Recently (Dec 9, 2021), a critical vulnerability in the widely used Apache Log4j logging library was found. This vulnerability can give an attacker full control of any impacted system. Please read here to know more about the vulnerability and here to know about VMware’s response.
While there are several efforts (such as patching and identifying the applications that use Log4j) in progress to mitigate the risk, in the interim it is critical to protect the data center from attackers. In this blog post, we will see how to find Log4j attackers using vRealize Network Insight.
Overview:
Using the crowdsourced list of attackers’ IPs, we will check whether there have been any attempts to connect to the data center from those addresses.
Requirements:
- vRealize Network Insight / Cloud (Flows enabled)
- vRealize Network Insight Python SDK
- Script by Martijn Smit – Download
Usage:
Here’s how to run the script against an on-premises vRealize Network Insight:
# export PYTHONPATH=/your/path/to/network-insight-sdk-python/swagger_client-py2.7.egg
# python3 vrni-log4j-flow-check.py --platform_ip yourvRNIPlatformIP --username yourUsername --password yourPassword
It’s also possible to run it against vRealize Network Insight Cloud with a Cloud Services Portal API token; check the help output to find the right parameters:
# python3 vrni-log4j-flow-check.py --help
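The core check described above, as an added example that is not Martijn Smit's script or the vRealize Network Insight SDK: it loads a blocklist (with CIDR support), matches flow records against it, and ranks the internal hosts involved. The blocklist entries, the flow tuples and the function names are constructed assumptions, and it goes slightly beyond the page by also flagging outbound flows to listed addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder blocklist (not a real feed), in the one-entry-per-line
# shape a crowdsourced attacker list usually has: one CIDR and two hosts.
ATTACKER_IOCS = """
# constructed entries
203.0.113.0/24
198.51.100.17
192.0.2.5
"""
# Constructed flows as (source IP, destination IP, destination port) tuples,
# standing in for flow records exported from vRealize Network Insight.
SAMPLE_FLOWS = [
    ("203.0.113.44", "10.0.1.10", 8080),   # source inside the blocklisted range
    ("10.0.1.20", "10.0.1.10", 8080),      # internal, benign
    ("198.51.100.17", "10.0.2.15", 443),   # blocklisted single host
    ("10.0.2.15", "192.0.2.5", 443),       # internal host reaching a blocklisted IP
]

def load_iocs(text):
    """Parse IPs and CIDRs from the blocklist, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def find_attacker_flows(flows, nets):
    """Flag flows whose source (inbound attempt) or destination (outbound
    contact with attacker infrastructure) lies inside an attacker network."""
    hits = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in net for net in nets):
            hits.append(("inbound", src, dst, port))
        elif any(d in net for net in nets):
            hits.append(("outbound", src, dst, port))
    return hits

def summarize_by_host(hits):
    """Count hits per internal host so the most-contacted ones get handled first."""
    counts = defaultdict(int)
    for direction, src, dst, _port in hits:
        counts[dst if direction == "inbound" else src] += 1
    return dict(counts)
if __name__ == "__main__":
    hits = find_attacker_flows(SAMPLE_FLOWS, load_iocs(ATTACKER_IOCS))
    print(hits, summarize_by_host(hits))
```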
Next Steps:
If you find any connections from the attackers’ IPs, terminate those connections immediately.
References: