LTS
- Tools: Terminal, wget, Snyk, git, maven
- Permission: Superuser
Setup Sample Project
- Download a sample log4j project, commands:
  - git clone https://github.com/vinaykagithapu/sample-log4j-project.git
  - cd sample-log4j-project
  - ls
Install Snyk
- See the separate guide on installing Snyk on Ubuntu 20.04 (Linux).
Scan the Project
- We can scan the entire project using Snyk, commands:
  - snyk test
- Here we find that the project uses log4j version 2.8.2, which is vulnerable.
Monitor the Project
- We can continuously monitor the project for vulnerabilities using Snyk, commands:
  - snyk monitor
- Here Snyk scans the project for vulnerabilities and uploads the results to your Snyk cloud account.
- Open the link in the browser; Snyk will then keep sending updates on vulnerabilities found in the project.
- Analyze the result and patch the vulnerability according to the recommendation and your requirements.
Patching the Vulnerability
- Update log4j from 2.8.2 to 2.16.0 in pom.xml, then run snyk test again to confirm the finding is gone. Be careful while upgrading: the change may affect the project.
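As an added example (not code from the article, the sample project or Snyk), the following Python script does, for this one finding, what the snyk test step reports and what the pom.xml edit changes: it resolves the version of every Log4j dependency in a pom.xml (including a version written as a ${property} reference, which goes slightly beyond the page's case), flags it if it falls in the affected range the article names (2.0-beta9 up to but not including 2.16.0), and rewrites it to the article's target 2.16.0. The embedded pom.xml is constructed for the example, and the names FIRST_AFFECTED, FIXED_VERSION, scan_pom and patch_pom are the example's own.

```python
"""Added example (not code from the article or from Snyk): flag Log4j 2
dependencies in a Maven pom.xml whose version lies in the article's affected
range and rewrite them to the article's target version. Raise FIXED_VERSION
to whatever your advisory source currently recommends."""
import re
import xml.etree.ElementTree as ET

LOG4J_GROUP = "org.apache.logging.log4j"
FIRST_AFFECTED = "2.0-beta9"   # lower bound given in the article
FIXED_VERSION = "2.16.0"       # upgrade target given in the article

# Constructed sample in the shape of the article's demo project (log4j 2.8.2);
# it is not the real sample-log4j-project pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>sample-log4j-project</artifactId>
  <properties>
    <log4j.version>2.8.2</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.8.2</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> comparable tuple; a qualifier such as
    beta9 or rc1 sorts below the bare release with the same numbers."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1, qualifier or "")


def is_affected(version):
    """True when version lies in [FIRST_AFFECTED, FIXED_VERSION)."""
    return parse_version(FIRST_AFFECTED) <= parse_version(version) < parse_version(FIXED_VERSION)


def _child(parent, tag):
    """First direct child with the given tag, or None."""
    return next((c for c in parent if c.tag == tag), None)


def _log4j_dependencies(root):
    """Yield (artifactId, version element, resolved version, property element)
    for each Log4j-group dependency. A version written as ${prop} is resolved
    against <properties>; the property is then what a patch must rewrite."""
    uri = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if uri:
        ET.register_namespace("", uri)   # serialise with the default xmlns intact
    q = (lambda name: f"{{{uri}}}{name}") if uri else (lambda name: name)
    props = _child(root, q("properties"))
    for dep in root.iter(q("dependency")):
        group, ver_el = _child(dep, q("groupId")), _child(dep, q("version"))
        if group is None or (group.text or "").strip() != LOG4J_GROUP or ver_el is None or not ver_el.text:
            continue   # not Log4j, or version inherited from a parent POM/BOM: check that file too
        raw = ver_el.text.strip()
        ref = re.fullmatch(r"\$\{([^}]+)\}", raw)
        prop_el = _child(props, q(ref.group(1))) if ref and props is not None else None
        resolved = prop_el.text.strip() if prop_el is not None and prop_el.text else raw
        yield (_child(dep, q("artifactId")).text or "").strip(), ver_el, resolved, prop_el


def scan_pom(pom_xml):
    """Return [(artifactId, version, affected)] for every Log4j dependency;
    affected is None when the version string could not be resolved."""
    findings = []
    for aid, _, version, _ in _log4j_dependencies(ET.fromstring(pom_xml)):
        try:
            findings.append((aid, version, is_affected(version)))
        except ValueError:
            findings.append((aid, version, None))
    return findings


def patch_pom(pom_xml, fixed=FIXED_VERSION):
    """Return (patched pom text, [(artifactId, old, new)]). The vulnerable code
    is in log4j-core, but every Log4j artifact in range is bumped so that
    log4j-api and log4j-core stay on the same version."""
    root = ET.fromstring(pom_xml)
    changed = []
    for aid, ver_el, version, prop_el in _log4j_dependencies(root):
        try:
            if not is_affected(version):
                continue
        except ValueError:
            continue
        if prop_el is not None:
            prop_el.text = fixed     # one property may feed several dependencies
        else:
            ver_el.text = fixed
        changed.append((aid, version, fixed))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print(scan_pom(SAMPLE_POM))
    print(patch_pom(SAMPLE_POM)[1])
```

Running the script prints the two affected artifacts and the upgrades it applied; on a real project, write the patched text back to pom.xml (or edit it by hand as the article does) and re-run snyk test to confirm. Versions inherited from a parent POM or a BOM are deliberately skipped with a comment rather than guessed, because those have to be fixed in the file that defines them.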
Uninstall Snyk
- See the separate guide on uninstalling Snyk on Ubuntu 20.04 (Linux).
Remove Sample Project
- Remove the sample project, commands:
  - cd ..
  - rm -rf sample-log4j-project
Cheat Sheet
- Setup Sample Project
  - git clone https://github.com/vinaykagithapu/sample-log4j-project.git
  - cd sample-log4j-project
  - ls
- Scan the Project
  - snyk test
- Monitor the Project
  - snyk monitor
- Patching the Vulnerability
  - gedit pom.xml
- Remove Sample Project
  - cd ..
  - rm -rf sample-log4j-project
Conclusion
- A sample log4j project was built and scanned for vulnerabilities using Snyk.
- The vulnerability was patched and the patch was tested using Snyk.
- Try it at your own risk. HackWithV is not responsible for any damage.
If you face any problem, let me know in the comments or reach me directly at help.hackwithv@gmail.com