Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tobias_Moritz
Advisor

CVE-2021-44228 - Log4j vulnerability - Log4Shell

Jump to solution

Hello CheckMates,

I guess most of you have already seen the fresh CVE-2021-44228 - Log4j vulnerability - Log4Shell and thought about the impact it will have in the enterprise application landscape.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://www.lunasec.io/docs/blog/log4j-zero-day/

Maybe we can use this thread to get a first statement from Check Point regarding their products (and later links to SKs) as well as discuss (probably IPS) mitigations.

52 Replies
Gaurav_Pandya
Advisor

One more thing.

Checkpoint Harmony protects below stuff which is related to log4j? 

  • Trojan:Win32/Capfetox.AA – detects attempted exploitation on the attacker machine
  • Trojan:Win64/DisguiseXMRigMiner – detection for coin mining post exploitation payloads
  • HackTool:Win32/Capfetox.A!dha – detects attempted exploitation on the attacker machine
  • VirTool:Win64/CobaltSrike.A, TrojanDropper:PowerShell/Cobacis.A – detects Cobalt Strike Beacon loaders

 

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for...

 

0 Kudos
David_Charnon
Advisor

I just listed to SANS podcast on the exploit, they mentioned that client apps could also be vulnerable. Has Check Point confirmed that SmartConsole or CPUSE are not vulnerable?

0 Kudos
PhoneBoy
Admin
Admin

When we say "Security Gateway" and "Security Management" are not affected, things like this are included.

0 Kudos
_Val_
Admin
Admin

Hi @David_Charnon, I understand the concerns, but this question was asked and answered here multiple times👆🏻

0 Kudos
abihsot__
Advisor

Hi,

I understand the frustration, but those questions are coming because description is very generic. For example although "security gateway" is listed, would that include Mobile Access blade too?

 

0 Kudos
_Val_
Admin
Admin

As @PhoneBoy said above, 

"When we say "Security Gateway" and "Security Management" are not affected, things like this are included."

In simple terms, none of our products is using the affected library.

Also, here is another quote from the same sk176865: 

"The Check Point Infinity architecture is protected against this threat. We verified that this vulnerability does not affect our Infinity portfolio (including Quantum Gateways, SMART Management, Harmony Endpoint, Harmony Mobile, SMB, ThreatCloud and CloudGuard)."

0 Kudos
Tobias_Moritz
Advisor

I understand that many people are nervous now, as this is a serious threat (thats why I created this CheckMates thread on friday to have a space to discuss it).
Check Point told us multiple times, that they are unaffected with their product family and now Val shared the fact, that it is because they are not using the affected library.

I just did a fast check on a R80.40 SMS and can confirm that while a log4j-core-2.12.0.jar is laying there under /opt/CPuepm-R80.40/engine/lib/, it does not seem to be loaded.

Because I was pretty sure, that CP is using log4j in their products, I checked the loaded java processes. And there I could see, that they are using log4j 1.2.

This means they are right, that they are not affected by CVE-2021-44228, because this exploit does not work in log4j 1.2 without JMSAppender beeing used (and it does not look like it is).

However, log4j 1.2 is end of life since 2015 which means that there might be other risks.

As with other older software, Check Point uses inside of their products and which is not patched anymore by their original maintainers, we have to hope that Check Point R&D patches it themself or take other precausions, that security issues cannot be exploited.

Generally, I (and I think some other Check Mates would agree with me) would like it, if nobody uses software in their products, which is end of life by their maintainers. But we all know how the enterprise software industry works, right? This is not a Check Point only problem.

