Log4Shell Remediation Visibility with JupiterOne and Log4Shell_Sentinel


If you're neck-deep in Log4Shell remediation and want the assurance of an automated process that confirms your hosts are patched and stay patched, the following approach may be helpful to you.

Identify Vulnerable Hosts

We found that ossie-git/log4shell_sentinel is a fast and accurate file-based scanner for vulnerable Log4J dependencies. The JupiterOne Security team has wrapped this scanner with some additional scripts that ingest its output into the JupiterOne graph.

That project can be found here: https://github.com/JupiterOne/secops-automation-examples/tree/main/ingest-log4j-vulns

If Docker is available on your target hosts, this is the easiest way to use the tool. We provide an image on Docker Hub that you can pull down via:

docker pull jupiterone/ingest-log4j-vulns:latest

Additionally, you may use this tool by:

See project README.md for more details.

You will want to set up the scanning/ingestion script to run periodically, say at least every hour.

Prioritize Your Remediation

Once one or more hosts are reporting into JupiterOne, head to the JupiterOne Insights app and import this JSON schema. It should create a dashboard that gives you insight into which hosts need patching, how many vulnerabilities are still unpatched, and how long these hosts have been unpatched:

Log4j Dashboard - JupiterOne

Patch Your Hosts, Monitor Insights

Use the above insights to help guide your remediation efforts. As you roll out patches, the scanning/ingestion script will verify them and report each host's updated status to JupiterOne.

Watching the number of vulnerabilities fall is satisfying, and you'll have the confidence that regressions will not occur without your awareness.

Technical Notes

If you're using a different scanning tool, or this ingest-log4j-vulns project is otherwise not immediately helpful to you today, you may still find the approach taken here generally useful for cases where you want individual hosts to report periodically to the J1 graph.

The ingestion script uses the "Bulk Upload"/Sync Job API, and passes a unique scope for each host. This scope parameter is important: it ensures that multiple runs of the ingestion script will be idempotent, and that previous log4j_vulnerability Findings will be removed accurately from the graph once remediated. In our ingestion script we randomly generate a scope parameter for each host, persist it to the filesystem, and reuse it on later runs of the script.
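The per-host scope pattern described above, as an added sketch that is not the code from ingest-log4j-vulns. It assumes a UUID as the random scope value and hypothetical state-file names, and ScopedGraph is a simplified local stand-in for scoped sync behaviour, not the JupiterOne API.

```python
import os
import uuid
from pathlib import Path


def load_or_create_scope(path):
    """Return this host's scope, generating and persisting it on first run."""
    path = Path(path)
    try:
        scope = path.read_text().strip()
        uuid.UUID(scope)  # raises ValueError on an empty or corrupted file
        return scope
    except (FileNotFoundError, ValueError):
        pass
    scope = str(uuid.uuid4())
    tmp = path.with_name(f"{path.name}.{os.getpid()}.tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(scope + "\n")
    os.replace(tmp, path)  # atomic: a reader never sees a half-written scope
    return scope


class ScopedGraph:
    """Simplified local model (an assumption, not the JupiterOne API):
    each sync replaces whatever was previously uploaded under that scope."""

    def __init__(self):
        self.by_scope = {}

    def sync(self, scope, findings):
        self.by_scope[scope] = set(findings)

    def findings(self):
        return sorted(f for group in self.by_scope.values() for f in group)


def demo(state_dir):
    """Two hosts report, host A reruns unchanged, then host A is patched."""
    a, b = Path(state_dir, "host-a.scope"), Path(state_dir, "host-b.scope")
    graph = ScopedGraph()
    vuln_a = ["host-a:/opt/app/lib/log4j-core-2.14.1.jar"]  # constructed
    vuln_b = ["host-b:/srv/app/lib/log4j-core-2.14.1.jar"]  # constructed
    graph.sync(load_or_create_scope(a), vuln_a)
    graph.sync(load_or_create_scope(b), vuln_b)
    graph.sync(load_or_create_scope(a), vuln_a)  # rerun: no duplicates
    before = graph.findings()
    graph.sync(load_or_create_scope(a), [])  # patched: only A's finding goes
    return before, graph.findings()
```

If every host shared one scope in this model, host B's upload would overwrite host A's findings, which is why the scope has to be unique per host and stable across runs.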

If you have more questions about this solution, or Log4Shell remediation in general, we have a dedicated channel, #rapid-response-log4shell, on our public Slack. Please join us.

Erich Smith

Erich is the Principal Security Engineer at JupiterOne. An industry veteran of 20+ years, his background includes roles in software development, security, devops, systems administration, and compliance automation.
