These days everyone is trying to identify devices that are vulnerable to the Log4Shell vulnerability (CVE-2021-44228). If Microsoft Endpoint Configuration Manager (ConfigMgr) is your only systems management tool, this blog post is for you.
You can of course create device collections based on installed programs, but log4j is a library bundled inside Java applications rather than a product registered in Programs and Features, so log4j-core.jar files turn up in many locations both inside and outside the Program Files folder. To identify these files we therefore have to search the entire disk. Here is the script I prepared for that. Keep in mind that a search by file name does not find a log4j-core build that has been repackaged inside another archive (an uber JAR, WAR or EAR); those need a look inside the archive.
Note that I have intentionally limited the drive letters to a-e; adjust this if you know of systems with more drive letters. A full-disk search takes a while, so expect the script to run for several minutes on large volumes.
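For readers who want to see the whole discovery step in one piece, here is an added example of such a search script. It is not the script from the gist linked below; it is my own illustration, and it differs from the original in two ways: it enumerates the fixed local disks via WMI instead of a hard-coded letter range, and it also opens every .jar/.war/.ear it finds to flag archives that embed log4j-core (the JndiLookup class or a nested log4j-core jar), which a file-name search misses. The JSON field names are my own choice.

```powershell
<#
  Added example, not the script from the author's gist. Run it through the ConfigMgr
  Run Scripts feature (it executes as SYSTEM on the client). It searches every fixed
  local disk for log4j-core JARs, also flags other Java archives (jar/war/ear) that
  embed the log4j-core JndiLookup class or a nested log4j-core jar, and prints one
  compact JSON string, which is the easiest shape to pull back out of the script
  results later.
#>
Add-Type -AssemblyName System.IO.Compression.FileSystem

# The class behind the JNDI lookup that CVE-2021-44228 abuses in log4j-core 2.x.
$JndiLookupEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

# Fixed local disks only (DriveType 3), instead of a hard-coded letter range.
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
          Select-Object -ExpandProperty DeviceID

function Get-ArchiveInfo {
    # Opens a zip-based archive and returns the manifest Implementation-Version
    # plus whether log4j-core content is present inside it.
    param([string]$Path)
    $info = [ordered]@{ Version = $null; ContainsLog4jCore = $false }
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $manifest = $zip.GetEntry('META-INF/MANIFEST.MF')
            if ($manifest) {
                $reader = New-Object System.IO.StreamReader($manifest.Open())
                try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
                if ($text -match 'Implementation-Version:\s*(\S+)') { $info.Version = $Matches[1] }
            }
            foreach ($entry in $zip.Entries) {
                # Direct hit: the class itself (shaded/uber jar). Nested hit: a log4j-core jar in a war/ear.
                if ($entry.FullName -eq $JndiLookupEntry -or $entry.FullName -match 'log4j-core[^/]*\.jar$') {
                    $info.ContainsLog4jCore = $true
                    break
                }
            }
        } finally { $zip.Dispose() }
    } catch {
        # Unreadable or corrupt archive: report what we have, do not abort the scan.
    }
    return $info
}

$results = foreach ($drive in $drives) {
    Get-ChildItem -Path "$drive\" -Recurse -File -Include '*.jar', '*.war', '*.ear' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $isCoreJar = $_.Name -like 'log4j-core*.jar'
        $info = Get-ArchiveInfo -Path $_.FullName
        if ($isCoreJar -or $info.ContainsLog4jCore) {
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Path         = $_.FullName
                Version      = $info.Version
                Embedded     = -not $isCoreJar   # true when found inside another archive
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            }
        }
    }
}

# Always emit a JSON array (even when empty) so the consumer can parse every result the same way.
if ($null -eq $results) { $results = @() }
ConvertTo-Json -InputObject @($results) -Compress
```

Opening every archive costs time on file servers with large Java installations, so if you only need the quick file-name check, drop the `Get-ArchiveInfo` call and keep the `-like 'log4j-core*.jar'` test. The version comes from the manifest rather than the file name, because a renamed or embedded jar still carries its Implementation-Version. The archive check recognises a nested log4j-core jar by name only; it does not unpack that nested jar to read its manifest.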
You can find the script here: https://gist.github.com/alexverboon/0a7a32b8f1267f4a9ac34b5e1c5b1ba5
The script produces the following output.
Next, import the script into the Microsoft Endpoint Configuration Manager script library. Remember that a script must be approved before it can be run, and by default an author cannot approve their own script, so a second administrator has to approve it. Then select a device collection and run the script; it executes on the clients in the local SYSTEM context.
Next, we are going to extract the Run Script results with PowerShell. I wrote about this method earlier in this blog post: Extract ConfigMgr Script Status Results with PowerShell – Anything about IT (verboon.info)
Open PowerShell from the ConfigMgr console and then load the Export-CMScriptResults function that you copied from the blog post mentioned above or from here: Export-CMScriptResults (github.com)
We now have all the results in our PowerShell variable $log4, so we can review the data further.
And as a little bonus, let's compare the identified files with some log4j-core.jar file hash references available on GitHub. A hash match positively identifies a known release build; the reverse is not true, because a rebuilt, repackaged or vendor-patched jar has a different hash, so a file with no match still needs to be judged by its version.
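The following is an added example of that comparison, not the code from the gist linked below and not the author's snippets. It assumes the discovery output is the JSON produced by a script like the one shown earlier (fields ComputerName, Path, Version, SHA256), and that you pass it the property of $log4 that carries the script output text, whatever that property is called in your export. It adds a second check the hash list alone does not give you: a verdict from the log4j-core version against the ranges fixed for CVE-2021-44228 (2.15.0, plus the 2.12.2 and 2.3.1 backports for Java 7 and Java 6). The reference digests and the two result records are constructed for the example and are not real data.

```powershell
<#
  Added example, not the author's gist. Takes the JSON strings a discovery script
  prints on each device (assumed fields: ComputerName, Path, Version, SHA256) and
  checks each file two ways: against a reference list in the "sha256  filename"
  layout used by published log4j hash lists, and against the log4j-core version
  ranges fixed for CVE-2021-44228. The reference digests and the result records
  below are constructed for the example, not real data.
#>

function Test-Log4jCoreVersionVulnerable {
    # CVE-2021-44228 is fixed in 2.15.0, with backports 2.12.2 (Java 7) and 2.3.1 (Java 6).
    # Returns $true / $false, or $null when the version string cannot be parsed.
    param([string]$Version)
    if ([string]::IsNullOrEmpty($Version)) { return $null }
    if ($Version -match '^2\.0-(alpha|beta|rc)') { return $true }   # 2.0 pre-releases predate the fix
    $v = $null
    if (-not [version]::TryParse($Version, [ref]$v)) { return $null }
    if ($v.Major -ne 2) { return $false }                             # log4j 1.x is not affected by this CVE
    if ($v.Minor -eq 12) { return ($v -lt [version]'2.12.2') }
    if ($v.Minor -eq 3)  { return ($v -lt [version]'2.3.1') }
    return ($v -lt [version]'2.15.0')
}

function Import-ReferenceHashes {
    # Parses "sha256  log4j-core-x.y.z.jar" lines into a lookup keyed by upper-case digest.
    param([string]$Text)
    $table = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^([0-9A-Fa-f]{64})\s+(\S+)') {
            $table[$Matches[1].ToUpperInvariant()] = $Matches[2]
        }
    }
    return $table
}

function Compare-Log4jFindings {
    # One row per discovered file: hash verdict and version verdict side by side.
    param([string[]]$ScriptOutputs, [hashtable]$ReferenceHashes)
    foreach ($json in $ScriptOutputs) {
        foreach ($file in ($json | ConvertFrom-Json)) {
            $knownAs = $ReferenceHashes[([string]$file.SHA256).ToUpperInvariant()]
            [pscustomobject]@{
                ComputerName      = $file.ComputerName
                Path              = $file.Path
                Version           = $file.Version
                HashMatch         = [bool]$knownAs
                KnownAs           = $knownAs
                VersionVulnerable = Test-Log4jCoreVersionVulnerable -Version $file.Version
            }
        }
    }
}

# Constructed reference list; the digests are placeholders, not real log4j-core hashes.
$referenceText = @'
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  log4j-core-2.14.1.jar
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  log4j-core-2.11.2.jar
'@

# Constructed script outputs standing in for the output text held in $log4.
# SRV01 carries a known 2.14.1 build (hash matches); SRV02 carries a rebuilt 2.12.1 jar
# whose hash is unknown but whose version is still inside the vulnerable range.
$scriptOutputs = @(
    '[{"ComputerName":"SRV01","Path":"C:\\app\\lib\\log4j-core-2.14.1.jar","Version":"2.14.1","SHA256":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}]',
    '[{"ComputerName":"SRV02","Path":"D:\\tomcat\\lib\\log4j-core-2.12.1.jar","Version":"2.12.1","SHA256":"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"}]'
)

$reference = Import-ReferenceHashes -Text $referenceText
Compare-Log4jFindings -ScriptOutputs $scriptOutputs -ReferenceHashes $reference |
    Format-Table -AutoSize
```

The point of keeping both columns is triage: HashMatch tells you exactly which published build you are looking at, VersionVulnerable tells you whether a file you cannot match by hash still falls in the affected range, and a $null version verdict marks files whose manifest gave no parseable version and therefore need a manual look. Later advisories raised the recommended log4j version beyond 2.15.0, so treat the version check as a minimum bar for CVE-2021-44228 only, not as proof that a file is fully up to date.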
The above code snippets can be found here: https://gist.github.com/alexverboon/13a5defd8ebfac491ab9313491d995a4
If you have a match, the output looks like the following:
I hope you enjoyed this blog post, have a great day and good luck with identifying vulnerable devices.
Credits / References