Details:

Click to Expand
[Expert@SMS-Example:0]# find / -name "log4j-core*.jar"
/opt/CPuepm-R80.40/engine/lib/log4j-core-2.12.0.jar

[Expert@SMS-Example:0]# ps -edalf | grep java
4 S admin 2595 1 0 80 0 - 1873700 futex_ Sep25 ? 01:10:22 /opt/CPshrd-R80.40/jre_64/bin/java -Xmx4096m -Xms128m -Xshar
4 S admin 7864 7767 0 80 0 - 1103890 futex_ Sep25 ? 09:49:53 /opt/CPshrd-R80.40/jre_64/bin/java -D_vSEC=TRUE -Xdump:direc
4 S admin 8195 7627 38 99 19 - 32722230 futex_ Sep25 ? 30-09:06:35 /opt/CPshrd-R80.40/jre_64/bin/java -D_solr=TRUE -Xdump:di
4 S admin 8213 7627 0 99 19 - 1190465 futex_ Sep25 ? 02:42:13 /opt/CPshrd-R80.40/jre_64/bin/java -D_RFL=TRUE -Xdump:direct
4 S admin 8238 7627 0 80 0 - 1464978 futex_ Sep25 ? 19:07:38 /opt/CPshrd-R80.40/jre_64/bin/java -D_smartview=TRUE -Xdump:
4 S admin 8724 7627 0 80 0 - 772185 futex_ Sep25 ? 00:00:41 /opt/CPshrd-R80.40/jre_64/bin/java -D_RepositoryManager=TRUE
4 S admin 12335 11940 0 80 0 - 662 pipe_w 10:52 pts/2 00:00:00 grep --color=auto java
4 S admin 14275 7627 2 80 0 - 3095046 futex_ Sep25 ? 1-21:49:08 /opt/CPshrd-R80.40/jre_64/bin/java -D_CPM=TRUE -Xaot:force
4 S admin 17841 1 0 80 0 - 1671 do_wai Oct06 ? 00:00:00 /bin/su -s /bin/sh -c /opt/CPshrd-R80.40/jre_64/bin/java -Dj
4 S cp_exte+ 17843 17841 0 80 0 - 856129 futex_ Oct06 ? 01:07:57 /opt/CPshrd-R80.40/jre_64/bin/java -Djava.io.tmpdir=/opt/CPs
4 S admin 20666 14275 2 80 0 - 2099273 futex_ Sep25 ? 1-18:42:12 /opt/CPshrd-R80.40/jre_64/bin/java -D_CPM_SOLR=TRUE -Xmx40

[Expert@SMS-Example:0]# cat /proc/2595/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-Xmx4096m-Xms128m-Xshareclasses:none-Dfile.encoding=UTF-8-Djetty.home=/opt/CPshrd-R80.40/jetty-Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/tmp-Djetty.state=/opt/CPsuite-R80.40/fw1/api/conf/jetty.state-DSTOP.PORT=8078-DSTOP.KEY=checkpointkey-Dlog4j.configuration=file:/opt/CPsuite-R80.40/fw1/api/conf/log4j.properties-Dtdlog.logDir=/opt/CPsuite-R80.40/fw1/log-Dtdlog.web_api.logFile=api.elg-Dtdlog.output.appender=elgfile-Dtdlog.web_api.csvFile=api.csv-Dtdlog.output.csv.appender=csvfile-Djetty.host=0.0.0.0-Dpath=/opt/CPsuite-R80.40/fw1/api/lib/web_api_jetty.jar:-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:system:none-Xdump:system:events=gpf+abort+traceassert+corruptcache-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh WEB_API %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=2,range=1..0,exec=javaCompress.sh WEB_API %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,priority=1,exec=kill -9 %pid-jar/opt/CPshrd-R80.40/jetty/start.jarOPTIONS=Server/opt/CPsuite-R80.40/fw1/api/conf/jetty.xml

[Expert@SMS-Example:0]# cat /proc/7864/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_vSEC=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh vSEC %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh vSEC %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-Dcpdiag=mainClass-Xmx1024m-Dfwdir=/opt/CPsuite-R80.40/fw1-Dlog4j.configuration=file:///opt/CPvsec-R80.40/lib/log4j.properties-cp/opt/CPvsec-R80.40/lib/*:/opt/CPsuite-R80.40/fw1/cpm-server/*:/opt/CPsuite-R80.40/fw1/VE/bin/*com.checkpoint.datacenter.Main127.0.0.1

