February 04, 2022

How to Detect the Log4j Vulnerability on Linux Using VMware Carbon Black Cloud Vulnerability Assessment

In this article, you will learn how to assess your vulnerabilities in your Linux endpoints and workloads using VMware Carbon Black Cloud. You will also learn how to install a vulnerable application using a vulnerable log4j2-java library and detect it. Finally, we’ll walk through the command lines you can use on your Linux Ubuntu, and some pointers to our network protection against log4j using VMware NSX.

 

image-20220204134713-1

Malicious actors have taken notice and are increasingly targeting vulnerable Linux-based systems in multi-cloud environments to infiltrate corporate and government networks. Threat actors know that current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to Linux-based attacks. These public and private clouds are high-value targets for cybercriminals, providing access to critical infrastructure services and substantial computational resources.

As VMware Threat Analysis Unit reported, even more, ransomware families were observed gravitating to Linux-based malware, with the potential for additional attacks that could leverage the Log4j vulnerabilities.

The vulnerability assessment feature in VMware Carbon Black Cloud is a lightweight, continuous monitoring solution that can report vulnerabilities on Windows and Linux. Vulnerabilities are reported and prioritized in real-time thanks to our partnership with Kenna Security, so you always know the most critical vulnerabilities to patch first.

In December 2021, a vulnerability in the Apache log4j2 library was discovered and published in CVE-2021-44228. This vulnerability is critical with a risk score of 10, and it has affected many applications and many organizations.

image-20220204133200-1

Warning / Disclaimer: Don’t install vulnerable applications in production!

Install a vulnerable log4j library on Ubuntu Linux

VMware Carbon Black Cloud supports a lot of Linux distribution: RHEL, CentOS, Oracle, Suse, OpenSuse, Amazon Linux 2, Ubuntu, and Debian. For more details on supported Linux distribution, see the full list on the VMware Carbon Black Documentation web page. In this article we will focus on a few Ubuntu Linux distributions supported by VMware Carbon Black Cloud:

image-20220204113516-1
  • Ubuntu 18.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 21.04
  • Ubuntu 21.10

How to Determine your Linux Version

Using a standard Linux command line from the Linux Standard Base (LSB), you can determine the Linux version:

How to know if the log4j2 library is installed

In this screenshot, we can see that liblog4j2-java is not installed on this Linux, and 2 versions are available for Ubuntu 20.04:

  • Version 2.11.2-1, the original version of the library in Ubuntu 20.04. This version is vulnerable.
  • Version 2.17.1-0.20.04.1, the version in the “focal-security” repository. This version is patched and not vulnerable.

Note: Your repository URL may change depending on your location, in this screenshot, I am using Ubuntu repository located in France.

How to Install a Vulnerable Version of Log4j

Warning / Disclaimer: Don’t install vulnerable applications in production!

To install a specific version of a package, you need to specify the version in the install command line, for our use case, it will be:

image-20220204113516-4

Note 1: If you are accessing your Linux via a VMware Carbon Black Live Response session, you will need to use “apt install -y” instead of “apt install”, so you won’t have the prompt asking for “Do you want to continue? [Y/n]”.

Note 2: When you have a question with an answer in the capital, here “Y” and all others not in the capital, it means that “Y” is the default answer, so you can press “Enter”.

Mark the Library “On Hold”

To prevent an update of the library to the new version, you can mark it “on hold”:

image-20220204113516-5

Note: This method is very common on Linux, and is very helpful, for example, when administrating Kubernetes, to be sure to have consistent applications versions for kubelet, kubeadm, and kubectl.

Install a Vulnerable Application

A library is not running alone, and thus having a vulnerable library installed on a Linux doesn’t make a vulnerable Linux. If you only install this library VMware Carbon Black Cloud will not report any vulnerability.

You need to install an application using this vulnerable liblog4j2-java library.

For this, you can search for reverse dependencies, “What are the packages that depend on this vulnerable library”? And then install this application.

VMware Carbon Black Cloud Vulnerability Assessment

Check that you have the option “Vulnerability Management for Workloads” or “Vulnerability Management for Endpoints” in the top right corner of your VMware Carbon Black Cloud console.

“Workloads” means that Linux is running on a vSphere environment, and not on BareMetal or VMware Workstation/Fusion.

You can wait for VMware Carbon Black to reassess all your endpoints/workloads, and you will have the result in up to 24 hours, or you can click on the “Reassess” button to have a quicker result for a specific endpoint/workload.

You should see the following vulnerability in your VMware Carbon Black Cloud console:

image-20220204113516-8

And if you click on the small arrow near “Critical (10)”, you will have more details on this vulnerability:

  • Kenna risk score: 10
  • Easily exploitable: Yes
  • Malware exploitable: Yes
  • Active Internet breach: Yes
  • Access vector: Network

All those information is critical to decide if a service should be terminated or not, if a software should be prioritized for patching…

image-20220204113516-9

Uninstall This Vulnerability From Your System

When you have finished your evaluation, don’t forget to clean your Linux!

image-20220204113516-10

Linux Shell Command Lines

You can copy/paste the following lines used in this article on your Ubuntu:

# Check Ubuntu release
lsb_release -a

# Check if the package liblog4j2-java is already installed or not
dpkg -l liblog4j2-java

# If needed uninstall liblog4j2-java
apt-get remove -y --purge liblog4j2-java

# Install an old VULNERABLE liblog4j2-java library
# Ubuntu 18.04
​sudo apt install liblog4j2-java=2.10.0-2

# Ubuntu 20.04
sudo apt install liblog4j2-java=2.11.2-1

# Ubuntu 21.04 and 21.10
sudo apt install liblog4j2-java=2.13.3-1

# Mark this package “on hold", so it will not be upgraded:
sudo apt-mark hold liblog4j2-java

# Find some applications depending on liblog4j2-java, so it is a reverse dependency
apt-cache rdepends liblog4j2-java

# Install an application using liblog4j2-java and included it in Ubuntu, for example, jabref or igv:
sudo apt-get install -y jabref igv

# List packages marked “on hold”
apt-mark showhold

# Uninstall everything used in this article
sudo apt-get remove --purge liblog4j2-java jabref igv

 

By following the above steps, you should now be able to successfully assess your vulnerabilities in your Linux endpoints and workloads using VMware Carbon Black Cloud.

Don’t forget to patch your systems regularly!

References

Like to learn more? Watch this demo to understand how to detecting & preventing Log4Shell (CVE-2021-44228) with NSX-T 3.2

 

We've also listed a few other additional resources you might be interested in :

 

Filter Tags

Maturing your Security Carbon Black Cloud Endpoint Standard Workload Blog Advanced Linux Identify Risk

Stephane List

Read More from the Author

Staff Technical Marketing Architect, VMware Security Stéphane has over twenty years’ experience in opensource. He has worked in both development and sales role in France for large companies and startups. He has participated in the development of many different Linux project from mobile phone to firewalls. Now with 10 years’ experience in security, he is architect at VMware Carbon Black for Linux and containers security.