Skip to content

google/log4jscanner

main
Switch branches/tags
Code

Latest commit

In Go 1.19 the standard library's archive/zip package will
automatically and silently handle a prefixed zip file.
The log4jscanner package expects to handle the offset itself.
To let log4jscanner work with both Go 1.18 and 1.19,
change it to read the offset first, before using the archive/zip
package.

Tested by running tests with both Go 1.18 and Go tip.
Without this change, Go tip fails with
--- FAIL: TestAutoMitigateExecutable (0.00s)
    --- FAIL: TestAutoMitigateExecutable/helloworld-executable (0.00s)
        rewrite_test.go:247: expected offset for executable testdata/helloworld-executable: got=0
    --- FAIL: TestAutoMitigateExecutable/vuln-class-executable (0.00s)
        rewrite_test.go:247: expected offset for executable testdata/vuln-class-executable: got=0
FAIL
FAIL	github.com/google/log4jscanner/jar	34.541s
3648656

Git stats

Files

Permalink
Failed to load latest commit information.

log4jscanner

Go Reference

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.

Installing

Pre-compiled binaries are available as release assets.

To install from source with an existing Go v1.17+ installation, either use go install:

go install github.com/google/log4jscanner@latest

Or build from the repo directly:

git clone https://github.com/google/log4jscanner.git
cd log4jscanner
go build -o log4jscanner

Command line tool

This project includes a scanner that walks directory, printing any detected JARs to stdout.

$ log4jscanner ./jar/testdata
./jar/testdata/bad_jar_in_jar.jar
./jar/testdata/log4j-core-2.1.jar
./jar/testdata/log4j-core-2.12.1.jar
./jar/testdata/log4j-core-2.14.0.jar
./jar/testdata/log4j-core-2.15.0.jar
./jar/testdata/vuln-class.jar

Optionally, the --rewrite flag can actively remove the vulnerable class from detected JARs in-place.

$ zipinfo /tmp/vuln-class.jar | grep Jndi
-rw-r--r--  3.0 unx     2937 bx defN 20-Nov-06 14:03 lookup/JndiLookup.class
-rw-r--r--  3.0 unx     5029 bx defN 20-Nov-06 14:03 net/JndiManager.class
-rw-r--r--  3.0 unx      249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class
-rw-r--r--  3.0 unx     1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class
$ log4jscanner --rewrite /tmp
/tmp/vuln-class.jar
$ zipinfo /tmp/vuln-class.jar | grep Jndi
-rw-r--r--  3.0 unx     5029 bx defN 20-Nov-06 14:03 net/JndiManager.class
-rw-r--r--  3.0 unx      249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class
-rw-r--r--  3.0 unx     1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class

On MacOS, you can scan the entire data directory with:

$ sudo log4jscanner /System/Volumes/Data

The scanner can also skip directories by passing glob patterns. On Linux, you may choose to scan the entire root filesystem, but skip site-specific paths (e.g. the /data/* directory). By default log4jscanner will not scan magic filesystems, such as /proc and /sys.

$ sudo log4jscanner --skip '/data/*' /

For heavy customization, such as reporting to external endpoints, much of the tool's logic is exposed through the jar.Walker API.

Package

Parsing logic is available through the jar package, and can be used to scan assets stored in other code repositories. Because JARs use the ZIP format, this package operates on archive/zip.Reader.

import (
	"archive/zip"
	// ...

	"github.com/google/log4jscanner/jar"
)

func main() {
	rc, err := zip.OpenReader(pathToJARFile)
	if err != nil {
		if errors.Is(err, zip.ErrFormat) {
			// File isn't a ZIP file.
			return
		}
		log.Fatalf("opening class: %v", err)
	}
	defer rc.Close()

	if !jar.IsJAR(&rc.Reader) {
		// ZIP file isn't a JAR file.
		return
	}

	result, err := jar.Parse(&rc.Reader)
	if err != nil {
		log.Fatalf("parsing zip file: %v", err)
	}
	if result.Vulnerable {
		fmt.Println("File is vulnerable")
	}
}

See the examples/ directory for full programs.

False positives

False positives have been observed for the scanner. Use caution when rewriting JARs automatically or taking other mitigations based on scan results.

If you do hit a false positive, please open an issue.

Note: This scanner purposefully flags the patched versions of log4j for Java 6 and Java 7 as vulnerable.

Contributors

We unfortunately had to squash the history when open sourcing. The following contributors were instrumental in this project's development:

About

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published