[Expert@SMS-Example:0]# cat /proc/8195/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_solr=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh solr %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh solr %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-Xmx29420m-Xms256m-Dcp.ssl.tls.version=1-Dorg.terracotta.quartz.skipUpdateCheck=true-Xdump:system:none-Dlog4j.configuration=file:/opt/CPrt-R80.40/conf/solr.log4j.properties-Dpath=/opt/CPrt-R80.40/jars/aspectjrt-1.7.0.jar:/opt/CPrt-R80.40/jars/commons-io-2.3.jar:/opt/CPrt-R80.40/jars/commons-lang-2.6.jar:/opt/CPrt-R80.40/jars/cxf-core-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-java2ws-plugin-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-bindings-soap-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-bindings-xml-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-databinding-aegis-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-databinding-jaxb-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-frontend-jaxws-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-frontend-simple-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-javascript-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-transports-http-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-transports-http-jetty-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-ws-addr-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-ws-policy-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-wsdl-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-common-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-java2ws-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-validator-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-core-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-databinding-jaxb-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-frontend-jaxws-3.1.0.jar:/opt/CPrt-R80.40/jars/java_is.jar:/opt/CPrt-R80.40/jars/java_sic.jar:/opt/CPrt-R80.40/jars/jaxb-xjc-2.2.11.jar:/opt/CPrt-R80.40/jars/jetty_assist.jar:/opt/CPrt-R80.40/jars/stax2-api-3.1.4.jar:/opt/CPrt-R80.40/jars/woodstox-core-asl-4.4.1.jar:/opt/CPrt-R80.40/jars/wsdl4j-1.6.3.jar:/opt/CPrt-R80.40/jars/xmlschema-core-2.2.1.jar:/opt/CPsuite-R80.40/fw1/cpm-server/jackson-annotations-2.5.0.jar:/opt/CPsuite-R80.40/fw1/cpm-server/jackson-core-2.5.0.jar:/opt/CPsuite-R80.40/fw1/cpm-server/jackson-databind-2.5.0.jar:-Dsolr.log=/opt/CPrt-R80.40/log/solr.log-DSTOP.PORT=7210-DSTOP.KEY=log_infra-jarstart.jar/opt/CPrt-R80.40/conf/jetty.xml

[Expert@SMS-Example:0]# cat /proc/8213/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_RFL=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh RFL %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh RFL %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-Xmx1024m-Xms96m-Dcp.ssl.tls.version=1-Dorg.terracotta.quartz.skipUpdateCheck=true-Dupgrade.cores.count=-Dfile.encoding=UTF-8-DreportingServer.conf.dir=/opt/CPrt-R80.40/conf-Dlog4j.configuration=file:/opt/CPrt-R80.40/conf/rfl.log4j.properties-DReportingServer.log=/opt/CPrt-R80.40/log-cp/opt/CPrt-R80.40/jars/*com.checkpoint.core.LogCore-typejms

[Expert@SMS-Example:0]# cat /proc/8238/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_smartview=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh smartview %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh smartview %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-Xmx2048m-Xms512m-Djava.io.tmpdir=/opt/CPrt-R80.40/tmp-Dfile.encoding=UTF-8-DDedicatedServer=false-DIsMLM=false-DTaskExecThreads=4-Dlog4j.configuration=file:/opt/CPrt-R80.40/conf/smartview.log4j.properties-Dorg.terracotta.quartz.skipUpdateCheck=true-DRTDIR=/opt/CPrt-R80.40-Dpath=/opt/CPrt-R80.40/jars/aspectjrt-1.7.0.jar:/opt/CPrt-R80.40/jars/commons-io-2.3.jar:/opt/CPrt-R80.40/jars/commons-lang-2.6.jar:/opt/CPrt-R80.40/jars/cxf-core-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-java2ws-plugin-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-bindings-soap-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-bindings-xml-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-databinding-aegis-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-databinding-jaxb-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-frontend-jaxws-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-frontend-simple-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-javascript-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-transports-http-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-transports-http-jetty-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-ws-addr-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-ws-policy-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-rt-wsdl-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-common-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-java2ws-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-validator-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-core-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-databinding-jaxb-3.1.0.jar:/opt/CPrt-R80.40/jars/cxf-tools-wsdlto-frontend-jaxws-3.1.0.jar:/opt/CPrt-R80.40/jars/java_is.jar:/opt/CPrt-R80.40/jars/java_sic.jar:/opt/CPrt-R80.40/jars/jaxb-api-2.2.7.jar:/opt/CPrt-R80.40/jars/jaxb-core-2.2.7.jar:/opt/CPrt-R80.40/jars/jaxb-impl-2.2.7.jar:/opt/CPrt-R80.40/jars/jaxb-xjc-2.2.11.jar:/opt/CPrt-R80.40/jars/neethi-3.0.3.jar:/opt/CPrt-R80.40/jars/rfl_sic.jar:/opt/CPrt-R80.40/jars/smartview-jetty.jar:/opt/CPrt-R80.40/jars/woodstox-core-asl-4.4.1.jar:/opt/CPrt-R80.40/jars/wsdl4j-1.6.3.jar:/opt/CPrt-R80.40/jars/xmlschema-core-2.2.1.jar:-DSTOP.PORT=8079-DSTOP.KEY=smartview-jarstart.jarOPTIONS=Server,resources,websocket/opt/CPrt-R80.40/conf/smartview-jetty.xml/opt/CPrt-R80.40/conf/smartview-service-jetty.xml

