{"id":775,"date":"2021-12-17T17:21:03","date_gmt":"2021-12-17T17:21:03","guid":{"rendered":"https:\/\/sites.rutgers.edu\/soc\/?page_id=775"},"modified":"2021-12-22T21:44:55","modified_gmt":"2021-12-22T21:44:55","slug":"log4j-windows-script","status":"publish","type":"page","link":"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/","title":{"rendered":"Log4j: Windows Script"},"content":{"rendered":"
Windows: search for log4j*.jar and check implementation version <\/strong>(run as administrator on each windows machine (poSH v5.1))<\/h5>\n

Please note:\u00a0 This is intended as a quick search for traditionally installed software.\u00a0 It will not always find the issue in commercial software or where people have changed names of files.
\n
\n$File = 'D:\\ServerList\\EMweb_jar.txt'
\n$StartTime = (Get-Date).ToString(\"yyyyMMdd-HHmmss\")
\n$JarFilter = 'log4j*.jar'
\n$Transcript = \"C:\\Users\\Public\\Downloads\\Transcript$StartTime.txt\"
\nStart-Transcript -Path $Transcript
\n$ResultLocationSafe = \"C:\\Users\\Public\\Downloads\\Log4jScanSafe$StartTime.txt\"
\n$ResultLocationCheck = \"C:\\Users\\Public\\Downloads\\Log4jScanCheck$StartTime.txt\"
\n$Servers = Get-Content $File
\nWrite-Host $Servers -ForegroundColor Cyan
\nForEach ($Server in $Servers) {$Session = New-PSSession -ComputerName $Server
\n$ReturnRemoteJarList = Invoke-Command -Session $Session {Write-Host \"Searching $using:Server, $env:COMPUTERNAME\" -ForegroundColor Green
\n$HDs= (Get-WmiObject -Class Win32_logicaldisk -Filter \"DriveType = '3'\").DeviceID
\n[System.Reflection.Assembly]::LoadWithPartialName('System.IO.Compression.FileSystem')
\nWrite-Host \"Hard drive\/s to search through- $HDS\" -ForegroundColor Yellow
\nForEach ($HD in $HDs) {$TimeStamp = (Get-Date).ToString(\"yyyyMMdd-HHmmssmmm\")
\nWrite-Host \"Searching $HD drive, $TimeStamp\" -ForegroundColor Yellow
\n$JarFiles= Get-ChildItem -Path \"$HD\\\" -Filter $using:JarFilter -Recurse -ErrorAction SilentlyContinue -Force | %{$_.FullName}
\nForEach ($JarFile in $JarFiles) {$TempFolder = \"$env:TEMP\\$TimeStamp\"
\n[System.IO.Compression.ZipFile]::ExtractToDirectory(\"$JarFile\", \"$TempFolder\")
\n$JarVersion = (Select-String -Path \"$TempFolder\\META-INF\\MANIFEST.MF\" -Pattern \"Implementation-Version\") -replace '(?s)^.*Implementation-Version: ', ''
\nRemove-Item -Recurse -Force $TempFolder
\nif ($JarVersion -ge 2) {Write-Host \"$env:COMPUTERNAME, $JarFile, $JarVersion\" -ForegroundColor Red
\necho \"$env:COMPUTERNAME, $JarFile, $JarVersion\" >> $using:ResultLocationCheck}
\nelse {Write-Host \"$env:COMPUTERNAME, $JarFile, $JarVersion\" -ForegroundColor White
\necho \"$env:COMPUTERNAME, $JarFile, $JarVersion\" >> $using:ResultLocationSafe} } }
\nif (Test-Path $using:ResultLocationCheck){Write-Host \"$env:COMPUTERNAME's result was sent to $using:ResultLocationCheck on $env:COMPUTERNAME\" -ForegroundColor Cyan}
\nelse {Write-Host \"$using:JarFilter version 2+ was not found on $env:COMPUTERNAME.\" -ForegroundColor Green}
\n$RemoteJarList = Get-Content $using:ResultLocationCheck -ErrorAction SilentlyContinue
\nReturn $RemoteJarList
\nRemove-PSSession $Session}
\necho $ReturnRemoteJarList >> $ResultLocationCheck}
\nif (Test-Path $ResultLocationCheck){Write-Host \"All the log4j v2+ results were sent to $ResultLocationCheck on $env:COMPUTERNAME\" -ForegroundColor Cyan}
\nelse {Write-Host \"$JarFilter version 2+ was not found on the computer\/s from the list at $File\" -ForegroundColor Green}
\nStop-Transcript
\nExit
\n<\/code><\/p>\n

Example output:<\/h5>\n

PS C:\\Users\\thn17-adm> cat D:\\ServerList\\EMweb_jar.txt
\n*****.rad.rutgers.edu
\n*****.rad.rutgers.edu
\n*****.rad.rutgers.edu<\/p>\n

PS C:\\Users\\thn17-adm> cat C:\\Users\\Public\\Downloads\\Log4jScanCheck20211218-185253.txt
\nGAC Version Location PSComputerName
\n— ——- ——– ————–
\nTrue v4.0.30319 C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.IO.Compression.FileSystem\\v4.0_4.0.0.0__b77a5c561934… em-web1-tst.rad.rutgers.edu
\nGAC Version Location PSComputerName
\n— ——- ——– ————–
\nTrue v4.0.30319 C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.IO.Compression.FileSystem\\v4.0_4.0.0.0__b77a5c561934… shp-cfapp-prd-asb.rad.rutgers.edu
\nSHP-CFAPP-PRD-A, C:\\ColdFusion2018\\cfusion\\hf-updates\\hf-2018-00012-328566\\backup\\lib\\log4j-api-2.9.0.jar, 2.9.0
\nSHP-CFAPP-PRD-A, C:\\ColdFusion2018\\cfusion\\hf-updates\\hf-2018-00012-328566\\backup\\lib\\log4j-core-2.9.0.jar, 2.9.0
\nSHP-CFAPP-PRD-A, C:\\ColdFusion2018\\cfusion\\hf-updates\\hf-2018-00012-328566\\backup\\lib\\log4j-to-slf4j-2.9.1.jar, 2.9.1
\nSHP-CFAPP-PRD-A, C:\\ColdFusion2018\\cfusion\\hf-updates\\hf-2018-00013-329786\\backup\\lib\\log4j-api-2.13.3.jar, 2.13.3
\nSHP-CFAPP-PRD-A, C:\\ColdFusion2018\\cfusion\\hf-updates\\hf-2018-00013-329786\\backup\\lib\\log4j-core-2.13.3.jar, 2.13.3
\nSHP-CFAPP-PRD-A, C:\\ColdFusion2018\\cfusion\\hf-updates\\hf-2018-00013-329786\\backup\\lib\\log4j-to-slf4j-2.13.3.jar, 2.13.3
\nSHP-CFAPP-PRD-A, C:\\ColdFusion2018\\cfusion\\lib\\log4j-api-2.16.0.jar, 2.16.0
\nSHP-CFAPP-PRD-A, C:\\ColdFusion2018\\cfusion\\lib\\log4j-core-2.16.0.jar, 2.16.0
\nSHP-CFAPP-PRD-A, C:\\ColdFusion2018\\cfusion\\lib\\log4j-to-slf4j-2.16.0.jar, 2.16.0
\nGAC Version Location PSComputerName
\n— ——- ——– ————–
\nTrue v4.0.30319 C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.IO.Compression.FileSystem\\v4.0_4.0.0.0__b77a5c561934… em-web2-tst.rad.rutgers.edu<\/p>\n","protected":false},"excerpt":{"rendered":"

