@aharonh
Last active December 15, 2021 12:37
Check whether any JVMs in a Kubernetes cluster are vulnerable to Log4Shell (CVE-2021-44228). It only checks the Java version, i.e. whether the JVM is exploitable by the initial public exploit; be aware that other exploitation techniques work regardless of the Java version, so a "not vulnerable" result here says nothing about whether the Log4j library itself is patched.
# check if any JVMs in kubernetes cluster are vulnerable to CVE-2021-44228
# only checks java versions. use at your own risk.
from kubernetes import client, config
from kubernetes.stream import stream
import re
# First double-quoted token on a `java -version` banner line, e.g. the
# 1.8.0_292 in:  openjdk version "1.8.0_292"
java_version_regex = re.compile(r'"(.*)"')
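def _leading_int(text):
    """Return the integer at the start of *text* (e.g. ``'181-b13'`` -> 181).

    Some vendor builds append a build tag to the update number; only the
    leading digits matter for the threshold comparison.

    Raises:
        ValueError: if *text* does not begin with a digit.
    """
    match = re.match(r'\d+', text)
    if match is None:
        raise ValueError("unsupported java version")
    return int(match.group())


def _update_number(java_version, separator, index):
    """Return the numeric component at *index* after splitting on *separator*.

    Raises:
        ValueError: if the component is missing (previously an IndexError
        escaped here) or does not start with a digit.
    """
    parts = java_version.split(separator)
    if len(parts) <= index:
        raise ValueError("unsupported java version")
    return _leading_int(parts[index])


# Release line prefix -> (separator, component index, first safe update).
# 1.x lines look like "1.8.0_<update>", the 11 line like "11.0.<update>".
# NOTE(review): these thresholds are one above the commonly cited fixed
# updates (6u211 / 7u201 / 8u191 / 11.0.1), so the fixed release itself is
# still reported as vulnerable; confirm that conservative choice is intended.
_SAFE_UPDATE = {
    '1.6.': ('_', 1, 212),
    '1.7.': ('_', 1, 202),
    '1.8.': ('_', 1, 192),
    '11.0': ('.', 2, 2),
}


def is_java_version_vulnerable(java_version):
    """Return True when this Java update level predates the JNDI/LDAP hardening.

    This only covers the version-dependent part of CVE-2021-44228 (the
    "initial exploit" the gist description refers to); a False result does
    not mean the Log4j library in the container is patched.

    Args:
        java_version: the quoted token from a ``java -version`` banner,
            e.g. ``'1.8.0_292'``, ``'11.0.13'`` or the bare ``'11'`` that
            JDK 11 GA prints.

    Returns:
        bool: True if the update number is below the line's threshold.

    Raises:
        ValueError: for release lines without a threshold (e.g. 17) or for
            strings whose update component cannot be parsed.
    """
    if java_version == '11':
        # JDK 11 GA prints a bare "11", i.e. 11.0.0, which is below the
        # 11.0.x threshold above.
        return True
    for prefix, (separator, index, threshold) in _SAFE_UPDATE.items():
        if java_version.startswith(prefix):
            return _update_number(java_version, separator, index) < threshold
    raise ValueError("unsupported java version")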
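# The scan needs permission to list pods in every namespace and to exec into
# them (the pods/exec subresource); it runs only `java -version` inside each
# container and prints one CSV row per container.
config.load_kube_config()
v1 = client.CoreV1Api()
ret = v1.list_pod_for_all_namespaces(watch=False)


def _report_java_version(pod_namespace, pod_name, container_name, banner):
    """Print the result row for a container whose ``java -version`` banner was read.

    The version is the first double-quoted token on the banner's first line.
    A banner without one, or a version the checker has no threshold for,
    produces the generic error rows instead of aborting the whole scan.
    """
    match = java_version_regex.search(banner.partition("\n")[0])
    if match is None:
        print("%s,%s,%s" % (pod_namespace, pod_name, container_name))
        print('some error occured %s' % banner)
        return
    java_version = match.group(1)
    try:
        vulnerable = is_java_version_vulnerable(java_version)
    except ValueError as err:
        # Still show the version so an unsupported release line can be triaged by hand.
        print("%s,%s,%s" % (pod_namespace, pod_name, container_name))
        print('some error occured %s: %s' % (err, java_version))
        return
    print("%s,%s,%s,%s,%s" % (pod_namespace, pod_name, container_name, java_version, vulnerable))


def _check_container(pod_namespace, pod_name, container_name):
    """Run ``java -version`` in one container and print what was found.

    The JVM writes its version banner to stderr, so that channel is parsed;
    stdout is only watched for the runtime's own message when the exec could
    not start. The stream is always closed, and any API or stream failure
    propagates to the caller.
    """
    resp = stream(v1.connect_get_namespaced_pod_exec, pod_name, pod_namespace,
                  container=container_name, command=['java', '-version'],
                  stderr=True, stdin=True, stdout=True, tty=False,
                  _preload_content=False)
    try:
        while resp.is_open():
            resp.update(timeout=3)
            if resp.peek_stdout():
                output = resp.read_stdout()
                # NOTE(review): this wording is runc/docker's; other runtimes may
                # phrase a missing binary differently and then surface it through
                # the generic stderr branch below instead.
                if output.startswith('OCI runtime exec failed'):
                    if 'executable file not found' not in output:
                        # No java binary in the image is expected; anything else is reported.
                        print("%s,%s,%s" % (pod_namespace, pod_name, container_name))
                        print('some error occured %s' % output)
                    break
            if resp.peek_stderr():
                error = resp.read_stderr()
                # OpenJDK builds print "openjdk version"; Oracle-style builds print "java version".
                if 'openjdk version' in error or 'java version' in error:
                    _report_java_version(pod_namespace, pod_name, container_name, error)
                    break
                if error != '':
                    print("%s,%s,%s" % (pod_namespace, pod_name, container_name))
                    print('some error occured %s' % error)
                    break
    finally:
        resp.close()


for pod in ret.items:
    # NOTE(review): 'Completed' is kubectl's display label; the API phase for a
    # finished pod is 'Succeeded', so the second value is probably never matched.
    if pod.status.phase in ('Succeeded', 'Completed'):
        continue
    pod_namespace = pod.metadata.namespace
    pod_name = pod.metadata.name
    for pod_container in pod.spec.containers:
        try:
            _check_container(pod_namespace, pod_name, pod_container.name)
        except Exception:
            # Narrower than a bare except so Ctrl-C still stops the scan; one
            # failing container must not abort the rest of the inventory.
            print("something went wrong when checking the pod %s in namespace %s" % (pod_name, pod_namespace))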