[Expert@SMS-Example:0]# cat /proc/8724/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_RepositoryManager=TRUE-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh RepositoryManager %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh RepositoryManager %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,exec=kill -9 %pid-Xaggressive-Xshareclasses:none-Xgc:scvTenureAge=1,noAdaptiveTenure-jarRepositoryManager.jar

[Expert@SMS-Example:0]# cat /proc/14275/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_CPM=TRUE-Xaot:forceaot-Xmx8192m-Xms192m-Xgcpolicy:optavgpause-Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/tmp-Xaggressive-Xshareclasses:none-Djava.security.krb5.conf=/opt/CPsuite-R80.40/fw1/conf/krb5.conf-Xjit:exclude={java/lang/invoke/MutableCallSiteDynamicInvokerHandle.invokeExact_thunkArchetype_X*},exclude={java/lang/invoke/GuardWithTestHandle.invokeExact_thunkArchetype_X*},exclude={java/lang/invoke/*.invokeExact_thunkArchetype_X*},exclude={com/checkpoint/management/dleserver/coresvc/internal/SchemaMgrSvcImpl.getClassInfo*},exclude={com/checkpoint/management/object_store/ObjectStoreSessionImpl.findFieldsBySearchQueryEx*}-Xdump:directory=/var/log/dump/usermode-Xdump:heap:events=gpf+user-Xdump:tool:none-Xdump:tool:events=user,priority=1,range=1..0,exec=javaCompress.sh CPMUSER %pid-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh CPM %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh CPM %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,priority=1,exec=kill -9 %pid-Dfile.encoding=UTF-8-cp/opt/CPshrd-R80.40/jars/solr-solrj-v4_8_1.jar:*com.checkpoint.management.cpm.Cpm-s

[Expert@SMS-Example:0]# cat /proc/17841/cmdline
/bin/su-s/bin/sh-c/opt/CPshrd-R80.40/jre_64/bin/java -Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/cpextensions/tmp -Dfile.encoding=UTF-8 -Djetty.state=/opt/CPsuite-R80.40/fw1/cpextensions/log/jetty.state -DSTOP.PORT=8087 -DSTOP.KEY=cpextensions_key -Dlog4j.configuration=file:/opt/CPsuite-R80.40/fw1/cpextensions/conf/cpextensions.log4j.properties -DCPEXTENSIONS_WITHIN_MANAGEMENT_SERVER=1 -DRULE_ASSISTANT_CONF_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/conf -DWORKFLOW_CONF_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/conf -DRULE_ASSISTANT_LOG_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/log -DCP_EXTENSIONS_LOG_FILE=/opt/CPsuite-R80.40/fw1/cpextensions/log/cpextensions.elg -jar start.jar OPTIONS=Server,resources /opt/CPsuite-R80.40/fw1/cpextensions/conf/cpextensions-jetty-config.xmlcp_extensions

