Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect patched log4j-core-2*.jar ? #1

Closed
tjyang opened this issue Dec 17, 2021 · 4 comments
Closed

Detect patched log4j-core-2*.jar ? #1

tjyang opened this issue Dec 17, 2021 · 4 comments

Comments

@tjyang
Copy link
Contributor

tjyang commented Dec 17, 2021

Hi

Can this program adding ability to check the .class are taken out of older log4j-core-.jar ?

Patched *.jar = jndiLookup.class removal and set log4j2.formatMsgNoLookups=true
@hupe1980
Copy link
Owner

The scanner inspects JAR Files whether they contains the file JndiLookup.class. If so, the bytecode of JndiManager.class is checked to see whether it is a log4j version >= 2.15.0

After removing the JndiLookup.class file, the scanner no longer issues an alarm

@tjyang
Copy link
Contributor Author

tjyang commented Dec 17, 2021
edited
Loading

  • This is my sample jar files.
[pi@centos7t01 github]$ ls  -lrth /tmp/*.jar
-rw-r--r-- 1 pi pi 1.8M Dec 16 19:22 /tmp/log4j-core-2.16.0.jar
-rw-r--r-- 1 pi pi 1.5M Dec 16 19:22 /tmp/log4j-core-2.9.1.jar   #<-- this one is patched via removal of jndiLookup.class
-rw-r--r-- 1 pi pi 1.5M Dec 16 19:22 /tmp/log4j-core-2.9.1.unpatched.jar
[pi@centos7t01 github]$
  • the scan
[pi@centos7t01 github]$ scan4log4shell local /tmp
[i] Log4Shell CVE-2021-44228 Local Vulnerability Scan
[!] Hit: possibly vulnerable file identified: /tmp/log4j-core-2.9.1.unpatched.jar
[x] Error: /tmp/systemd-private-7546a27e96df49dcb087991ab7126f6b-colord.service-iJUNZ1: open /tmp/systemd-private-7546a27e96df49dcb087991ab7126f6b-colord\
.service-iJUNZ1: permission denied
[x] Error: /tmp/systemd-private-7546a27e96df49dcb087991ab7126f6`
<snipped>
  • what I am hoping to to see is listing of good,patched, vulnerable log4j-core*.jar files listing the scan output.
    • existing output doesn't display patched and good ones.

@hupe1980
Copy link
Owner

An info about patched versions is now available

@tjyang
Copy link
Contributor Author

tjyang commented Dec 22, 2021

Thanks for the addition.

  • tested with version 0.13.0
[pi@centos7t01 scan4log4]$ ./scan4log4shell --version
scan4log4shell version 0.13.0
[pi@centos7t01 scan4log4]$ sudo ./scan4log4shell local  /tmp/
[i] Log4Shell Local Vulnerability Scan
[!] Hit: possibly CVE-2021-45046 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[!] Hit: possibly CVE-2021-45105 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[!] Hit: possibly CVE-2021-44228 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[!] Hit: possibly CVE-2021-45046 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin.patched/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[!] Hit: possibly CVE-2021-45105 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin.patched/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[i] Safe: possibly CVE-2021-44228 patched (no JndiLookup.class) file identified: /tmp/apache-log4j-2.9.1-bin.patched/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[i] Completed scanning
[pi@centos7t01 scan4log4]$

@tjyang tjyang closed this as completed Dec 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tjyang @hupe1980