diff --git a/CHANGELOG b/CHANGELOG
index 3e5adf9373d488e84f7c1c4f564db81dc9305eeb..6cf97490dd693e9739b082c52bc9ad07dec22c41 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -67,4 +67,19 @@
 2022-01-25: BAKERY: added option --exclude-pattern
             WATO: added option --exclude-pattern
             METRICS: added metrics/graph/perfometer for files_affected
-            
+2022-01-30: SCANNER: changed to version 2.9.1
+            BAKERY: added option --throttle
+            AGENT: added additional CVEs for Log4j 1
+                   added WAR/CRIT based on CVSS score (0.1, 5.5)
+                   added CVE Description/Comment to service details
+                   changed defaults for WARN/CRIT of affected files form (1, 1) to (None, None)
+            WATO: added CVSS score and state_not_found option to per CVE check
+                  changed defaults for files_affected to 10/30 (from 1/1)
+                  enabled scan_logback and log4j_1 enabled by default for new agent plugin rules
+            INVENTORY: added entry's for 'CVE-2022-23307', 'CVE-2022-23305', 'CVE-2022-23302' and 'CVE-2019-17571'
+2022-02-05: BAKERY: added option -xmx
+                    removed options --force-fix, --backup-path
+            AGENT: fixed missing comment in CVE data (THX to doc[at]snowheaven[dot]de)
+            WATO: added option -Xmx
+                  removed options --force-fix and --backup-path
+                   
diff --git a/HOWTO.md b/HOWTO.md
index 853074982f2ed0d2b2fb81be400515b9003cc2ff..4b415fbca8aee2ee9abc6afb95b1c55803d244d5 100644
--- a/HOWTO.md
+++ b/HOWTO.md
@@ -381,8 +381,8 @@ It wil then add all files affected by this CVE to the service. The information i
 | --scan-log4j1 | Scan for log4j 1 versions (CVE-2021-4104) |
 | --scan-logback | Scan for logback (CVE-2021-42550) | |
 | --scan-zip | Scan zip files (increase timeout) |
-| --force-fix | Fix files and backup -> Fix files. (Use at your own risk!) |
-| --backup-path | Fix files and backup -> Backup directory (must exist) |
+| --force-fix | Fix files and backup -> Fix files. (Use at your own risk!) | Option was removed |
+| --backup-path | Fix files and backup -> Backup directory (must exist) | Option was removed |
 | --all-drives | Search method -> All drives | Windows only |
 | --drives | Search method -> Drives to scan | Windows only |
 | --no-symlink | Ignore symlinks | Linux only |
@@ -404,6 +404,9 @@ It wil then add all files affected by this CVE to the service. The information i
 | --json-log-path | Append results to log file ->  Log file format -> JSON |
 | --silent | Silent output |
 | --debug | Debug scanner |
+| --throttle | Throttle |
+| -Xmx | Max memory |
+| --trace | Trace scanner | Removed, produces to much data |
 
 </details>
 
diff --git a/README.md b/README.md
index f491641e0338fa5a241ec877321a126dc075a0f6..7590a1a219a37a7a09121d85336fac75774de01c 100644
--- a/README.md
+++ b/README.md
@@ -6,14 +6,23 @@ Included in this package is the scanner for Linux and Windows. You will find the
 
 The scanner (and so the plugin) can discover the following log4j issues
 
-- CVE-2021-44228
-- CVE-2021-4104
-- CVE-2021-42550
-- CVE-2021-45105
-- CVE-2021-45046
-- CVE-2021-44832 RCE
-
-You will find more information on the [Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html) page.
+- log4j 1.x
+  - CVE-2017-5645
+  - CVE-2019-17571
+  - CVE-2020-9488
+  - CVE-2021-4104
+  - CVE-2022-23302
+  - CVE-2022-23305
+  - CVE-2022-23307
+- log4j 2.x
+  - CVE-2021-44228
+  - CVE-2021-45046
+  - CVE-2021-45105
+  - CVE-2021-44832
+- logback
+  - CVE-2021-42550
+
+You will find more information on the [Apache Log4j 2 Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html) page (Log4j 1 is no longer supportet, you can find information about Log4j 1 Security Vulnerabilities [here](https://logging.apache.org/log4j/1.2/index.html) on the logging.apache.org web page). 
 
 ---
 ### Download
diff --git a/agent_based/cve_2021_44228_log4j.py b/agent_based/cve_2021_44228_log4j.py
index 99617dfb212d963648e9f060db928d7fb496da42..58038823aaaa59c491fed05b400055e9457b0d86 100644
--- a/agent_based/cve_2021_44228_log4j.py
+++ b/agent_based/cve_2021_44228_log4j.py
@@ -24,6 +24,11 @@
 # 2022-01-18: extended inventory report for additional log4j CVEs
 #             removed status_data inventory
 # 2022-01-21: reworked report inventory plugin and per cve check
+# 2022-01-30: added additional CVEs for Log4j 1
+#             added WAR/CRIT based on CVSS score (0.1, 5.5)
+#             changed defaults for WARN/CRIT of affected files form (1, 1) to (None, None)
+#             added Description/Comment to service details
+# 2022-02-05: fixed missing comment in CVE data (THX to doc[at]snowheaven[dot]de)
 #
 
 # sample agent output
@@ -99,15 +104,85 @@ class CVE_2021_44228_log4j:
     cves: Dict[str, CVE]
 
 
+_cves = [
+    'CVE-2019-17571', 'CVE-2020-9488', 'CVE-2021-4104', 'CVE-2022-23302', 'CVE-2022-23305', 'CVE-2022-23307',
+    'CVE-2021-44832', 'CVE-2021-45105', 'CVE-2021-45046', 'CVE-2021-44228', 'CVE-2017-5645',
+    'CVE-2021-42550',
+]
+
 _log4_cves = {
     'Log4j 1': {
+        'CVE-2019-17571': {
+            'fixed': [],
+            'excluded': [],
+            'affected': '1.2.17',
+            'cvss_score': 7.5,
+            'description': 'CVE-2019-17571 is a high severity issue targeting the SocketServer. Log4j includes a '
+                           'SocketServer that accepts serialized log events and deserializes them without verifying '
+                           'whether the objects are allowed or not. This can provide an attack vector that can be '
+                           'expoited.',
+            'comment': 'Apache Log4j 1.2 reached end of life in August 2015. Migrate to Log4j 2',
+        },
+        'CVE-2020-9488': {
+            'fixed': [],
+            'excluded': [],
+            'affected': '1.2.17',
+            'cvss_score': 4.3,
+            'description': 'CVE-2020-9488 is a moderate severity issue with the SMTPAppender. Improper validation of '
+                           'certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS '
+                           'connection to be intercepted by a man-in-the-middle attack which could leak any log '
+                           'messages sent through that appender.',
+            'comment': 'Apache Log4j 1.2 reached end of life in August 2015. Migrate to Log4j 2',
+        },
         'CVE-2021-4104': {
-            'fixed': ['Apache Log4j 1.2 reached end of life in August 2015. Migrate to Log4j 2'],
+            'fixed': [],
             'excluded': [],
-            'affected': '1.2.99',
+            'affected': '1.2.17',
             'cvss_score': 7.5,
-            'Comment': 'Apache Log4j 1.2 reached end of life in August 2015. Migrate to Log4j 2'
+            'description': 'CVE-2021-4104 is a high severity deserialization vulnerability in JMSAppender. JMSAppender '
+                           'uses JNDI in an unprotected manner allowing any application using the JMSAppender to be '
+                           'vulnerable if it is configured to reference an untrusted site or if the site referenced '
+                           'can be accesseed by the attacker. For example, the attacker can cause remote code '
+                           'execution by manipulating the data in the LDAP store.',
+            'comment': 'Apache Log4j 1.2 reached end of life in August 2015. Migrate to Log4j 2',
+        },
+        'CVE-2022-23302': {
+            'fixed': [],
+            'excluded': [],
+            'affected': '1.2.17',
+            'cvss_score': 6.0,
+            'description': 'CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses '
+                           'JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable '
+                           'if it is configured to reference an untrusted site or if the site referenced can be '
+                           'accesseed by the attacker. For example, the attacker can cause remote code execution by '
+                           'manipulating the data in the LDAP store.',
+            'comment': 'Apache Log4j 1.2 reached end of life in August 2015. Migrate to Log4j 2',
         },
+        'CVE-2022-23305': {
+            'fixed': [],
+            'excluded': [],
+            'affected': '1.2.17',
+            'cvss_score': 6.8,
+            'description': 'CVE-2022-23305 is a high serverity SQL injection flaw in JDBCAppender that allows the '
+                           'data being logged to modify the behavior of the component. By design, the JDBCAppender in '
+                           'Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be '
+                           'inserted are converters from PatternLayout. The message converter, %m, is likely to always '
+                           'be included. This allows attackers to manipulate the SQL by entering crafted strings into '
+                           'input fields or headers of an application that are logged allowing unintended SQL queries '
+                           'to be executed.',
+            'comment': 'Apache Log4j 1.2 reached end of life in August 2015. Migrate to Log4j 2',
+        },
+        'CVE-2022-23307': {
+            'fixed': [],
+            'excluded': [],
+            'affected': '1.2.17',
+            'cvss_score': 10.0,
+            'description': 'CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x. This is '
+                           'the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was '
+                           'included as part of Log4j 1.2.x.',
+            'comment': 'Apache Log4j 1.2 reached end of life in August 2015. Migrate to Log4j 2',
+        },
+
     },
     'Log4j 2': {
         'CVE-2021-44832': {
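Review bot: The new `cvss_score` values do not record which CVSS version or source they come from, and the added descriptions hint at a mix: CVE-2022-23302 and CVE-2022-23305 are called "high severity" with scores 6.0 and 6.8, which would be medium on the CVSS v3 scale. This commit starts comparing the score against WARN/CRIT levels (default `(0.1, 5.5)`), so scores from different scales would give inconsistent states across CVEs. I would add a comment above `_log4_cves` such as `# cvss_score: base score, CVSS version <X> as published by <source>` and re-check each value against it. The same applies to the Logback hunk further down, where the score changes from 6.6 to 8.5 without a stated source. The `_log4_cves` literal continues outside this hunk.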
@@ -115,36 +190,75 @@ _log4_cves = {
             'excluded': ['2.3.2', '2.12.4'],
             'affected': '2.17.0',
             'cvss_score': 6.6,
+            'description': 'Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 '
+                           'and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with '
+                           'permission to modify the logging configuration file can construct a malicious configuration'
+                           ' using a JDBC Appender with a data source referencing a JNDI URI which can execute remote '
+                           'code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2'
+                           ' versions 2.17.1, 2.12.4, and 2.3.2.',
+            'comment': '',
         },
         'CVE-2021-45105': {
             'fixed': ['2.3.1', '2.12.3', '2.17.0'],
             'excluded': ['2.12.3'],
             'affected': '2.16.0',
             'cvss_score': 5.9,
+            'description': 'Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect from '
+                           'uncontrolled recursion from self-referential lookups. When the logging configuration uses '
+                           'a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), '
+                           'attackers with control over Thread Context Map (MDC) input data can craft malicious input '
+                           'data that contains a recursive lookup, resulting in a StackOverflowError that will '
+                           'terminate the process. This is also known as a DOS (Denial of Service) attack.',
+            'comment': '',
         },
         'CVE-2021-45046': {
             'fixed': ['2.3.1', '2.12.3', '2.17.0'],
             'excluded': ['2.12.2'],
             'affected': '2.15.0',
             'cvss_score': 9.0,
+            'description': 'It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete '
+                           'in certain non-default configurations. When the logging configuration uses a non-default '
+                           'Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control'
+                           ' over Thread Context Map (MDC) input data can craft malicious input data using a JNDI '
+                           'Lookup pattern, resulting in an information leak and remote code execution in some '
+                           'environments and local code execution in all environments; remote code execution has been '
+                           'demonstrated on MacOS, Fedora, Arch Linux, and Alpine Linux.',
+            'comment': '',
         },
         'CVE-2021-44228': {
             'fixed': ['2.3.1', '2.12.3', '2.17.0'],
             'excluded': [],
             'affected': '2.14.1',
             'cvss_score': 10.0,
+            'description': 'In Apache Log4j2 versions up to and including 2.14.1 (excluding security releases 2.3.1, '
+                           '2.12.2 and 2.12.3), the JNDI features used in configurations, log messages, and parameters '
+                           'do not protect against attacker-controlled LDAP and other JNDI related endpoints. An '
+                           'attacker who can control log messages or log message parameters can execute arbitrary code '
+                           'loaded from LDAP servers when message lookup substitution is enabled.',
+            'comment': '',
         },
         'CVE-2020-9488': {
             'fixed': ['2.12.3', '2.13.2'],
             'excluded': [],
             'affected': '2.13.1',
+            'description': 'Improper validation of certificate with host mismatch in Log4j2 SMTP appender. This could '
+                           'allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak '
+                           'any log messages sent through that appender. The reported issue was caused by an error in '
+                           'SslConfiguration. Any element using SslConfiguration in the Log4j Configuration is also '
+                           'affected by this issue. This includes HttpAppender, SocketAppender, and SyslogAppender. '
+                           'Usages of SslConfiguration that are configured via system properties are not affected.',
             'cvss_score': 3.7,
+            'comment': '',
         },
         'CVE-2017-5645': {
             'fixed': ['2.8.2'],
             'excluded': [],
             'affected': '2.8.1',
             'cvss_score': 7.5,
+            'description': 'When using the TCP socket server or UDP socket server to receive serialized log events '
+                           'from another application, a specially crafted binary payload can be sent that, when '
+                           'deserialized, can execute arbitrary code.',
+            'comment': '',
         },
     },
     'Logback': {
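Review bot: The added description texts name patched releases that the unchanged `excluded` lists beside them do not contain: for CVE-2021-44228 the text excludes 2.3.1, 2.12.2 and 2.12.3 while the entry has `'excluded': []`, and for CVE-2021-45105 `'fixed'` lists 2.3.1 but `'excluded'` holds only 2.12.3. If `_get_affected` (not visible here) is a plain "version <= affected" comparison, hosts already on those back-ported releases would still be reported as affected. Please verify, and if so extend the lists, e.g. `'excluded': ['2.3.1', '2.12.2', '2.12.3'],` for CVE-2021-44228. Separately, the CVE-2020-9488 entry places `'description'` before `'cvss_score'`, unlike every other entry.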
@@ -152,7 +266,11 @@ _log4_cves = {
             'fixed': ['1.2.9'],
             'excluded': [],
             'affected': '1.2.7',
-            'cvss_score': 6.6,
+            'cvss_score': 8.5,
+            'description': 'In logback version 1.2.7 and prior versions, an attacker with the required privileges to '
+                           'edit configurations files could craft a malicious configuration allowing to execute '
+                           'arbitrary code loaded from LDAP servers.',
+            'comment': '',
         },
     },
 }
@@ -464,7 +582,7 @@ def _add_log4j_cves(version: str, product: str) -> Dict[str, str]:
         if version == 'N/A':
             additional_cves[cve] = 'unknown, missing version'
         elif (_get_affected(version, cves[cve]['affected']) is True) and (version not in cves[cve]['excluded']):
-            additional_cves[cve] = f'Affected, fixed in: {", ".join(cves[cve]["fixed"])}'
+            additional_cves[cve] = f'Affected'  # , fixed in: {", ".join(cves[cve]["fixed"])}
         else:
             additional_cves[cve] = 'not affected'
 
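Review bot: `f'Affected'` is an f-string without placeholders and keeps the old format expression as a trailing comment; write `additional_cves[cve] = 'Affected'` and drop the comment, since the fixed versions are now reported by the check function ("Fixed in: ..."). The enclosing `_add_log4j_cves` starts and ends outside this hunk.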
@@ -483,14 +601,6 @@ def parse_inv_cve_2021_44228_log4j_report(string_table: StringTable):
 
     section.update({
         'affected': {
-            'CVE-2021-45105': [],
-            'CVE-2021-45046': [],
-            'CVE-2021-44832': [],
-            'CVE-2021-44228': [],
-            'CVE-2021-42550': [],
-            'CVE-2020-9488': [],
-            'CVE-2017-5645': [],
-            'CVE-2021-4104': [],
         }
     })
 
@@ -510,19 +620,17 @@ def parse_inv_cve_2021_44228_log4j_report(string_table: StringTable):
             if file_entry:
                 to_append += f', ({file_entry})'
 
-            for cve in [
-                'CVE-2021-44832',
-                'CVE-2021-45105',
-                'CVE-2021-45046',
-                'CVE-2021-44228',
-                'CVE-2021-42550',
-                'CVE-2020-9488',
-                'CVE-2017-5645',
-                'CVE-2021-4104',
-            ]:
-                if report.get(cve):
-                    if report[cve].lower().startswith('affected') or report[cve].lower().startswith('unknown'):
-                        section['affected'][cve].append(to_append)
+            for key in report.keys():
+                if key.startswith('CVE-'):
+                    if report[key].lower().startswith('affected') or report[key].lower().startswith('unknown'):
+                        if section['affected'].get(key):
+                            section['affected'][key]['files'].append(to_append)
+                        else:
+                            section['affected'].update({
+                                key: {
+                                    'cve': _log4_cves[_product][key],
+                                    'files': [to_append]
+                                }})
 
     for error in section.get('errors', []):
         error['time'] = _get_ISO861_time(error['created_at'])  # 2022-01-11 20:06:41+0100, convert to ISO8601
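Review bot: The lookup `_log4_cves[_product][key]` is unguarded, so a report row whose product or CVE key is missing from the static table raises `KeyError` and aborts parsing of the whole section. The keys come from the agent report, so a scanner update that reports a new CVE, or a CVE listed under a different product than in `_log4_cves`, would be enough to trigger it; `_product` is assigned outside this hunk, so how it is derived cannot be confirmed here. Suggest `'cve': _log4_cves.get(_product, {}).get(key, {}),` since the check function already reads every field of that dict via `.get()`. As a style point, `for key, value in report.items():` would avoid the repeated `report[key]` lookups.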
@@ -586,31 +694,55 @@ register.inventory_plugin(
 
 
 def discovery_cve_2021_44228_log4j_cves(params, section: Dict) -> DiscoveryResult:
-    for cve in section['affected'].keys():
-        if len(section['affected'][cve]) or params['add_empty_cves'] is True:
+    if params['add_empty_cves']:
+        for cve in _cves:
             yield Service(item=cve)
+    else:
+        for cve in section['affected'].keys():
+            if len(section['affected'][cve]):
+                yield Service(item=cve)
 
 
 def check_cve_2021_44228_log4j_cves(item, params, section: Dict) -> CheckResult:
     try:
         cve = section['affected'][item]
     except KeyError:
-        yield Result(state=State.UNKNOWN, summary=f'{item} not found in agent data.')
+        yield Result(state=State(params['state_not_found']), summary='Not found in agent data.')
         return
 
     yield from check_levels(
-        value=len(cve),
+        value=len(cve.get('files', '')),
         label='Affected files',
         render_func=lambda v: str(v),
         levels_upper=params['files_affected'],
         metric_name='files_affected',
     )
 
+    if cve['cve'].get('cvss_score'):
+        yield from check_levels(
+            value=cve['cve']['cvss_score'],
+            label='CVSS Score',
+            render_func=lambda v: str(v),
+            levels_upper=params['cvss_score'] if cve.get('files') else None,
+        )
+
+    if cve['cve'].get('fixed'):
+        yield Result(state=State.OK, summary=f'Fixed in: {", ".join(cve["cve"]["fixed"])}')
+    else:
+        yield Result(state=State.WARN, summary=f'not fixed')
+
+    if cve['cve'].get('description'):
+        yield Result(state=State.OK, notice=f'\n{cve["cve"]["description"]}')
+
+    if cve['cve'].get('comment'):
+        yield Result(state=State.OK, notice=f'\n{cve["cve"]["comment"]}')
+
     yield Result(state=State.OK, notice=f'\nlist of file affected by {item}:')
-    if cve:
-        yield Result(state=State.OK, notice='\n'.join(cve))
+    if cve.get('files'):
+        yield Result(state=State.OK, notice='\nProduct, Version, File')
+        yield Result(state=State.OK, notice='\n'.join(cve['files']))
     else:
-        yield Result(state=State.OK, notice='\n no affected files found')
+        yield Result(state=State.OK, notice='\nno affected files found')
 
 
 register.check_plugin(
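Review bot: With `add_empty_cves` set, a service is discovered for every entry in `_cves`, but the parse function now creates `section['affected'][cve]` only once a file is affected. A host with no findings therefore lands in the `except KeyError` branch and gets `state_not_found`, which defaults to 3 (UNKNOWN). If a clean host should report OK, handle known CVEs first in that branch, e.g. `if item in _cves:` followed by `yield Result(state=State.OK, summary='no affected files found')` and `return`, and keep `state_not_found` for items that are really unknown. Minor: `f'not fixed'` has no placeholders, and `_cves` repeats the keys of `_log4_cves` by hand, so the two can drift apart.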
@@ -624,7 +756,9 @@ register.check_plugin(
     discovery_function=discovery_cve_2021_44228_log4j_cves,
     check_function=check_cve_2021_44228_log4j_cves,
     check_default_parameters={
-        'files_affected': (1, 1),
+        'files_affected': (None, None),
+        'cvss_score': (0.1, 5.5),
+        'state_not_found': 3,
     },
     check_ruleset_name='cve_2021_44228_log4_cves',
 )
diff --git a/agents/bakery/cve_2021_44228_log4j.py b/agents/bakery/cve_2021_44228_log4j.py
index a7b024f4a33e1affaddd5eb509086d830728b0b6..b57840bcb100f69c444ac0b986975665b79ed4de 100755
--- a/agents/bakery/cve_2021_44228_log4j.py
+++ b/agents/bakery/cve_2021_44228_log4j.py
@@ -18,16 +18,20 @@
 #             added PLUGIN_TIMEOUT to the linux config  (fix scanner got not killed on timeout by the agent)
 # 2022-01-05: added PLUGIN_TIMEOUT to the windows config (to match the linux variant)
 # 2022-01-11: added option to add json report to inventory
-# 2022-01-14: reorganised append to log (--csv-log-path/--json-log-path) and add report to inventory options (-report-path)
+# 2022-01-14: reorganised append to log (--csv-log-path/--json-log-path)
+#             and add report to inventory options (-report-path)
 # 2022-01-25: added option --exclude-pattern
-#
+# 2022-01-30: added option --throttle
+# 2022-02-05: added option -xmx
+#             removed options --force-fix, --backup-path
+
 from pathlib import Path
 from typing import List
 
 from cmk.base.cee.plugins.bakery.bakery_api.v1 import FileGenerator, OS, Plugin, PluginConfig, register
 
 
-bakery_version = '20220125.v0.1.0'
+bakery_version = '20220130.v0.1.1'
 
 
 def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
@@ -121,12 +125,12 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
         options.pop('append_to_log')
 
     if options.get('fix_files'):
-        backup_dir = options["fix_files"]["backup_dir"].strip(' ').strip("'").strip('"')
-        options_array.append(f'--backup-path "{backup_dir}"')
-        if options['fix_files'].get('not_exclude_backup') is None:
-            options_array.append(f'--exclude "{backup_dir}"')
-        if options['fix_files'].get('force_fix'):
-            options_array.append(f'--force-fix')
+        # backup_dir = options["fix_files"]["backup_dir"].strip(' ').strip("'").strip('"')
+        # options_array.append(f'--backup-path "{backup_dir}"')
+        # if options['fix_files'].get('not_exclude_backup') is None:
+        #     options_array.append(f'--exclude "{backup_dir}"')
+        # if options['fix_files'].get('force_fix'):
+        #     options_array.append(f'--force-fix')
         options.pop('fix_files')
 
     if options.get('exclude_paths'):
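Review bot: The removed `--force-fix`/`--backup-path` handling is left behind as six commented-out lines inside `if options.get('fix_files'):`; delete them, as version control already keeps the history. In their place a one-line comment is enough, e.g. `# options --force-fix/--backup-path were removed; discard a legacy 'fix_files' rule value`. `get_cve_2021_44228_log4j_files` starts and ends outside this hunk.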
@@ -150,6 +154,14 @@ def get_cve_2021_44228_log4j_files(conf: List[any]) -> FileGenerator:
         options_array.append(f'--exclude-file-config {config_path}cve_2021_44228_log4j_exclude_files.cfg')
         options.pop('exclude_file_config')
 
+    if options.get('throttle'):
+        options_array.append(f'--throttle {options["throttle"]}')
+        options.pop('throttle')
+
+    if options.get('xmx'):
+        options_array.append(f'-Xmx{options["xmx"]}M')
+        options.pop('xmx')
+
     for value in options.values():
         options_array.append(value)
 
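Review bot: `options["throttle"]` and `options["xmx"]` are interpolated into the scanner option string without a type check, and that string presumably ends up in the generated agent plugin configuration. The valuespecs for these two options are not fully visible here, so if they are not strictly integer fields, arbitrary text from a rule would reach the scanner command line. Coercing at this point is cheap: `options_array.append(f'--throttle {int(options["throttle"])}')` and `options_array.append(f'-Xmx{int(options["xmx"])}M')`. Note also that `if options.get('throttle'):` is false for a value of 0, so the key stays in `options` and the trailing `for value in options.values()` loop appends the bare value. The function continues outside this hunk.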
diff --git a/agents/plugins/log4j2-scan.linux b/agents/plugins/log4j2-scan.linux
index 3e91d9632d8f13725004194a1192a421aaa07137..a3f6196c20ebeaa1dcfd6298ee4086a5a5697cb8 100755
Binary files a/agents/plugins/log4j2-scan.linux and b/agents/plugins/log4j2-scan.linux differ
diff --git a/agents/plugins/log4j2-scan.windows b/agents/plugins/log4j2-scan.windows
index eac513c4542318b52a7b87d05f1911b2acdc1ce9..adabebaa534d48264d37bbdc80e5d18712520490 100755
Binary files a/agents/plugins/log4j2-scan.windows and b/agents/plugins/log4j2-scan.windows differ
diff --git a/cve_2021_44228_log4j.mkp b/cve_2021_44228_log4j.mkp
index 6e39113054c394ab7bc77adedcce0cd6aefd8ca7..951be024e36156317a1223c555261bf7bd910134 100644
Binary files a/cve_2021_44228_log4j.mkp and b/cve_2021_44228_log4j.mkp differ
diff --git a/packages/cve_2021_44228_log4j b/packages/cve_2021_44228_log4j
index f347e92d842c75fab5fc1a7eb5ea9fb14ce36a02..02381e58875cafcf8f56a84c1752470aeae1eae0 100644
--- a/packages/cve_2021_44228_log4j
+++ b/packages/cve_2021_44228_log4j
@@ -33,7 +33,7 @@
  'name': 'cve_2021_44228_log4j',
  'num_files': 11,
  'title': 'CVE-2021-44228-log4j scanner plugin',
- 'version': '20220125.v0.1.0',
+ 'version': '20220205.v0.1.2',
  'version.min_required': '2.0.0',
  'version.packaged': '2021.09.20',
  'version.usable_until': None}
\ No newline at end of file
diff --git a/web/plugins/metrics/cve_2021_44228_log4j.py b/web/plugins/metrics/cve_2021_44228_log4j.py
index 982334d4604e4fbe0f97c39490d4c083ac62ecdf..39f4ca513546a3fee6a6bc76232a3b8cc2a84e48 100644
--- a/web/plugins/metrics/cve_2021_44228_log4j.py
+++ b/web/plugins/metrics/cve_2021_44228_log4j.py
@@ -133,6 +133,6 @@ perfometer_info.append(
         'segments': [
             'files_affected',
         ],
-        'total': 50,
+        'total': 200,
     },
 )
diff --git a/web/plugins/views/inv_cve_2021_22448_log4j.py b/web/plugins/views/inv_cve_2021_22448_log4j.py
index 84929664ad986ff797f6c2c6c55e308ddba41fed..82c2f07e54395ca16f75b061ad2cde3e837c189c 100644
--- a/web/plugins/views/inv_cve_2021_22448_log4j.py
+++ b/web/plugins/views/inv_cve_2021_22448_log4j.py
@@ -12,7 +12,7 @@
 # 2022-01-07: added short names
 # 2022-01-18: added additional CVEs
 # 2022-01-22: added entry's for 'CVE-2021-42550' and 'CVE-2021-4104'
-#
+# 2022-01-30: added entry's for 'CVE-2022-23307'. 'CVE-2022-23305', 'CVE-2022-23302' and 'CVE-2019-17571'
 
 from cmk.gui.i18n import _
 from cmk.gui.plugins.views import (
@@ -45,16 +45,26 @@ inventory_displayhints.update({
         'view': 'invcve202144228log4jsummary_of_host',
     },
     '.software.cve_2021_44228_log4j.summary:*.index': {'title': _('Index'), },
-    '.software.cve_2021_44228_log4j.summary:*.files_vulnerable': {'title': _('Files vulnerable'), 'short': _('Vulnerable'), },
-    '.software.cve_2021_44228_log4j.summary:*.files_potential_vulnerable': {'title': _('Files potentially vulnerable'), 'short': _('Potentially'), },
-    '.software.cve_2021_44228_log4j.summary:*.files_mitigated': {'title': _('Files mitigated'), 'short': _('Mitigated'), },
+    '.software.cve_2021_44228_log4j.summary:*.files_vulnerable': {
+        'title': _('Files vulnerable'), 'short': _('Vulnerable'),
+    },
+    '.software.cve_2021_44228_log4j.summary:*.files_potential_vulnerable': {
+        'title': _('Files potentially vulnerable'), 'short': _('Potentially'),
+    },
+    '.software.cve_2021_44228_log4j.summary:*.files_mitigated': {
+        'title': _('Files mitigated'), 'short': _('Mitigated'),
+    },
     '.software.cve_2021_44228_log4j.summary:*.files_scanned': {'title': _('Files scanned'), 'short': _('Files'), },
     '.software.cve_2021_44228_log4j.summary:*.files_skipped': {'title': _('Files skipped'), 'short': _('Skipped'), },
-    '.software.cve_2021_44228_log4j.summary:*.directories_scanned': {'title': _('Directories scanned'), 'short': _('Directories'), },
+    '.software.cve_2021_44228_log4j.summary:*.directories_scanned': {
+        'title': _('Directories scanned'), 'short': _('Directories'),
+    },
     '.software.cve_2021_44228_log4j.summary:*.run_time': {'title': _('Run time'), },
     '.software.cve_2021_44228_log4j.summary:*.last_run': {'title': _('Last run'), },
     '.software.cve_2021_44228_log4j.summary:*.errors': {'title': _('Errors'), },
-    '.software.cve_2021_44228_log4j.summary:*.scanner_version': {'title': _('logresso scanner version'), 'short': _('Scanner version'), },
+    '.software.cve_2021_44228_log4j.summary:*.scanner_version': {
+        'title': _('logresso scanner version'), 'short': _('Scanner version'),
+    },
     '.software.cve_2021_44228_log4j.summary:*.scan_options': {'title': _('Scan options'), },
     '.software.cve_2021_44228_log4j.summary:*.script_version': {'title': _('Script version'), },
     '.software.cve_2021_44228_log4j.summary:*.bakery_version': {'title': _('Bakery version'), },
@@ -72,6 +82,9 @@ inventory_displayhints.update({
             # 'hostname',
             'path',
             'entry',
+            'CVE-2022-23307',
+            'CVE-2022-23305',
+            'CVE-2022-23302',
             'CVE-2021-45105',
             'CVE-2021-45046',
             'CVE-2021-44832',
@@ -79,6 +92,7 @@ inventory_displayhints.update({
             'CVE-2021-42550',
             'CVE-2021-4104',
             'CVE-2020-9488',
+            'CVE-2019-17571',
             'CVE-2017-5645',
             'error',
         ],
@@ -100,10 +114,14 @@ inventory_displayhints.update({
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-45046': {'title': _('CVE-2021-45046'), },
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-44832': {'title': _('CVE-2021-44832'), },
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-44228': {'title': _('CVE-2021-44228'), },
-    '.software.cve_2021_44228_log4j.report:*.CVE-2020-9488' : {'title': _('CVE-2020-9488'), },
-    '.software.cve_2021_44228_log4j.report:*.CVE-2017-5645' : {'title': _('CVE-2017-5645'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2020-9488': {'title': _('CVE-2020-9488'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2017-5645': {'title': _('CVE-2017-5645'), },
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-42550': {'title': _('CVE-2021-42550'), },
     '.software.cve_2021_44228_log4j.report:*.CVE-2021-4104': {'title': _('CVE-2021-4104'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2019-17571': {'title': _('CVE-2019-17571'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2022-23302': {'title': _('CVE-2022-23302'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2022-23305': {'title': _('CVE-2022-23305'), },
+    '.software.cve_2021_44228_log4j.report:*.CVE-2022-23307': {'title': _('CVE-2022-23307'), },
 
 })
 
@@ -119,4 +137,4 @@ declare_invtable_view(
     '.software.cve_2021_44228_log4j.report:',
     _('CVE Scanner for log4j report'),
     _('CVE Scanner for log4j report'),
-)
\ No newline at end of file
+)
diff --git a/web/plugins/wato/cve_2021_44228_log4j.py b/web/plugins/wato/cve_2021_44228_log4j.py
index 92062782e71e4d6e6280668004c98a58c561780a..057470e6663cd84db99f114fd57f4253d7fd9280 100644
--- a/web/plugins/wato/cve_2021_44228_log4j.py
+++ b/web/plugins/wato/cve_2021_44228_log4j.py
@@ -26,6 +26,12 @@
 #             to 'log4j CVE scanner (CVE-2021-44228-log4j)'
 #             enabled 'attach_report_to_output' in "reporting" by default for new rules
 # 2022-01-25: added option --exclude-pattern
+# 2022-01-30: added CVSS score and state_not_found option to per CVE check
+#             changed defaults for files_affected to 10/30 (from 1/1)
+#             scan_logback and log4j_1 enabled by default for new agent plugin rules
+# 2022-02-05: added option -Xmx
+#             removed options --force-fix and --backup-path
+#
 
 from cmk.gui.i18n import _
 from cmk.gui.valuespec import (
@@ -66,7 +72,7 @@ from cmk.gui.cee.plugins.wato.agent_bakery.rulespecs.utils import (
     RulespecGroupMonitoringAgentsAgentPlugins,
 )
 
-bakery_plugin_version = '20220125.v0.0.7'
+bakery_plugin_version = '20220205.v0.0.9'
 
 # #########################################################################################################
 #
@@ -232,14 +238,31 @@ rulespec_registry.register(
 def _valuespec_cve_2021_44228_log4_cves():
     return Dictionary(
         elements=[
+            ('cvss_score',
+             Tuple(
+                 title=_('CVSS score'),
+                 help=_('Upper levels for CVSS score.'),
+                 elements=[
+                     Integer(title=_('Warning at'), minvalue=0, unit=_('CVSS score'), default_value=0.1),
+                     Integer(title=_('Critical at'), minvalue=0, unit=_('CVSS score'), default_value=5.5),
+                 ])),
             ('files_affected',
              Tuple(
                  title=_('Files affected'),
                  help=_('Upper levels for # of affected files found.'),
                  elements=[
-                     Integer(title=_('Warning at'), minvalue=0, unit=_('Files'), default_value=1),
-                     Integer(title=_('Critical at'), minvalue=0, unit=_('Files'), default_value=1),
+                     Integer(title=_('Warning at'), minvalue=0, unit=_('Files'), default_value=10),
+                     Integer(title=_('Critical at'), minvalue=0, unit=_('Files'), default_value=30),
                  ])),
+            ('state_not_found',
+             MonitoringState(
+                 default_value=3,
+                 title=_('State on item not found'),
+                 help=_(
+                     'Monitoring state if an item is missing from agent output. This might happen if there is no '
+                     'affected file any more.'
+                 )
+             )),
         ])
 
 
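Review bot: The new `cvss_score` levels are declared as `Integer` but default to 0.1 and 5.5, so the field type and its defaults disagree and the rule editor will presumably not accept a fractional threshold such as 7.5. CVSS base scores are decimals between 0.0 and 10.0, so I would write `Float(title=_('Warning at'), minvalue=0.0, maxvalue=10.0, unit=_('CVSS score'), default_value=0.1),` and the same for the critical level with `default_value=5.5`. `Float` has to be added to the `cmk.gui.valuespec` import if it is not already there, since the import list is outside this hunk. In the same hunk the `files_affected` defaults move from 1/1 to 10/30, so that level alone stays OK for a host with one to nine affected files. If the check is meant to cover that case through `cvss_score`, a comment such as `# a single affected file is already reported through cvss_score; these levels only grade the count` would record the intent.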
@@ -369,20 +392,46 @@ _base_options_config_fix_files = (
 _base_options_config_interval = (
     'interval',
     Integer(
-        title=_('Scan interval (min 600s)'),
+        title=_('Scan interval'),
         minvalue=600,
         unit=_('s'),
         default_value=86400,
         help=_('This is the interval witch the scanner runs. Default is 86400s (one day). Minimum is 600s (10min)'),
     ),
+)
 
+_base_options_config_throttle = (
+    'throttle',
+    Integer(
+        title=_('Throttle'),
+        minvalue=1,
+        unit=_('Files/s'),
+        default_value=100000,
+        help=_(
+            'Number of files the scanner is allowed to scan per second. Will lower numbers you can reduce the CPU '
+            'usage of the logpresso scanner. Remember to increase scanner timeout accordingly.'
+        ),
+    ),
+)
+
+_base_options_config_xmx = (
+    'xmx',
+    Integer(
+        title=_('Max memory'),
+        minvalue=10,
+        unit=_('MB'),
+        default_value=100,
+        help=_(
+            'Limits the memory usage of the scanner to the configured amount of mega bytes (Min value: 10MB.)'
+        ),
+    ),
 )
 
 _base_options_config_timeout = (
     'timeout',
     Integer(
-        title=_('Scanner timeout (min 60s)'),
-        # minvalue=60,
+        title=_('Scanner timeout'),
+        minvalue=60,
         unit=_('s'),
         default_value=300,
         help=_('This is the maximum run time for the scanner. Default is 300s (5min). Minimum is 60s (1min)'),
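Review bot: The `throttle` help text contains a typo that obscures its meaning, `Will lower numbers you can reduce`; the line should read `'Number of files the scanner is allowed to scan per second. With lower numbers you can reduce the CPU '`. Both new limits can end a scan before it has covered the configured paths: a low throttle against the unchanged 300 s default timeout, or an `xmx` value too small for what is presumably the scanner's JVM heap. The `xmx` help should say so, for example `'Limits the memory usage of the scanner to the configured amount of megabytes (min. 10 MB). If the value is too low the scan may abort before all files are checked.'`. It is also worth confirming that the check reports an aborted or timed-out run as such rather than showing zero affected files. The `_base_options_config_timeout` definition continues past the end of this hunk.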
@@ -791,7 +840,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
                  _base_options_config_scan_logback,
                  _base_options_config_log4j_1,
                  _base_options_config_scan_zip,
-                 _base_options_config_fix_files,
+                 # _base_options_config_fix_files,
                  _base_option_config_exclude_paths,
                  _base_option_config_exclude_files,
                  _base_option_config_exclude_fs,
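Review bot: `_base_options_config_fix_files` is commented out of the element list here, and again in the Windows list in the hunk at `-860,7 +911,7`, instead of being deleted. Its definition appears to remain in the file, since the `@@ -369,20 +392,46 @@` hunk header still names it. Rules saved before this change may still carry a `fix_files` key that the dictionary no longer declares, so it should be verified that such rules still open and save in WATO; if they do not, the key could be listed in the Dictionary's `ignored_keys`. I would delete the commented line and the unused definition and leave a single comment in the element list, such as `# fix_files (--force-fix/--backup-path) removed 2022-02-05; values stored in old rules are ignored`. The enclosing `_valuespec_agent_config_cve_2021_44228_log4j` starts and ends outside this hunk.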
@@ -802,11 +851,13 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
                  _base_options_config_silent,
                  _base_options_config_interval,
                  _base_options_config_timeout,
+                 _base_options_config_throttle,
+                 _base_options_config_xmx,
                  _base_options_config_debug,
                  # _base_options_config_trace,  # run takes to long, produces to much output
              ],
                  required_keys=['search_in'],
-                 default_keys=['silent', 'reporting'],
+                 default_keys=['scan_logback', 'log4j_1', 'silent', 'reporting'],
              )),
             ('windows',
              _('Deploy Windows CVE-2021-44228-log4j agent plugin'),
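Review bot: `default_keys` only preselects options when a new rule is created, as the file's own changelog comment says, so the added `'scan_logback'` and `'log4j_1'` do not reach rules that already exist. This applies here and in the Windows branch in the hunk at `-871,11 +922,13`. Hosts baked from older rules keep scanning without those two options, while this release adds inventory columns for the Log4j 1 CVEs, so those entries would presumably stay empty on such hosts. A comment above the list, for example `# default_keys applies to new rules only; existing rules need scan_logback/log4j_1 enabled by hand`, would make that visible to whoever maintains the rule set. The new `throttle` and `xmx` elements are not in `default_keys` and so stay opt-in, which looks intended.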
@@ -860,7 +911,7 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
                  _base_options_config_scan_logback,
                  _base_options_config_log4j_1,
                  _base_options_config_scan_zip,
-                 _base_options_config_fix_files,
+                 # _base_options_config_fix_files,
                  _base_option_config_exclude_paths,
                  _base_option_config_exclude_files,
                  # _base_option_config_exclude_fs, # filesystem type on windows?
@@ -871,11 +922,13 @@ def _valuespec_agent_config_cve_2021_44228_log4j():
                  _base_options_config_silent,
                  _base_options_config_interval,
                  _base_options_config_timeout,
+                 _base_options_config_throttle,
+                 _base_options_config_xmx,
                  _base_options_config_debug,
                  # _base_options_config_trace,  # run takes to long, produces to much output
              ],
                  required_keys=['search_in'],
-                 default_keys=['silent', 'reporting'],
+                 default_keys=['scan_logback', 'log4j_1', 'silent', 'reporting'],
              )),
             (None, _('Do not deploy the CVE-2021-44228-log4j agent plugin')),
         ],