[Expert@SMS-Example:0]# cat /proc/17843/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/cpextensions/tmp-Dfile.encoding=UTF-8-Djetty.state=/opt/CPsuite-R80.40/fw1/cpextensions/log/jetty.state-DSTOP.PORT=8087-DSTOP.KEY=cpextensions_key-Dlog4j.configuration=file:/opt/CPsuite-R80.40/fw1/cpextensions/conf/cpextensions.log4j.properties-DCPEXTENSIONS_WITHIN_MANAGEMENT_SERVER=1-DRULE_ASSISTANT_CONF_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/conf-DWORKFLOW_CONF_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/conf-DRULE_ASSISTANT_LOG_PATH=/opt/CPsuite-R80.40/fw1/cpextensions/log-DCP_EXTENSIONS_LOG_FILE=/opt/CPsuite-R80.40/fw1/cpextensions/log/cpextensions.elg-jarstart.jarOPTIONS=Server,resources/opt/CPsuite-R80.40/fw1/cpextensions/conf/cpextensions-jetty-config.xml

[Expert@SMS-Example:0]# cat /proc/20666/cmdline
/opt/CPshrd-R80.40/jre_64/bin/java-D_CPM_SOLR=TRUE-Xmx4096m-Xms64m-Xgcpolicy:optavgpause-Djava.io.tmpdir=/opt/CPsuite-R80.40/fw1/tmp-Xaggressive-Xshareclasses:none-Xdump:heap:events=gpf+user-Xdump:directory=/var/log/dump/usermode-Xdump:tool:none-Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh CPM_SOLR %pid-Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh CPM_SOLR %pid-Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,priority=1,exec=kill -9 %pid-Dsolr.solr.home=/opt/CPsuite-R80.40/fw1/Solr/solr/-DNGM.SOLR.LOG.DIR=/opt/CPsuite-R80.40/fw1/log-Djava.util.logging.config.file=/opt/CPsuite-R80.40/fw1/Solr/etc/logging.properties-DSTART=/opt/CPsuite-R80.40/fw1/Solr/start.config-Djetty.home=/opt/CPsuite-R80.40/fw1/Solr/-DSTOP.KEY=checkpointkey-DSTOP.PORT=8982-Dpath=/opt/CPsuite-R80.40/fw1/cpm-server/java_is.jar:/opt/CPsuite-R80.40/fw1/cpm-server/java_sic.jar:/opt/CPshrd-R80.40/jars/jetty_assist.jar-jar/opt/CPsuite-R80.40/fw1/Solr/start.jar

[Expert@SMS-Example:0]#

[Expert@SMS-Example:0]# ls -l /proc/2595/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 14 10:52 92 -> /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 14 10:52 94 -> /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar

[Expert@SMS-Example:0]# ps -edalf | grep java
4 S admin 2595 1 0 80 0 - 1873700 futex_ Sep25 ? 01:10:22 /opt/CPshrd-R80.40/jre_64/bin/java -Xmx4096m -Xms128m -Xshar
4 S admin 7864 7767 0 80 0 - 1103890 futex_ Sep25 ? 09:49:56 /opt/CPshrd-R80.40/jre_64/bin/java -D_vSEC=TRUE -Xdump:direc
4 S admin 8195 7627 38 99 19 - 32746342 futex_ Sep25 ? 30-09:10:46 /opt/CPshrd-R80.40/jre_64/bin/java -D_solr=TRUE -Xdump:di
4 S admin 8213 7627 0 99 19 - 1190465 futex_ Sep25 ? 02:42:14 /opt/CPshrd-R80.40/jre_64/bin/java -D_RFL=TRUE -Xdump:direct
4 S admin 8238 7627 0 80 0 - 1464978 futex_ Sep25 ? 19:07:42 /opt/CPshrd-R80.40/jre_64/bin/java -D_smartview=TRUE -Xdump:
4 S admin 8724 7627 0 80 0 - 772185 futex_ Sep25 ? 00:00:41 /opt/CPshrd-R80.40/jre_64/bin/java -D_RepositoryManager=TRUE
4 S admin 14275 7627 2 80 0 - 3095046 futex_ Sep25 ? 1-21:49:28 /opt/CPshrd-R80.40/jre_64/bin/java -D_CPM=TRUE -Xaot:force
4 S admin 15413 11940 0 80 0 - 662 pipe_w 11:01 pts/2 00:00:00 grep --color=auto java
4 S admin 17841 1 0 80 0 - 1671 do_wai Oct06 ? 00:00:00 /bin/su -s /bin/sh -c /opt/CPshrd-R80.40/jre_64/bin/java -Dj
4 S cp_exte+ 17843 17841 0 80 0 - 856129 futex_ Oct06 ? 01:07:57 /opt/CPshrd-R80.40/jre_64/bin/java -Djava.io.tmpdir=/opt/CPs
4 S admin 20666 14275 2 80 0 - 2099284 futex_ Sep25 ? 1-18:42:30 /opt/CPshrd-R80.40/jre_64/bin/java -D_CPM_SOLR=TRUE -Xmx40

[Expert@SMS-Example:0]# ls -l /proc/7864/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 13 23:30 194 -> /opt/CPsuite-R80.40/fw1/cpm-server/slf4j-log4j12-1.6.1.jar
lr-x------. 1 admin root 64 Dec 13 23:30 254 -> /opt/CPsuite-R80.40/fw1/cpm-server/log4j-1.2.15.jar

[Expert@SMS-Example:0]# ls -l /proc/8195/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 13 23:30 125 -> /opt/CPrt-R80.40/jars/slf4j-log4j12-1.6.1.jar
lr-x------. 1 admin root 64 Dec 13 23:30 214 -> /opt/CPrt-R80.40/jars/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 13 23:30 234 -> /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 13 23:30 236 -> /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
lr-x------. 1 admin root 64 Dec 13 23:30 273 -> /opt/CPrt-R80.40/tmp/solr-webapp/webapp/WEB-INF/lib/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 13 23:30 647 -> /opt/CPrt-R80.40/tmp/log_indexer_proxy-webapp/webapp/WEB-INF/lib/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 13 23:30 651 -> /opt/CPrt-R80.40/tmp/log_indexer_proxy-webapp/webapp/WEB-INF/lib/slf4j-log4j12-1.6.1.jar

[Expert@SMS-Example:0]# ls -l /proc/8213/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 14 10:52 167 -> /opt/CPrt-R80.40/jars/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 13 23:30 70 -> /opt/CPrt-R80.40/jars/slf4j-log4j12-1.6.1.jar

[Expert@SMS-Example:0]# ls -l /proc/8238/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 14 10:52 135 -> /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 14 10:52 137 -> /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
lr-x------. 1 admin root 64 Dec 14 10:52 231 -> /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8082-smartview.war-_smartview-any-/webapp/WEB-INF/lib/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 14 10:52 242 -> /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8082-smartview.war-_smartview-any-/webapp/WEB-INF/lib/slf4j-log4j12-1.7.6.jar
lr-x------. 1 admin root 64 Dec 13 23:30 361 -> /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8084-smartview-service.war-_smartview-any-/webapp/WEB-INF/lib/log4j-1.2.15.jar
lr-x------. 1 admin root 64 Dec 13 23:30 370 -> /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8084-smartview-service.war-_smartview-any-/webapp/WEB-INF/lib/slf4j-log4j12-1.6.1.jar

[Expert@SMS-Example:0]# ls -l /proc/8724/fd/ | grep log4j

[Expert@SMS-Example:0]# ls -l /proc/14275/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 13 23:30 183 -> /opt/CPsuite-R80.40/fw1/cpm-server/slf4j-log4j12-1.6.1.jar
lr-x------. 1 admin root 64 Dec 13 23:30 243 -> /opt/CPsuite-R80.40/fw1/cpm-server/log4j-1.2.15.jar

[Expert@SMS-Example:0]# ls -l /proc/17841/fd/ | grep log4j

[Expert@SMS-Example:0]# ls -l /proc/17843/fd/ | grep log4j
lr-x------. 1 cp_extensions bin 64 Dec 14 10:52 90 -> /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
lr-x------. 1 cp_extensions bin 64 Dec 14 10:52 92 -> /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar

