log4j / log4shell - Zero Day and RCE

How to use Wazuh to find and report running software affected by log4j vulnerabilities. The script included here is a modified version of the script developed by the security company Intezer. In this version of the script the output is formatted to JSON and appended to Wazuh’s active responses log file.

Wodle Command configured to run periodic security scans in all required machines. Wazuh remote commands execution must be enabled in the Wazuh agent.

Bash script to be run via wodle command will find .jar extension in running processes, including Docker images.

The process ID, log4j version, JNDI enabled condition and process command line will be collected.

The output is formatted to JSON and appended to the agent’s active responses log file.