Log4j proof

Per this article I can check my systems for log4j using an sql query:

But how can I pull the proof for this via the sql query?

SELECT
da.sites AS "Site_Name",
da.ip_address AS "IP_Address",
da.mac_address AS "MAC_Address",
da.host_name AS "DNS_Hostname",
ds.vendor AS "Vendor",
ds.name AS "Software_Name",
ds.family AS "Software_Family",
ds.version AS "Software_Version",
ds.software_class AS "Software_Class"
FROM
dim_asset_software das
JOIN
dim_software ds USING(software_id)
JOIN
dim_asset da ON da.asset_id = das.asset_id
WHERE
ds.software_class LIKE '%'
AND
ds.name ILIKE '%log4j%'
ORDER BY
ds.name ASC


I also need to know this. Normally we can just report because it’s Application version xxx that’s affected but we are detecting on JAR files…I need to pull the filepaths manually. I am scanning thousands of systems so I know this will eventually get out of hand.

If Rapid7 can sort this out for us, we can automate reports daily instead of having to track through spreadsheets.

Also need a SQL query for findings of Log4Shell Vulnerabilities with the output of the proof.
This would speed up the process!

Troy posted a SQL query here that includes the proof, along with a lot of other info about the host and the vulnerability. Hopefully that provides you with a solid start, at least.
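As an added example (not Troy's query and not Rapid7's own code), the software inventory query from the first post can be turned into a per-finding query that returns the scanner's proof. It assumes the reporting data model's fact_asset_vulnerability_instance table with its proof column, the proofAsText() function, and dim_vulnerability.title, and it assumes the relevant vulnerability titles contain "log4j"; check each against the data model documentation for your console version.

```sql
-- Added example: one row per Log4j vulnerability instance, with proof text.
-- Assumptions (not from the original thread):
--   * fact_asset_vulnerability_instance holds one row per finding and
--     carries the proof column for that finding
--   * proofAsText() strips the markup from the proof column
--   * the vulnerability titles of interest contain the string "log4j"
SELECT
    da.sites                 AS "Site_Name",
    da.ip_address            AS "IP_Address",
    da.mac_address           AS "MAC_Address",
    da.host_name             AS "DNS_Hostname",
    dv.title                 AS "Vulnerability_Title",
    proofAsText(favi.proof)  AS "Proof"
FROM
    fact_asset_vulnerability_instance favi
JOIN
    dim_asset da ON da.asset_id = favi.asset_id
JOIN
    dim_vulnerability dv ON dv.vulnerability_id = favi.vulnerability_id
WHERE
    dv.title ILIKE '%log4j%'
ORDER BY
    da.ip_address ASC,
    dv.title ASC
```

Because the join is on vulnerability instances rather than installed software, an asset with several findings returns several rows, each with its own proof text.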