[Expert@SMS-Example:0]# ls -l /proc/20666/fd/ | grep log4j
lr-x------. 1 admin root 64 Dec 14 10:52 129 -> /opt/CPsuite-R80.40/fw1/Solr/solr-webapp/webapp/WEB-INF/lib/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 14 10:52 81 -> /opt/CPsuite-R80.40/fw1/Solr/lib/ext/log4j-1.2.16.jar
lr-x------. 1 admin root 64 Dec 14 10:52 83 -> /opt/CPsuite-R80.40/fw1/Solr/lib/ext/slf4j-log4j12-1.7.6.jar

[Expert@SMS-Example:0]# lsof | grep log4j
java 2595 admin 92r REG 253,0 481535 117574685 /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
java 2595 admin 94r REG 253,0 9711 117574687 /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
java 7864 admin 194r REG 253,0 9753 295479 /opt/CPsuite-R80.40/fw1/cpm-server/slf4j-log4j12-1.6.1.jar
java 7864 admin 254r REG 253,0 391834 295473 /opt/CPsuite-R80.40/fw1/cpm-server/log4j-1.2.15.jar
java 8195 admin 125r REG 253,0 9753 168344187 /opt/CPrt-R80.40/jars/slf4j-log4j12-1.6.1.jar
java 8195 admin 214r REG 253,0 391834 168344157 /opt/CPrt-R80.40/jars/log4j-1.2.15.jar
java 8195 admin 234r REG 253,0 481535 117574685 /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
java 8195 admin 236r REG 253,0 9711 117574687 /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
java 8195 admin 273r REG 253,0 481535 33579560 /opt/CPrt-R80.40/tmp/solr-webapp/webapp/WEB-INF/lib/log4j-1.2.16.jar
java 8195 admin 647r REG 253,0 396624 34167338 /opt/CPrt-R80.40/tmp/log_indexer_proxy-webapp/webapp/WEB-INF/lib/log4j-1.2.15.jar
java 8195 admin 651r REG 253,0 10023 34167342 /opt/CPrt-R80.40/tmp/log_indexer_proxy-webapp/webapp/WEB-INF/lib/slf4j-log4j12-1.6.1.jar
java 8213 admin 70r REG 253,0 9753 168344187 /opt/CPrt-R80.40/jars/slf4j-log4j12-1.6.1.jar
java 8213 admin 167r REG 253,0 391834 168344157 /opt/CPrt-R80.40/jars/log4j-1.2.15.jar
java 8238 admin 135r REG 253,0 481535 117574685 /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
java 8238 admin 137r REG 253,0 9711 117574687 /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
java 8238 admin 231r REG 253,0 396624 67270368 /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8082-smartview.war-_smartview-any-/webapp/WEB-INF/lib/log4j-1.2.15.jar
java 8238 admin 242r REG 253,0 9139 67270380 /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8082-smartview.war-_smartview-any-/webapp/WEB-INF/lib/slf4j-log4j12-1.7.6.jar
java 8238 admin 361r REG 253,0 396624 185026096 /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8084-smartview-service.war-_smartview-any-/webapp/WEB-INF/lib/log4j-1.2.15.jar
java 8238 admin 370r REG 253,0 10023 185026105 /opt/CPrt-R80.40/tmp/jetty-127.0.0.1-8084-smartview-service.war-_smartview-any-/webapp/WEB-INF/lib/slf4j-log4j12-1.6.1.jar
java 14275 admin 183r REG 253,0 9753 295479 /opt/CPsuite-R80.40/fw1/cpm-server/slf4j-log4j12-1.6.1.jar
java 14275 admin 243r REG 253,0 391834 295473 /opt/CPsuite-R80.40/fw1/cpm-server/log4j-1.2.15.jar
java 17843 cp_extensions 90r REG 253,0 481535 117574685 /opt/CPshrd-R80.40/jetty/lib/ext/log4j-1.2.16.jar
java 17843 cp_extensions 92r REG 253,0 9711 117574687 /opt/CPshrd-R80.40/jetty/lib/ext/slf4j-log4j12-1.6.6.jar
java 20666 admin 81r REG 253,0 481535 201367044 /opt/CPsuite-R80.40/fw1/Solr/lib/ext/log4j-1.2.16.jar
java 20666 admin 83r REG 253,0 8869 201367046 /opt/CPsuite-R80.40/fw1/Solr/lib/ext/slf4j-log4j12-1.7.6.jar
java 20666 admin 129r REG 253,0 481535 134561293 /opt/CPsuite-R80.40/fw1/Solr/solr-webapp/webapp/WEB-INF/lib/log4j-1.2.16.jar

[Expert@SMS-Example:0]# lsof | grep log4j-core-2.12.0.jar
_Val_
Admin
Admin

Appreciate thoroughness here, @Tobias_Moritz.