Windows: search for log4j*.jar and check implementation version (run as administrator on each windows machine (poSH v5.1)) Please note:\u00a0 This is intended as a quick search for traditionally installed software.\u00a0 … Read More<\/a><\/p>\n","protected":false},"author":112,"featured_media":0,"parent":750,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-775","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"\nLog4j: Windows Script - Security Operations Center<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Log4j: Windows Script - Security Operations Center\" \/>\n<meta property=\"og:description\" content=\"Windows: search for log4j*.jar and check implementation version (run as administrator on each windows machine (poSH v5.1)) Please note:\u00a0 This is intended as a quick search for traditionally installed software.\u00a0 … Read More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Operations Center\" \/>\n<meta property=\"article:modified_time\" content=\"2021-12-22T21:44:55+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/\",\"url\":\"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/\",\"name\":\"Log4j: Windows Script - Security Operations Center\",\"isPartOf\":{\"@id\":\"https:\/\/sites.rutgers.edu\/soc-archive\/#website\"},\"datePublished\":\"2021-12-17T17:21:03+00:00\",\"dateModified\":\"2021-12-22T21:44:55+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/sites.rutgers.edu\/soc-archive\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Alert: Apache Log4J Utility Vulnerability\",\"item\":\"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Log4j: Windows Script\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sites.rutgers.edu\/soc-archive\/#website\",\"url\":\"https:\/\/sites.rutgers.edu\/soc-archive\/\",\"name\":\"Security Operations Center\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sites.rutgers.edu\/soc-archive\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Log4j: Windows Script - Security Operations Center","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/","og_locale":"en_US","og_type":"article","og_title":"Log4j: Windows Script - Security Operations Center","og_description":"Windows: search for log4j*.jar and check implementation version (run as administrator on each windows machine (poSH v5.1)) Please note:\u00a0 This is intended as a quick search for traditionally installed software.\u00a0 … Read More","og_url":"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/","og_site_name":"Security Operations Center","article_modified_time":"2021-12-22T21:44:55+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/","url":"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/","name":"Log4j: Windows Script - Security Operations Center","isPartOf":{"@id":"https:\/\/sites.rutgers.edu\/soc-archive\/#website"},"datePublished":"2021-12-17T17:21:03+00:00","dateModified":"2021-12-22T21:44:55+00:00","breadcrumb":{"@id":"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/log4j-windows-script\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sites.rutgers.edu\/soc-archive\/"},{"@type":"ListItem","position":2,"name":"Alert: Apache Log4J Utility Vulnerability","item":"https:\/\/sites.rutgers.edu\/soc-archive\/log4j-alert\/"},{"@type":"ListItem","position":3,"name":"Log4j: Windows Script"}]},{"@type":"WebSite","@id":"https:\/\/sites.rutgers.edu\/soc-archive\/#website","url":"https:\/\/sites.rutgers.edu\/soc-archive\/","name":"Security Operations Center","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sites.rutgers.edu\/soc-archive\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/sites.rutgers.edu\/soc-archive\/wp-json\/wp\/v2\/pages\/775"}],"collection":[{"href":"https:\/\/sites.rutgers.edu\/soc-archive\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sites.rutgers.edu\/soc-archive\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sites.rutgers.edu\/soc-archive\/wp-json\/wp\/v2\/users\/112"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.rutgers.edu\/soc-archive\/wp-json\/wp\/v2\/comments?post=775"}],"version-history":[{"count":17,"href":"https:\/\/sites.rutgers.edu\/soc-archive\/wp-json\/wp\/v2\/pages\/775\/revisions"}],"predecessor-version":[{"id":817,"href":"https:\/\/sites.rutgers.edu\/soc-archive\/wp-json\/wp\/v2\/pages\/775\/revisions\/817"}],"up":[{"embeddable":true,"href":"https:\/\/sites.rutgers.edu\/soc-archive\/wp-json\/wp\/v2\/pages\/750"}],"wp:attachment":[{"href":"https:\/\/sites.rutgers.edu\/soc-archive\/wp-json\/wp\/v2\/media?parent=775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}