
cve-2021-44228-scanner's Introduction


log4j2-scan is a single-binary command-line tool for scanning for the CVE-2021-44228 vulnerability and applying a mitigation patch. It also scans and patches nested JAR files. In addition, it detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-44832 (log4j 2.17.0), CVE-2021-4104, CVE-2019-17571, CVE-2017-5645, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7).

Log4j Risk Management

You can integrate log4j2-scan with Logpresso Watch service for reporting and patch management. Visit https://logpresso.watch for details.

Download

Build

How to use

Just run log4j2-scan.exe or log4j2-scan with the target directory path. The logpresso-log4j2-scan.jar should work with JRE/JDK 7+.

The --fix option is supported for the following vulnerabilities:

  • Log4j v2
    • CVE-2021-44228 (JndiLookup)
    • CVE-2021-45046 (JndiLookup)
  • Log4j v1
    • CVE-2021-4104 (JMSAppender)
    • CVE-2019-17571 (SocketServer)
    • CVE-2020-9488 (SMTPAppender)
    • CVE-2022-23302 (JMSSink)
    • CVE-2022-23305 (JDBCAppender)
    • CVE-2022-23307 (chainsaw package)

The --fix option does not mitigate the following vulnerabilities:

  • Log4j v2
    • CVE-2021-44832 (JDBCAppender)
    • CVE-2021-45105 (DoS)
    • CVE-2017-5645 (SocketServer)
    • CVE-2020-9488 (SMTPAppender)
  • Logback
    • CVE-2021-42550

Usage

Logpresso CVE-2021-44228 Vulnerability Scanner 3.0.1 (2022-02-13)
Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2

-f [config_file_path]
        Specify config file path which contains scan target paths.
        Paths should be separated by new line. Prepend # for comment.
--scan-log4j1
        Enables scanning for log4j 1 versions.
--scan-logback
        Enables scanning for logback CVE-2021-42550.
--scan-zip
        Scan also .zip extension files. This option may slow down scanning.
--zip-charset
        Specify an alternate zip encoding other than utf-8. System default charset is used if not specified.
--fix
        Backup original file and remove JndiLookup.class from JAR recursively.
        With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class,
        JMSSink.class, JDBCAppender.class, and all classes of org.apache.log4j.chainsaw package
--force-fix
        Do not prompt confirmation. Don't use this option unless you know what you are doing.
--restore [backup_file_path]
        Unfix JAR files using zip archived file.
--backup-path [zip_output_path]
        Specify backup file path.
--backup-ext [zip]
        Specify backup file extension. zip by default.
        If --backup-path is specified, this option is ignored.
--all-drives
        Scan all drives on Windows
--drives c,d
        Scan specified drives on Windows. Spaces are not allowed here.
--no-symlink
        Do not detect symlink as vulnerable file.
--exclude [path_prefix]
        Path prefixes of directories whose absolute path starts with the specified value will be excluded.
        Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs
--exclude-config [config_file_path]
        Specify exclude path prefix list in text file. Paths should be separated by new line. Prepend # for comment.
--exclude-pattern [pattern]
        Exclude specified paths of directories by pattern. Supports fragments.
        You can specify multiple --exclude-pattern [pattern] pairs (non regex)
--exclude-file-config [config_file_path]
        Specify exclude file path list in text file. Paths should be separated by new line. Prepend # for comment.
--exclude-fs nfs,tmpfs
        Exclude paths by file system type. nfs, nfs3, nfs4, afs, cifs, autofs,
        tmpfs, devtmpfs, fuse.sshfs, smbfs and iso9660 is ignored by default.
--api-key [key]
        Send reports to Logpresso Watch service.
--http-proxy [addr:port]
        Send reports via specified HTTP proxy server.
--syslog-udp [host:port]
        Send reports to remote syslog host.
        Send vulnerable, potentially vulnerable, and mitigated reports by default.
--syslog-level [level]
        Send reports only if report is higher or equal to specified level.
        Specify alert for vulnerable and potentially vulnerable reports.
        Specify info for vulnerable, potentially vulnerable, and mitigated reports.
        Specify debug for vulnerable, potentially vulnerable, mitigated, and error reports.
--syslog-facility [code]
        Default value is 16 (LOCAL0). Facility value must be in the range of 0 to 23 inclusive.
--rfc5424
        Follow RFC5424 The Syslog Protocol strictly.
--report-csv
        Generate log4j2_scan_report_yyyyMMdd_HHmmss.csv in working directory if not specified otherwise via --report-path [path]
--report-json
        Generate log4j2_scan_report_yyyyMMdd_HHmmss.json in working directory if not specified otherwise via --report-path [path]
--report-patch
        Report also patched log4j file.
--report-path
        Specify report output path including filename. Implies --report-csv.
--report-dir
        Specify report output directory. Implies --report-csv.
--no-empty-report
        Do not generate empty report.
--csv-log-path
        Specify csv log file path. If log file exists, log will be appended.
--json-log-path
        Specify json log file path. If log file exists, log will be appended.
--old-exit-code
        Return sum of vulnerable and potentially vulnerable files as exit code.
--debug
        Print exception stacktrace for debugging.
--trace
        Print all directories and files while scanning.
--silent
        Do not print progress message.
--throttle
        Limit scan files per second.
--help
        Print this help.

On Windows

log4j2-scan [--fix] target_path

On Linux

./log4j2-scan [--fix] target_path

On UNIX (AIX, Solaris, and so on)

java -jar logpresso-log4j2-scan-3.0.1.jar [--fix] target_path

If you add the --fix option, this program copies each vulnerable original JAR file to a .bak file and creates a new JAR file without the org/apache/logging/log4j/core/lookup/JndiLookup.class entry. All .bak files are then archived into a single zip file named log4j2_scan_backup_yyyyMMdd_HHmmss.zip and deleted safely. In most environments the JNDI lookup feature is not used. However, you use this option at your own risk. You can easily restore the original vulnerable JAR files using the --restore option.

Depending on the operating system:

  • Windows: Shut down any running JVM process before applying the patch, because open JAR files are locked. Start the affected JVM process again after the fix.
  • Linux/macOS: Apply the patch, then restart the JVM.

If you want to automate the patch job, use the --force-fix option. With this option the program no longer prompts for confirmation.

The (mitigated) tag is displayed if the org/apache/logging/log4j/core/lookup/JndiLookup.class entry has been removed from the JAR file.

If you add the --trace option, this program prints all visited directories and files. Use this option only for debugging.
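
The backup-and-rewrite cycle described above, as an added example in Python (this is not the project's own Java code): it builds a constructed stand-in JAR, copies it to .bak, rewrites the JAR without the JndiLookup.class entry, bundles the .bak into a backup zip, and restores it again. The entry name is the one the README gives; the sample JAR contents, the relative-to-root layout inside the backup zip, and the function names are this example's own assumptions.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entry removed by --fix (taken from the README); everything else is this example's own.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_ENTRY = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def build_sample_jar(path: Path, version: str = "2.14.1") -> None:
    """Constructed stand-in for a vulnerable log4j-core JAR (not a real log4j build):
    it carries the pom.properties entry and a fake JndiLookup.class."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_ENTRY, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")  # fake class bytes
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def is_mitigated(jar: Path) -> bool:
    """The (mitigated) condition from the README: JndiLookup.class is absent."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_ENTRY not in zf.namelist()


def remove_jndi_lookup(jar: Path) -> Path:
    """Copy jar to jar.bak, then rewrite jar without JndiLookup.class.
    Every other entry is copied with its name, timestamp, compression and mode."""
    backup = jar.with_name(jar.name + ".bak")
    shutil.copy2(jar, backup)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(jar, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_ENTRY:
                continue
            fresh = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            fresh.compress_type = info.compress_type
            fresh.external_attr = info.external_attr
            dst.writestr(fresh, src.read(info.filename))
    return backup


def archive_backups(backups: list, root: Path, out_zip: Path) -> int:
    """Collect the .bak files into one zip (paths stored relative to root) and
    delete the loose .bak files, as the README describes for --fix."""
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for bak in backups:
            zf.write(bak, bak.relative_to(root).as_posix())
            bak.unlink()
    return len(backups)


def restore_backups(backup_zip: Path, root: Path) -> list:
    """This example's counterpart of --restore: put each archived .bak back in
    place of the patched JAR. Returns the restored JAR paths."""
    restored = []
    with zipfile.ZipFile(backup_zip) as zf:
        for name in zf.namelist():
            target = root / name[: -len(".bak")]  # strip the .bak suffix
            target.write_bytes(zf.read(name))
            restored.append(target)
    return restored


def demo() -> dict:
    """Run the full backup / patch / archive / restore cycle in a temp directory."""
    root = Path(tempfile.mkdtemp())
    jar = root / "lib" / "log4j-core-2.14.1.jar"
    jar.parent.mkdir(parents=True, exist_ok=True)
    build_sample_jar(jar)
    before = is_mitigated(jar)
    backup = remove_jndi_lookup(jar)
    after = is_mitigated(jar)
    backup_zip = root / "log4j2_scan_backup_example.zip"
    archived = archive_backups([backup], root, backup_zip)
    restore_backups(backup_zip, root)
    return {"before": before, "after": after, "archived": archived,
            "bak_left": backup.exists(), "after_restore": is_mitigated(jar)}
```

Rewriting into a fresh archive (rather than deleting the entry in place) keeps the JAR's central directory consistent, and the restore path shows why the backup zip must record where each .bak came from.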

On Windows:

CMD> log4j2-scan.exe D:\tmp
[*] Found CVE-2021-44228 vulnerability in D:\tmp\elasticsearch-7.16.0\bin\elasticsearch-sql-cli-7.16.0.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\elasticsearch-7.16.0\lib\log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\flink-1.14.0\lib\log4j-core-2.14.1.jar, log4j 2.14.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\logstash-7.16.0\logstash-core\lib\jars\log4j-core-2.14.0.jar, log4j 2.14.0
[*] Found CVE-2021-44228 vulnerability in D:\tmp\logstash-7.16.0\vendor\bundle\jruby\2.5.0\gems\logstash-input-tcp-6.2.1-java\vendor\jar-dependencies\org\logstash\inputs\logstash-input-tcp\6.2.1\logstash-input-tcp-6.2.1.jar, log4j 2.9.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-7.7.3\solr-7.7.3\contrib\prometheus-exporter\lib\log4j-core-2.11.0.jar, log4j 2.11.0
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-7.7.3\solr-7.7.3\server\lib\ext\log4j-core-2.11.0.jar, log4j 2.11.0
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-8.11.0\contrib\prometheus-exporter\lib\log4j-core-2.14.1.jar, log4j 2.14.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-8.11.0\server\lib\ext\log4j-core-2.14.1.jar, log4j 2.14.1

Scanned 5047 directories and 26251 files
Found 9 vulnerable files
Completed in 0.42 seconds

How it works

The scan runs in the following steps:

  1. Find all .jar, .war, .ear, .aar, .rar, and .nar files recursively.
  2. Look for the META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties entry in each JAR file.
  3. Read groupId, artifactId, and version.
  4. Compare the log4j2 version against the vulnerable ranges and print the file if its version is vulnerable.
  5. If the --fix option is used, back up the vulnerable file and patch it.
    • For example, the original vulnerable.jar is copied to vulnerable.jar.bak
  6. Archive all backup files into the zip file log4j2_scan_backup_yyyyMMdd_HHmmss.zip, then delete the .bak files.
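
Steps 1 to 4 of the scan, plus recursion into nested archives and symlink handling, as an added example in Python (not the project's code). The pom.properties and JndiLookup.class entry names and the archive extensions are taken from the README; the CVE-2021-44228 range is simplified here to log4j-core 2.0 through 2.14.1 with version qualifiers ignored, and the constructed sample JARs, the fat jar and the symlink are this example's own.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".aar", ".rar", ".nar")
# Simplification for this example: log4j-core 2.0 through 2.14.1 inclusive, qualifiers
# ignored. The real tool checks several CVEs, each with its own range.
CVE_2021_44228 = ((2, 0, 0), (2, 14, 1))


def parse_pom_version(text: str) -> tuple:
    """Pull version=... out of pom.properties and return it as a 3-int tuple.
    Tuples compare component-wise, which avoids the classic minor/patch mix-up."""
    props = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    nums = [int(p) for p in props.get("version", "").split("-")[0].split(".") if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])


def scan_archive(zf: zipfile.ZipFile, display: str, findings: list) -> None:
    names = set(zf.namelist())
    if POM in names:
        version = parse_pom_version(zf.read(POM).decode("utf-8", "replace"))
        lo, hi = CVE_2021_44228
        if lo <= version <= hi:
            status = "mitigated" if JNDI not in names else "vulnerable"
            findings.append((display, ".".join(map(str, version)), status))
    # Recurse into nested archives (e.g. BOOT-INF/lib/*.jar in a Spring Boot fat jar) to
    # any depth: each entry is read into memory, so nested-in-nested works the same way.
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{display}!{name}", findings)
            except zipfile.BadZipFile:
                pass  # archive extension but not a zip; ignore


def scan_tree(root, follow_symlinks: bool = False):
    """Walk root, scan every archive, return (findings, errors).
    os.walk(followlinks=False) only stops directory symlinks; file symlinks still show
    up in filenames, so they are filtered explicitly (the --no-symlink idea)."""
    findings, errors = [], []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            p = Path(dirpath) / fn
            if not follow_symlinks and p.is_symlink():
                continue
            try:
                with zipfile.ZipFile(p) as zf:
                    scan_archive(zf, str(p), findings)
            except (zipfile.BadZipFile, OSError) as exc:
                errors.append((str(p), str(exc)))
    return findings, errors


def make_fake_log4j_core(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, "#constructed sample\ngroupId=org.apache.logging.log4j\n"
                         f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root: Path) -> None:
    lib = root / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "log4j-core-2.13.3.jar").write_bytes(make_fake_log4j_core("2.13.3"))
    (lib / "log4j-core-2.17.1.jar").write_bytes(make_fake_log4j_core("2.17.1"))
    (lib / "patched-2.14.1.jar").write_bytes(make_fake_log4j_core("2.14.1", with_jndi=False))
    fat = io.BytesIO()  # Spring Boot style fat jar carrying a nested log4j-core
    with zipfile.ZipFile(fat, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", make_fake_log4j_core("2.14.1"))
    (root / "app.jar").write_bytes(fat.getvalue())
    try:
        os.symlink("log4j-core-2.13.3.jar", lib / "link.jar")
    except OSError:
        pass  # symlinks may be unavailable (e.g. Windows without the privilege)


def demo() -> dict:
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    findings, errors = scan_tree(root)
    rel = lambda d: d.replace(str(root), "").replace("\\", "/")
    return {"errors": errors,
            "found": {rel(d): (v, s) for d, v, s in findings},
            "with_symlinks": len(scan_tree(root, follow_symlinks=True)[0]),
            "has_symlink": (root / "lib" / "link.jar").is_symlink()}
```

The 2.17.1 sample is outside the range and is not reported; the JAR without JndiLookup.class is reported as mitigated; the nested JAR is reported with a display path of the form outer.jar!inner/path.jar; and link.jar only counts once symlinks are followed.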

Exit code for automation

  • -1 failed to run
  • 0 for clean (No vulnerability)
  • 1 for found
  • 2 for some errors

Tool Integrations

Contact

If you have any questions or issues, create an issue in this repository.

About Logpresso

Logpresso is a leading company in the AI and big data industry, located in South Korea. It provides SIEM, SOAR, log management, and FDS solutions built on its own big data platform.

cve-2021-44228-scanner's People

Contributors

8con, abcbarryn, abnqeut, afrouper, arykov, axel3rd, chkemper, fandigunawan, jgstew, k3it, nedjitef, pinacoelho, pse1202, strawgate, wywywywy, xeraph


cve-2021-44228-scanner's Issues

[Question] Any chance to have RHEL 6 ELS supported?

Dear,

As the RHEL 6 glibc version is 2.12, the current script complains about the down-level version and won't run.

Is there any chance to incorporate RHEL 6 as well?

RHEL 6 ELS is still supported till June 30 2024.

Many thanks

Laszlo Pinter

Does not find vulnerable jar in Spring Boot Fat Jar

Thanks guys, this is a great addition to mitigate this vulnerability. However, it does not find vulnerable .jar files in Spring Boot Fat Jars.

It does find the vulnerable .jar, though, when the Spring Boot Jar is exploded/unzipped.

[*] Found CVE-2021-44228 vulnerability in path-to\...\edge-service-1.38\BOOT-INF\lib\log4j-core-2.11.2.jar, log4j 2.11.2

Scanned 34 directories and 287 files
Found 1 vulnerable files
Completed in 0,25 seconds

Could you add support for jars built with the Spring Boot Maven Plugin? Documentation is here: https://docs.spring.io/spring-boot/docs/2.5.6/maven-plugin/reference/htmlsingle/#packaging.layers

Description of binaries generation

May I ask you to describe the steps taken to generate the Windows and Linux binaries in Releases, or to point to a place where it is described if I missed it?

[suggestion] windows all servers drive + output to csv format

Hi,

it would be great if we could specify the drives like:
log4j2-scan.exe --drives c,d,e
log4j2-scan.exe --drives all
and also export the findings to csv results like:
log4j2-scan.exe --export file.csv --vulnerable: all,onlyyes
and results like
hostname;path;vulnerable(yes/no)

something like this

scan error: zip END header not found

I used this very useful tool on many servers, all with basically the same basic software installed.

Immediately after starting, it spams the output with

...
scan error: zip END header not found
scan error: zip END header not found
scan error: zip END header not found
scan error: zip END header not found
scan error: zip END header not found
scan error: zip END header not found
...

Any idea where I could look in order to fix this?

System Info

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal

Index 2 out of bounds for length 2

I have a vulnerable jar in the path "C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\lib", but the scanner returns
error: Index 2 out of bounds for length 2

Scanned 1 directories and 160 files
Found 0 vulnerable files
Completed in 0.03 seconds

The OS is Windows Server 2012 R2, if that helps.

remote check

Is it possible to run the tool remotely on all the PCs on my network, or is it only possible manually, directly on each PC?

the jar file has others, not only log4j-core

Hi

I found that if the jar has other log4j artifacts, not only log4j-core,

BOOT-INF/lib/log4j-to-slf4j-2.14.1.jar
BOOT-INF/lib/log4j-api-2.14.1.jar

this scan doesn't report anything:

Scanned 21 directories and 17 files
Found 0 vulnerable files
Completed in 0.61 seconds

Is this scan tool designed for log4j-core only?

Bug in version check; does not detect e.g. 2.13.3

Some vulnerable versions, like log4j-core 2.13.3, are not found.

The version check, (major == 2 && minor <= 14 && patch <= 1), is wrong. It should be (major == 2 && (minor < 14 || (minor == 14 && patch <= 1))).
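
The two predicates from the issue side by side, as an added example in Python (not the project's code), with a tuple comparison added to show why comparing the components independently misses 2.13.3. The version list is constructed for illustration.

```python
def parse_version(text: str) -> tuple:
    """'2.13.3' -> (2, 13, 3); qualifiers such as '-SNAPSHOT' are dropped and missing
    components are padded with 0, so '2.0-beta9' becomes (2, 0, 0)."""
    nums = [int(p) for p in text.split("-")[0].split(".") if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])


def buggy_check(major: int, minor: int, patch: int) -> bool:
    """The predicate the issue reports: each component is tested on its own, so
    2.13.3 is rejected because patch 3 > 1 even though 2.13 is below 2.14."""
    return major == 2 and minor <= 14 and patch <= 1


def fixed_check(major: int, minor: int, patch: int) -> bool:
    """The corrected predicate from the issue: the patch level only matters at minor 14."""
    return major == 2 and (minor < 14 or (minor == 14 and patch <= 1))


def tuple_check(version: tuple) -> bool:
    """Same range written as one tuple comparison (this example's preferred form):
    Python compares tuples lexicographically, component by component."""
    return (2, 0, 0) <= version <= (2, 14, 1)


def missed_by_buggy_check(versions) -> list:
    """Versions the corrected predicate flags but the buggy one lets through."""
    missed = []
    for v in versions:
        parsed = parse_version(v)
        assert fixed_check(*parsed) == tuple_check(parsed)  # the two correct forms agree
        if fixed_check(*parsed) and not buggy_check(*parsed):
            missed.append(v)
    return missed


# Constructed list of versions on both sides of the 2.14.1 boundary.
SAMPLE_VERSIONS = ["1.2.17", "2.0.2", "2.13.3", "2.14.0", "2.14.1", "2.14.2", "2.15.0", "2.16.0"]
```

Note that 2.0.2 is missed for the same reason as 2.13.3: any release with a patch level above 1, however old, slips past the buggy check.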

WAR support

Can we expand the file traversal to unpack war files as well?

if (path.toLowerCase().endsWith(".jar") || path.toLowerCase().endsWith(".war"))

Parameter --fix => Backup jar should be moved to another directory.

Hi,

After using the fix parameter, the class loader will find the .bak file, created in the same directory, and could load the vulnerable jar again (not deterministic!). We have to ensure the backed-up files are moved or removed before restarting the Java service/application.

I will try to add a pull request for this.

With regards,
Michael

GLIBC_2.14 incompatibility

The machine is old enough to show this issue (RHEL 6.10), but it seems critical at the moment.

./log4j2-scan: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by ./log4j2-scan)

Can't start .exe on server

Hey,

for some reason I have a problem starting the .exe on servers.
I'm getting this error.


Are there any logs I can share?

Possible bug when BufferedReader/InputStreamReader fails

The following code snippet looks dangerous to me. When an exception is thrown, the code continues at line 58, which leads to the fix being applied even though the user didn't approve by entering y.

if (fix) {
    try {
        System.out.print("This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? ");
        BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
        String answer = br.readLine();
        if (!answer.equalsIgnoreCase("y")) {
            System.out.println("interrupted");
            return;
        }
    } catch (Throwable t) {
        System.out.println("error: " + t.getMessage());
    }
}
File f = new File(path);
new Log4j2Scanner().run(f, fix);
}

I am going to open a pr with a possible fix.
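
A fail-open versus fail-closed confirmation prompt, as an added Python example of the control-flow problem the issue describes; it is neither the project's code nor the pull request mentioned above. The line reader is injected so that EOF and read errors can be simulated, and the helper names are this example's own.

```python
from typing import Callable, Optional


def confirm_fail_open(read_line: Callable[[], Optional[str]], log=print) -> bool:
    """Same control flow as the Java snippet in the issue: the abort lives inside the
    try, so an exception while reading (a closed stdin, or the None that Java's
    readLine() yields at EOF) lands in the except, gets logged, and falls through
    to 'proceed'."""
    try:
        answer = read_line()
        if answer.strip().lower() != "y":  # None.strip() raises, like the Java NPE
            log("interrupted")
            return False
    except Exception as exc:
        log(f"error: {exc}")
    return True  # reached after an error: the destructive step goes ahead


def confirm_fail_closed(read_line: Callable[[], Optional[str]], log=print) -> bool:
    """Fail-closed variant: only an explicit 'y' proceeds; anything else, including a
    read error, EOF or an empty answer, aborts."""
    try:
        answer = read_line()
    except Exception as exc:
        log(f"error: {exc}")
        return False
    if answer is None or answer.strip().lower() != "y":
        log("interrupted")
        return False
    return True


def read_stdin_line() -> Optional[str]:
    """stdin reader that behaves like Java's readLine(): None at EOF instead of raising."""
    try:
        return input()
    except EOFError:
        return None


def raising_reader() -> Optional[str]:
    """Simulates a failing stream (constructed for the demonstration)."""
    raise OSError("stdin closed")


if __name__ == "__main__":
    print("This command will remove JndiLookup.class from log4j2-core binaries. "
          "Are you sure [y/N]? ", end="", flush=True)
    print("proceed" if confirm_fail_closed(read_stdin_line) else "aborted")
```

The difference only shows on the error paths: with stdin redirected from an empty file, or a stream that fails mid-read, the first function proceeds and the second aborts.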

Doesn't work at SunOS

Hi,
I downloaded the file for Any OS and tried to run it on the SunOS server.
But it didn't run; it just twinkled the cursor on the next line.

So I tried this command,

# java -jar logpresso-log4j2-scan-1.2.0.jar /path
# _
(↑ the cursor's twinkle)

Btw, I checked that the "java" command works.
Is it a bug or something?

Thanks.

Not all found as vulnerable

Hello,

I did a PoC test for our environment using an older sqldeveloper lib folder.
It found only 1 out of 3 files to be vulnerable.

I've extracted and checked the pom.properties for the 3 files. The pom.properties content was added in the screenshot below.

  • log4j-1.2-api.jar (not found)
  • log4j-api.jar (not found)
  • log4j-core.jar (found)

I went with the assumption that it might only print the latest one, which was not the case. After I deleted the log4j-core.jar file there was no vulnerability found. Is there maybe something wrongly configured in the command?


[QUESTION] Scan whole server

Hi there,

I'm not that deep into openSUSE etc. Running the scan from /tmp with the command "./log4j2-scan /" should scan every directory/file on the server, correct?

Ignore $RECYCLE.BIN on Windows

Hi,

would it be possible to ignore $RECYCLE.BIN on every drive when using the tool on Windows?

When there is a log4j file in that folder it is for sure not used, so that's a false positive.

Scan RAR files

RAR (Resource Adapter ARchive) is a file type defined in the Java EE spec, and it may contain Java code.

private boolean isScanTarget(String path) {
    String loweredPath = path.toLowerCase();
    if (scanZip && loweredPath.endsWith(".zip"))
        return true;

    // ear = Java EE archive, aar = Android archive
    return loweredPath.endsWith(".jar") || loweredPath.endsWith(".war") || loweredPath.endsWith(".ear")
            || loweredPath.endsWith(".aar");
}

Please add || loweredPath.endsWith(".rar") to scan RAR files.

Needs to handle "Nested Nested" jar files?

Hi,
It appears as though the software only handles one level of nested jar files.
We have a number of jar files (e.g. those that come with "Matlab") that have nested jar files which in turn have nested jar files within.
Is it possible to make it recursively check all nested jar files?

Scanner is still treating symlinks as jar files on linux

I did update the previous issue I opened about symlinks, but that issue has already been closed and I don't think the update I made has been seen there. I have pulled, rebuilt, and re-tested. There are still issues with handling symlinks to jar files.

I have a bash script I'm using to clean up, build, set up, and test. I'm looking for a way to attach it here; if I find one I'll do so. I don't have maven; I tried installing it, but it fails to build the scanner with maven plugin errors that I don't want to spend time right now to resolve. My Java experience is from 2002, so I'm resorting to bash scripts for build and test.

find test -ls
  1049724      4 drwxrwxr-x   4 joi      joi          4096 Dec 14 10:33 test
  1053429      4 drwxrwxr-x   2 joi      joi          4096 Dec 14 10:45 test/dir\ with\ spaces
  1049569   1556 -rw-r--r--   1 joi      joi       1590537 Sep 10  2019 test/dir\ with\ spaces/log4j-core.jar
  1053443      4 drwxrwxr-x   2 joi      joi          4096 Dec 14 10:45 test/test-symlink
  1051275   1556 -rw-r--r--   1 joi      joi       1590537 Sep 10  2019 test/test-symlink/log4j-core.jar
  1053445      0 lrwxrwxrwx   1 joi      joi            14 Dec 14 10:34 test/test-symlink/mytestlink.jar -> log4j-core.jar

# verify bad jar is detected twice
java -jar scanner.jar test
Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.0 (2021-12-15)
[*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/dir with spaces/log4j-core.jar, log4j 2.11.2
[*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/log4j-core.jar, log4j 2.11.2
[*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/mytestlink.jar, log4j 2.11.2

Scanned 3 directories and 3 files
Found 3 vulnerable files
Completed in 0.03 seconds

Running with --fix creates a .bak file for all jars it thinks it detected, including the symlinks.

joi@desktop2004:~/working-dir/CVE-2021-44228-Scanner$ java -jar scanner.jar --fix test
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.0 (2021-12-15)
[*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/dir with spaces/log4j-core.jar, log4j 2.11.2
[*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/log4j-core.jar, log4j 2.11.2
[*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/mytestlink.jar, log4j 2.11.2

Fixed: /home/joi/working-dir/CVE-2021-44228-Scanner/test/dir with spaces/log4j-core.jar
Fixed: /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/log4j-core.jar
Fixed: /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/mytestlink.jar

Scanned 3 directories and 3 files
Found 3 vulnerable files
Fixed 3 vulnerable files
Completed in 1.12 seconds
joi@desktop2004:~/working-dir/CVE-2021-44228-Scanner$ find test -ls
  1049724      4 drwxrwxr-x   4 joi      joi          4096 Dec 14 10:33 test
  1053429      4 drwxrwxr-x   2 joi      joi          4096 Dec 14 10:48 test/dir\ with\ spaces
  1049569   1572 -rw-r--r--   1 joi      joi       1607573 Dec 14 10:48 test/dir\ with\ spaces/log4j-core.jar
  1051277   1556 -rw-rw-r--   1 joi      joi       1590537 Dec 14 10:48 test/dir\ with\ spaces/log4j-core.jar.bak
  1053443      4 drwxrwxr-x   2 joi      joi          4096 Dec 14 10:48 test/test-symlink
  1051275   1572 -rw-r--r--   1 joi      joi       1607573 Dec 14 10:48 test/test-symlink/log4j-core.jar
  1053445      0 lrwxrwxrwx   1 joi      joi            14 Dec 14 10:34 test/test-symlink/mytestlink.jar -> log4j-core.jar
  1053427   1572 -rw-rw-r--   1 joi      joi       1607573 Dec 14 10:48 test/test-symlink/mytestlink.jar.bak
  1052166   1556 -rw-rw-r--   1 joi      joi       1590537 Dec 14 10:48 test/test-symlink/log4j-core.jar.bak

I am at the office on Central Standard Time, and am willing to update and re-test if I am notified.

Symlinks confuse --fix

The deb package for liblog4j2-java installs the jars in /usr/share/java/:

/usr/share/java/log4j-core.jar
/usr/share/java/log4j-core-2.11.2.jar -> log4j-core.jar

Scanner detected and fixed both of them. The result that I now have is:
/usr/share/java/log4j-core.jar
/usr/share/java/log4j-core-2.11.2.jar.bak -> log4j-core.jar
/usr/share/java/log4j-core-2.11.2.jar -> log4j-core.jar

Now the jar.bak file is a symlink back to the mitigated jar file.
There is no backup log4j-core.jar.bak file left after running --fix.

I tested with simply installing package liblog4j2-java, then running this scanner with --fix against /usr/share/java/ to see what it found.

Using fix option on locked files

Hi,

using the fix option on locked files shows:
Found x vulnerable files
Fixed x vulnerable files
Completed in ... seconds

But it does not succeed if the target file is locked / an open file, at least for users running Windows.
It should return an error message ("File locked") instead.

Thanks

New options to avoid scanning given paths or filesystems

Hi,

It is (or will be) common to scan "/" (as in #25) to be on the safe side; on Windows it is more like "all of the attached disks", which is much less applicable.

NFS mount points (and/or other network filesystems, USB backup drives or whatsoever) could be slow and/or duplicate the effort.

It could be good to have an option to either:

  1. don't transcend the filesystem (see the -xdev option of find). So the admin can specify the path, and it will scan only the given mount point.
  2. don't proceed on given filesystems and paths; see /etc/updatedb.conf for reference (PRUNEPATHS & PRUNEFS options).
  3. simply get a list of paths to be excluded on the command line (e.g. --prunepath /dev --prunepath /mnt [...]), so again the admin can determine which paths will be excluded.

What do you think about it?

Source code pls?

Hey, could you provide the source code for this, so that we can build it ourselves? Random binaries from the internet are not much better than the CVE itself. Thanks for your effort though!

Feature request: Scan all Local drives

--all-drives
Scan all drives on Windows

This option scans local drives and network shares, which generates massive network load.
"--all-local-drives" could save some networks.

Version 2.15.0 not vulnerable but found

Hi there,

I have some findings like this:

[*] Found CVE-2021-44228 vulnerability in D:\install\Log4J_Patche\UTI\log4j_2.15.0\log4j-core-2.15.0.jar, log4j 2.15.0

Version 2.15.0 is the most current version, in which the exploit is already fixed. This should be excluded from the scan.

Detect all regardless of version.

This might be a perfect opportunity to find and update old v1.x versions, so how about adding an option to display all v1.x and v2.x versions?

Didn't work with Log4j 2.11.1

I tried the latest release (1.4.0) and defined this in the maven pom.xml:

<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.11.1</version>
</dependency>

but no vulnerability can be found in the result.

Feature request: -v to add some runtime progress messages.

It would be reassuring to Windows admins if Scanner could be triggered with a -v or similar option that would provide some feedback while massive filesystems are being scanned. One possibility would be a status message that prints the current Scanned/Found/Fixed messages every 10,000 files.

Folks tend to cancel apps they think are hung or crashed because they aren't getting any output.

Allow exclusions by filesystem type

Though this is really specific to Unix, we really need an option to exclude by filesystem type.

This is because we have numerous servers with network drives with various mount points.

We need to exclude all network drives (nfs, cifs, etc).

Exclusion by path name is difficult to utilize.

Scanning /proc or /sys results in infinite loop

The scanner should be limited to real filesystems, scanning /proc or /sys can lead to infinite recursion and the scan never completing.

Bonus points if we can pass a flag to skip network shares also.
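
Mount-table based exclusion, covering the three requests above (skip by filesystem type, prune by path, and stay on one device like find -xdev), as an added Python example that is not the project's code. The default filesystem-type list is the one named in the README's --exclude-fs help text; the pseudo-filesystem set for /proc and /sys, the constructed /proc/mounts sample and all function names are this example's own assumptions, and parsing /proc/mounts is Linux-specific.

```python
import os
import posixpath
import tempfile

# Types the README says log4j2-scan ignores by default (--exclude-fs).
DEFAULT_EXCLUDED_FS = {"nfs", "nfs3", "nfs4", "afs", "cifs", "autofs", "tmpfs",
                       "devtmpfs", "fuse.sshfs", "smbfs", "iso9660"}
# This example's own addition for the /proc and /sys problem: kernel pseudo filesystems.
PSEUDO_FS = {"proc", "sysfs", "devpts", "cgroup", "cgroup2"}

# Constructed /proc/mounts content for offline use: "device mountpoint fstype options dump pass".
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
fileserver:/export/home /home nfs4 rw,relatime 0 0
//nas/share /mnt/share cifs rw 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
/dev/sdc1 /media/usb\\040disk vfat rw 0 0
"""


def parse_mounts(text: str) -> list:
    """Return [(mountpoint, fstype)] from /proc/mounts-style text. The kernel
    escapes a space in a mount point as \\040 (other octal escapes are rare and
    left alone here)."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts


def excluded_mountpoints(mounts: list, excluded_fs: set) -> list:
    """Mount points whose filesystem type is on the exclusion list (PRUNEFS idea)."""
    return sorted({mp for mp, fstype in mounts if fstype in excluded_fs})


def should_skip(path: str, excluded: list) -> bool:
    """True if path is an excluded mount point or lies beneath one. Compare on
    path components, not raw string prefixes, so /tmp does not swallow /tmpfoo."""
    norm = posixpath.normpath(path)
    for mp in excluded:
        if mp == "/" or norm == mp or norm.startswith(mp.rstrip("/") + "/"):
            return True
    return False


def walk_pruned(root: str, excluded: list):
    """os.walk that never descends into excluded mount points (PRUNEPATHS idea).
    dirnames is edited in place, which is how os.walk accepts pruning."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if not should_skip(posixpath.join(dirpath, d), excluded)]
        yield dirpath, filenames


def walk_one_filesystem(root: str):
    """The -xdev idea: stay on the device root lives on. Symlinked directories are
    not entered, so a dangling link cannot break the st_dev check."""
    root_dev = os.stat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if not os.path.islink(full) and os.stat(full).st_dev == root_dev:
                keep.append(d)
        dirnames[:] = keep
        yield dirpath, filenames


def demo_one_filesystem() -> list:
    """Build a tiny constructed tree in a temp dir and walk it with the -xdev rule."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    open(os.path.join(root, "sub", "a.jar"), "wb").close()
    return [(os.path.relpath(d, root), files) for d, files in walk_one_filesystem(root)]
```

On a live Linux host, read /proc/mounts instead of SAMPLE_MOUNTS and pass the result of excluded_mountpoints to walk_pruned; the two walkers can be combined by applying should_skip inside walk_one_filesystem's loop.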

32bit?

Any way of compiling an x86 32bit version of this tool?

Option to exclude folders

An option to exclude (multiple) folders would be nice, like "C:/Users". Not having an option like that would mean that it scans the same SharePoint for multiple users. Maybe the same option can be added to include multiple folders / drives instead of just one.

CVE-2019-17571

Hi,

thank you for publishing this awesome tool!

Would you mind adding support for CVE-2019-17571?
Log4j version 1.2 installations are suffering from a similar issue and it would be great if your scanner could detect both issues.

Files are ALL skipped

When running a scan I run the following command:
java -jar log4j2-scan.jar /Users//Desktop/SourceCode/

the scan then results in:
Scanned 3949 directories and 9260 files
Found 0 vulnerable files
Completed in 0.62 seconds

However, when I run it with --trace it shows that ALL the files are being skipped, even the .java files.

Am I doing something wrong or misusing the tool?

Feature request: Print starting point of the scan in the output.

It would be helpful to include the path where the scan was started.

Now:

jlellis@graylog-cmi-008:~$ java -jar scanner-1.3.2.jar /usr/share/java
Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.2 (2021-12-15)

Scanned 1 directories and 2 files
Found 0 vulnerable files
Completed in 0.00 seconds

Suggested:

jlellis@graylog-cmi-008:~$ java -jar scanner-1.3.2.jar /usr/share/java
Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.2 (2021-12-15)
Scanning /usr/share/java

Scanned 1 directories and 2 files
Found 0 vulnerable files
Completed in 0.00 seconds