For the matter of non-supported Open Source libraries, Check Point is responsible for maintaining and securing the whole set of products, those libraries included.

I can also assure you, there is a very serious effort put into security reviews, and although not without flaws, we do make extraordinary efforts to fix any security issues found.

0 Kudos
APT_Protection
Explorer

Hi,

thanks Tobias for your analysis! I wanted to ask a similar question...

For me it also looks like that the JMSAppender.class isn't configured any special.

@_Val_Could you give or will Checkpoint give a official statement regarding CVE-2021-4104?

https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx

br

Ronny

0 Kudos
_Val_
Admin
Admin

@APT_Protection I am still checking with the relevant teams, but my best guess is, not vulnerable either. That said, once I have full official report, I will share. 

0 Kudos
_Val_
Admin
Admin

@APT_Protection and all, thanks for your patience. The official answer is, none of our products are vulnerable for CVE-2021-4104. 

0 Kudos
Peggy_Lee
Participant

Hi 

While Check Point is not vulnerable, may I ask if Check Point is going to release a signature for it?   If so, is there ETA?   

Thanks. 

0 Kudos
PhoneBoy
Admin
Admin

It's not clear from the CVE that this can be exploited remotely over the network, thus IPS wouldn't necessarily apply.

0 Kudos
Peggy_Lee
Participant

Thank you for the reply.   May I ask if there is any info and signature available for CVE-2021-45105 ?   Thanks

0 Kudos
_Val_
Admin
Admin

Without a known exploit it is not easy to get a signature. We are looking into this.

0 Kudos
Axel_Engeland
Participant

Harmony Endpoint Management is using the 2.12. libraries though.

Harmony Endpoint also needs connectivity for the clients, so depending on your setup it may be accessible from the internet.

[Expert@SMS:0]# pgrep java | xargs -n 1 lsof -p | grep log4j.*2.12.*
java nnnn cpep_user 68r REG 253,2 64752 67212955 /opt/CPuepm-R81.10/engine/lib/log4j-1.2-api-2.12.0.jar
java nnnn cpep_user 69r REG 253,2 273454 67212956 /opt/CPuepm-R81.10/engine/lib/log4j-api-2.12.0.jar
java nnnn cpep_user 70r REG 253,2 1667294 67212957 /opt/CPuepm-R81.10/engine/lib/log4j-core-2.12.0.jar
java nnnn cpep_user 71r REG 253,2 12653 67212958 /opt/CPuepm-R81.10/engine/lib/log4j-jcl-2.12.0.jar

 

_Val_
Admin
Admin

@Axel_Engeland  Same as other management products, not vulnerable.

And yes, I double-checked this with R&D. We use IBM version of Java, which is not vulnerable.

Martin_Seeger
Collaborator

There is an updated version of the exploit available that is supposed to work with ANY version of Java:

Márcio Almeida on Twitter: "Just added support to LDAP Serialized Payloads in the JNDI-Exploit-Kit. ...

IBM Java is not explicitly mentioned there, but in communication inside our task force with the we recommend against assuming protection due to the Java version.

_Val_
Admin
Admin

I do not believe it is relevant. See above (quoting myself): "In simple terms, none of our products is using the affected library."

0 Kudos
K_montalvo
Advisor
0 Kudos
Kevin_Orrison
Collaborator

Just curious. Has anyone made a SmartEvent view yet to easier parse through logs?

0 Kudos
Matt_Ricketts
Employee
Employee

The built in Threat Prevention view will show this within the top protections, assuming there are enough hits to make it to the list. Alternative, you could add "log4j" to your query search.

 

0 Kudos
Kevin_Orrison
Collaborator

Yes, this is basically what I have been doing. I was more asking about a view that might include things like IoCs.

0 Kudos
(1)