The Log4j vulnerabilities that emerged recently pose a significant cybersecurity threat, potentially exposing organizations worldwide to malicious attacks. These vulnerabilities can be exploited by cybercriminals to execute harmful code remotely, leading to severe security breaches. Identifying where these vulnerable Log4j libraries exist within an organization’s infrastructure is the first critical step in mitigating this risk.
For organizations grappling with this challenge, CrowdStrike, a leader in cybersecurity and incident response, has released a free tool: the CrowdStrike Archive Scan Tool (CAST). This tool is designed to simplify and expedite the process of scanning systems for vulnerable Log4j libraries, even when they are deeply embedded within archive files.
The CrowdStrike Archive Scan Tool (CAST) is engineered to efficiently scan specified directories for a range of archive file types including JAR, WAR, ZIP, and EAR files. Once these archives are identified, CAST performs an in-depth scan, comparing file checksums against a comprehensive database of approximately 6,500 SHA256 checksums associated with known vulnerable Log4j releases. This meticulous approach ensures that no instance of the vulnerable library is overlooked, regardless of its location within nested archives.
Using CAST is straightforward. Users simply download the executable binary appropriate for their environment and run it against the directories or files they wish to examine.
CAST generates a JSON output file detailing any identified vulnerable Log4j libraries. This report provides organizations with the crucial insight needed to understand the scope of their Log4j exposure, enabling them to prioritize patching efforts on the most critical systems first, using the latest security updates provided by Apache.
It is important to note that the CrowdStrike Archive Scan Tool is intended for use by IT professionals. For organizations without in-house IT security expertise, resources are available to assist in utilizing CAST and addressing potential vulnerabilities.
To access and download the CrowdStrike Archive Scan Tool, please visit the following resources:
- GitHub for the CAST tool: https://github.com/CrowdStrike/CAST
- Download the CAST tool for your environment: https://github.com/CrowdStrike/CAST/releases
Basic usage instructions for the CAST tool are as follows:
- Download the CAST tool binary to a temporary directory on your server.
- Ensure the tool has execute permissions in your server environment.
- Run the tool with the "version" verb to check the installed version:
  [path to temp directory]/cast version
  Example output:
  version: 0.5.1, commit: d8d184fc49315e19f0d37015ed95ae500b2cca1d, date: 2021-12-22T19:41:22Z, builtBy: unknown
- To understand the scan options, use the "scan -h" command:
  [path to temp directory]/cast scan -h
  This will display the available scan options, such as -maxmem to limit memory usage and -recursion to control archive recursion depth.
- Execute a scan against specific files or directories. For example:
  [path to temp directory]/cast scan -maxmem 1000000 -recursion 1 ~/tmp/zzz.zip /tmp ./
  This command scans the zzz.zip file, the /tmp directory, and the current directory.
The JSON output from CAST will highlight detected vulnerabilities, similar to this example:
{"container":"~/tmp/zzz.zip","member":{"path":"/log4j-core-2.13.3.jar/org/apache/logging/log4j/core/net/JndiManager.class","size":4885,"modified":"2020-05-10T12:08:46Z"},"sha256":"c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078"}
{"container":"~/tmp/zzz.zip","member":{"path":"/log4j-core-2.13.3.jar/org/apache/logging/log4j/core/util/NetUtils.class","size":4315,"modified":"2020-05-10T12:08:44Z"},"sha256":"f96e82093706592b7c9009c1472f588fc2222835ea808ee2fa3e47185a4eba70"}
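The scanning approach described above, in miniature, as an added Python example that is not CAST's own code: open an archive, SHA256 every member, descend into nested archives up to a recursion limit (the idea behind -recursion), skip oversize members as a crude stand-in for -maxmem, and return findings shaped like the JSON records above. The two entries in KNOWN_BAD are the checksums from the example output; the nested test archive, its contents and the 50 MB member cap are constructed assumptions.

```python
import hashlib
import io
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

# Constructed sample database: the two entries are the checksums shown in the
# article's example output (JndiManager.class and NetUtils.class, log4j-core 2.13.3).
KNOWN_BAD = {
    "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078",
    "f96e82093706592b7c9009c1472f588fc2222835ea808ee2fa3e47185a4eba70",
}

def scan_archive_bytes(data, container, known_bad=KNOWN_BAD, prefix="", depth=0,
                       max_depth=1, max_member=50_000_000):
    """SHA256 every member of an in-memory zip-format archive, recurse into nested
    archives up to max_depth, and return one finding dict per checksum match."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member:
                continue  # skip directories and oversize members (crude memory cap)
            member = zf.read(info)
            digest = hashlib.sha256(member).hexdigest()
            path = prefix + "/" + info.filename  # e.g. /log4j-core-2.13.3.jar/org/...
            if digest in known_bad:
                findings.append({"container": container, "sha256": digest,
                                 "member": {"path": path, "size": info.file_size}})
            if depth < max_depth and info.filename.lower().endswith(ARCHIVE_EXTS):
                findings.extend(scan_archive_bytes(member, container, known_bad, path,
                                                   depth + 1, max_depth, max_member))
    return findings

def build_sample_archive(class_bytes=b"constructed stand-in for JndiManager.class"):
    """Constructed fixture: outer zip -> log4j-core-2.13.3.jar -> JndiManager.class;
    returns the outer archive bytes and the SHA256 of the embedded class file."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/net/JndiManager.class", class_bytes)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("log4j-core-2.13.3.jar", inner.getvalue())
    return outer.getvalue(), hashlib.sha256(class_bytes).hexdigest()
```

To scan a real archive, pass the file's bytes as data and its path as container; wrapping the call in an os.walk over a directory gives the same multi-target behaviour as the cast scan command.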
By leveraging the CrowdStrike Archive Scan Tool, organizations can efficiently and effectively identify Log4j vulnerabilities within their systems, taking a proactive step towards securing their environments against potential exploits.