SECURITY UPDATE: Log4j Vulnerability Hunting with Rubrik

Dec 20, 2021 | How to, News

Howdy everyone, Matt from Data Center Therapy here again.

Now that we are a couple of weeks into this log4j mess, the hits just keep on coming. I believe we are up to version 2.17 of the log4j library as the release currently considered “fixed”, but at this point a lot of us are asking one key question: am I vulnerable, and how do I know? I’m here to talk about a way our Rubrik customers can get a very straightforward answer to that.

Our Rubrik customers know just how powerful it is for protecting your data and ensuring its integrity, and, even better, for doing useful things with your backed-up data AFTER you’ve protected it. Most other tools and processes require yet another pass over your production data, putting extra load on your environment and in general being pretty difficult to manage and balance. Rubrik lets you dive into the backed-up copy and perform further analysis on it instead. You already backed it up, right? Why not run operations against that data on a read-only basis to dig out what we need?

To that end, Rubrik has a super easy way to scan for any filename that exists anywhere in your organization. If you’ve backed it up, you can search for it. Rubrik has always been designed from the ground up to be API-first, and that principle really shines here. While the UI is one of my favorites among the companies we partner with, Rubrik has deliberately kept the UI to the most-used functions in order to keep day-to-day use simple. That means that if I want to search the global index via the GUI, I’m limited to objects (think VMs, databases, SLAs, all useful things) or to files backed up directly from a NAS share. That covers most of it. But what if I want to search files backed up inside a VM? We can go to each VM and search it individually, but that gets pretty time consuming once we start talking dozens or hundreds of VMs. So how can we automate this process?

Thanks to Jacob Robinson with Rubrik, we have our answer. Jacob posted a blog entry on Rubrik’s website where he cuts right to the quick and gives us example commands to search for log4j files, or any other files you like. Here’s how it works.

First, you create a temporary API access token within the Rubrik UI. Very quick and simple. Then you take that API token and feed it into your preferred way of scripting the process. You can use the Rubrik CDM Python SDK, the PowerShell module, or, as in this case, a plain HTTPS request with curl. The call is nothing more than a regex search against the global metadata catalog that Rubrik keeps on-appliance. Depending on the size of your environment, the search may take a bit of time, but when it completes you’ll be treated to a list of matching files and the objects that contain them: your candidates for potential vulnerabilities. Assuming you’re protecting your entire environment with Rubrik (and why wouldn’t you be?), you’ve now got a one-line command to find out where you might be vulnerable. That’s the power of APIs and Rubrik.

We’ve included the instructions down below as well as a few links for reference. Thanks for watching, everyone!


⌨️ Searching your Rubrik – API Commands ⌨️


curl

curl -X POST "https://<CDM HOST>/api/internal/search/global" \
  -H "accept: application/json" \
  -H "Authorization: Bearer <API TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"regex": "log4j-core"}'

PowerShell

# Authenticate to the cluster with the temporary API token
Connect-Rubrik -Server <CDM HOST> -Token <API TOKEN>
# Endpoint is relative to the API root; -api selects the internal API namespace
Invoke-RubrikRESTCall -Endpoint 'search/global' -Method POST -Body @{ regex = 'log4j-core' } -api internal

Python

import rubrik_cdm

# Authenticate with the temporary API token. It must be passed by keyword:
# the second positional parameter of Connect() is the username, not the token.
rubrik = rubrik_cdm.Connect("<CDM HOST>", api_token="<API TOKEN>")
# Regex search against the global metadata catalog via the internal API
body = {"regex": "log4j-core"}
results = rubrik.post("internal", "/search/global", body)
print(results)
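The commands above return every backed-up file whose name matches the regex, and the post notes that 2.17 is the release currently considered fixed. The next thing a responder wants is to sort those hits by version rather than read them by eye. The following is an added example written for this post, not Rubrik's SDK or Jacob's code: it issues the same global search with only the Python standard library, then triages hits by the version embedded in the jar name. The field names `filename` and `path` in the response entries are an assumption, and the sample hits are constructed, not captured from a real cluster.

```python
"""Added example: run Rubrik's global file search and triage log4j-core hits
by version. Illustration code for this post, not Rubrik's SDK; the response
field names ('filename', 'path') are assumed."""
import json
import re
import urllib.request

FIXED_VERSION = (2, 17, 0)  # the release the post calls the current fix

# Matches log4j-core-<major>.<minor>[.<patch>].jar at the end of a file name
LOG4J_CORE_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.IGNORECASE
)


def search_global(cdm_host, api_token, regex, ssl_context=None):
    """POST a regex to /api/internal/search/global and return the parsed JSON.

    Same request as the curl one-liner; pass an ssl.SSLContext if your cluster
    uses a private CA. Not called by the sample run below (needs a cluster).
    """
    req = urllib.request.Request(
        f"https://{cdm_host}/api/internal/search/global",
        data=json.dumps({"regex": regex}).encode(),
        headers={
            "accept": "application/json",
            "Authorization": f"Bearer {api_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl_context) as resp:
        return json.load(resp)


def parse_version(filename):
    """Return (major, minor, patch) from a log4j-core jar name, or None."""
    m = LOG4J_CORE_RE.search(filename)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def triage(hits):
    """Sort search hits into buckets a responder can act on.

    `hits` is a list of dicts with 'filename' and 'path' keys (ASSUMED shape
    of the entries in the search response).
    """
    buckets = {"vulnerable": [], "fixed": [], "review": []}
    for hit in hits:
        ver = parse_version(hit["filename"])
        if ver is None:
            # Matched the regex but carries no parseable version: check by hand
            buckets["review"].append(hit)
        elif ver < FIXED_VERSION:
            buckets["vulnerable"].append(hit)
        else:
            buckets["fixed"].append(hit)
    return buckets


# Constructed sample hits, not captured from a real cluster
SAMPLE_HITS = [
    {"filename": "log4j-core-2.14.1.jar", "path": "/opt/app/lib/log4j-core-2.14.1.jar"},
    {"filename": "log4j-core-2.17.0.jar", "path": "/opt/newapp/lib/log4j-core-2.17.0.jar"},
    {"filename": "log4j-core-2.3.jar", "path": "C:\\legacy\\lib\\log4j-core-2.3.jar"},
    {"filename": "log4j-core.jar", "path": "/srv/vendor/log4j-core.jar"},
]

if __name__ == "__main__":
    # With a real cluster: hits = search_global(host, token, "log4j-core")["data"]
    for bucket, items in triage(SAMPLE_HITS).items():
        for h in items:
            print(f"{bucket:10} {h['path']}")
```

Two caveats on reading the result: the search only matches file names, so a shaded or renamed jar that bundles the log4j classes under another name will not appear, and a version that parses as fixed still depends on the 2.17 threshold being current at the time you run it. Treat an empty or all-fixed result as the starting point for verification on the hosts themselves, not as proof.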


🔗 Resources 🔗