Comments (7)
Thanks for sharing this!
Is log4j-detector.jar at least finding the pom.properties in these cases (see the fix for #49)?
-- Warning: /var/tmp/e/elastic-apm-agent-1.28.2.jar does not contain Log4J bytecode, but claims it does (!/agent/META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties)
/var/tmp/e/elastic-apm-agent-1.28.2.jar contains Log4J-2.x >= 2.12.2 _SAFE_
from log4j-detector.
Fixed in v2021.12.22
from log4j-detector.
Elastic is using esclazz for shading. Do you know any other common shading extensions?
from log4j-detector.
This one with extension ".classdata" seems to be from https://github.com/open-telemetry
This can be solved in log4j-detector by also searching for these and marking them as vulnerable:
"JndiLookup.classdata"
"JndiLookup.esclazz"
Any more known shading extensions?
from log4j-detector.
Hi, no, it does not show this. I've attached the specific jar as a zip file.
The path in the jar to log4j-core classes is:
/inst/org/apache/logging/log4j/core
It does not have a pom.properties or a log4j version number as far as I can see.
The path to the JndiLookup class is:
/inst/org/apache/logging/log4j/core/lookup/JndiLookup.classdata
It does have this mentioned in the MANIFEST.MF file. That could be used for checking?
Name: inst/org/apache/logging/log4j/core/lookup/JndiLookup.classdata
SHA-256-Digest: q9/ssPvnHk4Zmj0V0L94P8tf8RBybJm0qlq7SipLXMo=
The dependency used is:
com.microsoft.azure:applicationinsights-agent:3.0.3
https://mvnrepository.com/artifact/com.microsoft.azure/applicationinsights-agent/3.0.3
applicationinsights-agent-3.0.3.zip
Note: in 3.2.4 these log4j-core classes are not present anymore.
from log4j-detector.
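The two cases raised in the comments above (a JndiLookup class renamed to .esclazz or .classdata, and a nested jar that carries no pom.properties but does list the entry under "Name:" in its MANIFEST.MF) can be caught by a scanner that matches the class name against every known shading suffix, recurses into nested jars, and unfolds the manifest before reading it. The following is an added Python example, not code from log4j-detector; the jar layout, entry names, digest and version in the sample are constructed for the demonstration, and the suffix list is the one from this thread.

```python
"""Added example: recursive scan of a jar for shaded copies of Log4j's JndiLookup,
whatever suffix the shading tool gave the class file, with a MANIFEST.MF cross-check.
Not log4j-detector's own code; the sample jars below are constructed in memory."""
import io
import re
import zipfile

# Suffixes seen in the thread: plain .class, Elastic's .esclazz and the .classdata
# used by the OpenTelemetry / Application Insights agents. Extend as needed.
SHADED_SUFFIXES = (".class", ".esclazz", ".classdata")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_RE = re.compile(
    r"(?:^|/)JndiLookup(?:" + "|".join(re.escape(s) for s in SHADED_SUFFIXES) + r")$"
)
# Matched with endswith() so a shaded prefix such as "agent/" still hits.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def unfold_manifest(text):
    """Undo MANIFEST.MF line folding: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def scan_archive(data, path):
    """Scan an in-memory archive, recursing into nested archives.

    Returns a list of dicts with keys "where" (log4j-detector style "!/" nesting),
    "how" ("entry-name" or "manifest") and "version" (log4j-core version from a
    pom.properties in the same archive, or None when the shaded copy kept none)."""
    local, nested = [], []
    version = None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if JNDI_RE.search(name):
                local.append({"where": f"{path}!/{name}", "how": "entry-name"})
            elif name.endswith("META-INF/MANIFEST.MF"):
                # Jars with per-entry manifest sections (signed jars, the agent in the
                # thread) list every entry under "Name:", so the renamed class shows up
                # there too; long names are folded at 72 bytes and must be unfolded first.
                for line in unfold_manifest(zf.read(name).decode("utf-8", "replace")):
                    if line.startswith("Name:"):
                        entry = line[5:].strip()
                        if JNDI_RE.search(entry):
                            local.append({"where": f"{path}!/{entry}", "how": "manifest"})
            elif name.endswith(POM_PROPS):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                nested.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    for finding in local:
        finding["version"] = version
    return local + nested


def build_jar(entries):
    """Constructed helper: pack {entry name: str or bytes} into an in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_app_jar():
    """Constructed Spring Boot style jar nesting two shaded agents (names, digest and version made up)."""
    bytecode = b"\xca\xfe\xba\xbe"  # any bytes will do; only the entry name is inspected
    agent_a = build_jar({
        "META-INF/MANIFEST.MF": (
            "Manifest-Version: 1.0\r\n\r\n"
            # the jar tool folds lines at 72 bytes; the continuation starts with a space
            "Name: inst/org/apache/logging/log4j/core/lookup/JndiLookup.class\r\n"
            " data\r\n"
            "SHA-256-Digest: " + "A" * 43 + "=\r\n"
        ),
        "inst/org/apache/logging/log4j/core/lookup/JndiLookup.classdata": bytecode,
    })
    agent_b = build_jar({
        "agent/org/apache/logging/log4j/core/lookup/JndiLookup.esclazz": bytecode,
        "agent/" + POM_PROPS: "version=2.12.2\ngroupId=org.apache.logging.log4j\n",
    })
    return build_jar({
        "BOOT-INF/classes/Hello.class": bytecode,
        "BOOT-INF/lib/agent-a.jar": agent_a,
        "BOOT-INF/lib/agent-b.jar": agent_b,
    })


if __name__ == "__main__":
    for f in scan_archive(sample_app_jar(), "app.jar"):
        print(f"{f['where']}  [{f['how']}]  version={f['version'] or 'unknown'}")
```

The scanner reports presence only; it deliberately does not reproduce log4j-detector's version thresholds, because a shaded copy without pom.properties (agent-a above) yields no version at all, and in that situation the only safe reading is "JndiLookup present, version unknown" until the vendor's own advisory (such as the discussion linked in the next comment) settles it.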
Found this info on the applicationinsights-agent regarding the log4j vulnerability:
https://github.com/microsoft/ApplicationInsights-Java/discussions/2008
from log4j-detector.
Thanks for the quick fix! Also confirmed in my local testing.
!/BOOT-INF/lib/applicationinsights-agent-3.0.3.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
from log4j-detector.