
Comments (7)

juliusmusseau commented on June 3, 2024

Thanks for sharing this!

Is log4j-detector.jar at least finding the pom.properties in these cases (see the fix for #49)?

-- Warning: /var/tmp/e/elastic-apm-agent-1.28.2.jar does not contain Log4J bytecode, but claims it does (!/agent/META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties)
/var/tmp/e/elastic-apm-agent-1.28.2.jar contains Log4J-2.x   >= 2.12.2 _SAFE_

from log4j-detector.

juliusmusseau commented on June 3, 2024

Fixed in v2021.12.22


HynekPetrak commented on June 3, 2024

Elastic is using esclazz for shading. Do you know any other common shading extensions?


MarkvanOsch commented on June 3, 2024

This one with extension ".classdata" seems to be from https://github.com/open-telemetry

This can be solved in logdetector to also search and set as vulnerable:
"JndiLookup.classdata"
"JndiLookup.esclazz"

Any more known shading extensions?


MarkvanOsch commented on June 3, 2024

Hi, no it does not show this. I've attached the specific jar as a zip file.

The path in the jar to log4j-core classes is:
/inst/org/apache/logging/log4j/core

It does not have a pom.properties or a log4j version number as far as I can see.

The path to the JndiLookup class is:
/inst/org/apache/logging/log4j/core/lookup/JndiLookup.classdata

It does have this mentioned in the MANIFEST.MF file. That could be used for checking?
Name: inst/org/apache/logging/log4j/core/lookup/JndiLookup.classdata
SHA-256-Digest: q9/ssPvnHk4Zmj0V0L94P8tf8RBybJm0qlq7SipLXMo=

The dependency used is:
com.microsoft.azure
applicationinsights-agent
3.0.3
https://mvnrepository.com/artifact/com.microsoft.azure/applicationinsights-agent/3.0.3

applicationinsights-agent-3.0.3.zip

Note: in 3.2.4 these log4j-core classes are not present anymore.


MarkvanOsch commented on June 3, 2024

Found this info on the applicationinsights-agent irt the log4j vulnerability:

https://github.com/microsoft/ApplicationInsights-Java/discussions/2008


MarkvanOsch commented on June 3, 2024

thx for the quick fix! Also confirmed in my local testing.

!/BOOT-INF/lib/applicationinsights-agent-3.0.3.jar contains Log4J-2.x >= 2.10.0 VULNERABLE

from log4j-detector.
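The check discussed in this thread, as an added example that is not part of the thread and not log4j-detector's own code: a Python scan that finds `JndiLookup` under any relocation prefix and with the renamed extensions named above (`.classdata`, `.esclazz`), descending into nested jars. The sample archives, `find_jndilookup` and the other names are constructed for illustration.

```python
import io
import zipfile

# Extensions named in the thread: plain .class plus the renamed forms
# .classdata and .esclazz used by shading agents.
SHADED_EXTS = (".class", ".classdata", ".esclazz")
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def find_jndilookup(data, label="", depth=0, max_depth=5):
    """Return 'outer!/inner!/entry' paths of JndiLookup classes in jar bytes."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or corrupt): nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            path = f"{label}!/{name}"
            stem, dot, ext = name.rpartition(".")
            # Match the path suffix so prefixes such as inst/ or agent/ still hit.
            relocated = stem == MARKER or stem.endswith("/" + MARKER)
            if relocated and (dot + ext) in SHADED_EXTS:
                hits.append(path)
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                hits += find_jndilookup(zf.read(info), path, depth + 1, max_depth)
    return hits


def _make_jar(entries):
    """Build a constructed in-memory jar from {name: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: a fat jar nesting an agent jar laid out as described above.
AGENT = _make_jar({
    "inst/org/apache/logging/log4j/core/lookup/JndiLookup.classdata": b"x",
    "inst/org/apache/logging/log4j/core/Logger.classdata": b"x"})
SAMPLE = _make_jar({
    "BOOT-INF/lib/agent.jar": AGENT,
    "agent/org/apache/logging/log4j/core/lookup/JndiLookup.esclazz": b"x",
    "com/example/JndiLookup.class": b"x"})  # unrelated class, must not match

if __name__ == "__main__":
    for hit in find_jndilookup(SAMPLE, "app.jar"):
        print(hit)
```

A hit only locates the class; it does not establish which Log4j version the archive carries.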
