Title
#kolide
maxwhite

maxwhite

12/13/2021, 6:39 PM
Hello! I was wondering, do you plan on detecting things such as the latest log4j CVE, for example? It could be done by querying java software/library versions, but it might be out of your scope...
s

seph

12/13/2021, 6:45 PM
To be honest, I'm not sure. Depends a lot on what people need. My impression is that the most critical targets, are servers. And generally speaking, we're focused on endpoints. So how meaningful is it to query the installed java version?
maxwhite

maxwhite

12/13/2021, 6:56 PM
Well I stumbled upon this article: https://www.uptycs.com/blog/remediating-log4j-using-osquery-a-quick-reference-guide-of-tables-and-actions and I am currently using Kolide to query such indicators just to be safe, so my question was more if that could be "built in". Regarding server vs. endpoint, I know and endpoint could be vulnerable if an older version of Minecraft were installed for example 👾 But I guess it is more a punctual need and you could not start tracking every software vulnerability out-there 🙂
s

seph

12/13/2021, 7:02 PM
Yes, I agree this one does seem like a pretty punctual need. I keep getting stuck on it feeling very far from something to detect on an endpoint. Looking at that link, most of the suggestions feel very oriented around detecting problems in your server fleet. Which feels valuable, yes, but not clearly applicable. (Also note much of that is looking for whether the feature is disabled, not whether the underlying process is vulnerable)
zwass

zwass

12/14/2021, 12:05 AM
We were discussing in https://osquery.slack.com/archives/C01DXJL16D8/p1639432009368300?thread_ts=1639196602.341300&cid=C01DXJL16D8 and I came up with a live query that could be helpful for detecting possible vulnerable processes.
s

seph

12/14/2021, 1:31 AM
I like Zach's query. Though I'll note that it's looking for running jars, and then scanning them with yara. I think it's much harder if you're looking for any jar on the filesystem.
1:31 AM
(Which is part of why I think this is hard to grapple with on an endpoint.)
zwass

zwass

12/14/2021, 1:40 AM
Yeah, scanning the whole system is going to be pretty rough.