include 1.2.17 in scanning log4j1
breadchris committed Dec 16, 2021
1 parent 65dbfe8 commit 2180554
Showing 3 changed files with 13 additions and 1 deletion.
5 changes: 5 additions & 0 deletions tools/log4shell/Makefile
@@ -1,4 +1,5 @@
BINARY_NAME=log4shell
LIBRARY_HASHES=log4j-library-hashes.json

payload:
cd payloads/hotpatch-payload/ && \
Expand All @@ -7,8 +8,12 @@ payload:
cp payloads/hotpatch-payload/target/classes/Log4ShellHotpatch.class Log4ShellHotpatch.class

cli:
touch ${LIBRARY_HASHES}
go build -o ${BINARY_NAME} .

library-hashes: cli
./log4shell analyze --output ${LIBRARY_HASHES} test/vulnerable-log4j2-versions/apache test/vulnerable-log4j2-versions/target/dependency

build: payload cli
echo "built ${BINARY_NAME}"

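Review bot: The `touch ${LIBRARY_HASHES}` added to `cli` lets the build succeed with an empty hash file whenever `log4j-library-hashes.json` is missing, and `library-hashes` then regenerates the file without rebuilding the binary. If the CLI reads or embeds this file at build time (not visible in this section), the resulting scanner would carry no known-vulnerable hashes and match nothing, which is a silent false negative for a detection tool. I would end the `library-hashes` recipe with a non-empty check and a rebuild, e.g. `test -s ${LIBRARY_HASHES} && go build -o ${BINARY_NAME} .`, and invoke `./${BINARY_NAME}` instead of the hard-coded `./log4shell` so the recipe follows the variable.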
2 changes: 1 addition & 1 deletion tools/log4shell/analyze/analyze.go
Expand Up @@ -48,7 +48,7 @@ func isVersionACVE202145046Version(semverVersion string) bool {
func isVersionACVE201917571Version(semverVersion string) bool {
version, _ := semver.Make(semverVersion)

vulnerableRange, _ := semver.ParseRange(">=1.2.0 <1.2.17")
vulnerableRange, _ := semver.ParseRange(">=1.2.0 <=1.2.17")
if vulnerableRange(version) {
return true
}
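Review bot: Both parse errors in `isVersionACVE201917571Version` are discarded, so a version string that `semver.Make` rejects becomes the zero version, falls outside `>=1.2.0 <=1.2.17`, and is reported as not vulnerable. For a scanner that is a silent false negative; vendor-suffixed or two-part Log4j 1.x version strings are the likely cases, though the callers and their inputs are not visible here. I would check the error with `version, err := semver.Make(semverVersion)` and, on failure, log it or surface it to the caller as "not evaluated" rather than returning a plain `false`. The range could also be built once at package level, e.g. `var cve201917571Range = semver.MustParseRange(">=1.2.0 <=1.2.17")` (assuming this is blang/semver), so a malformed literal fails at start-up instead of leaving a nil range to be called. The function body continues past the end of the hunk.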
7 changes: 7 additions & 0 deletions tools/log4shell/log4j-library-hashes.json
Expand Up @@ -14,6 +14,13 @@
"version": "1.2.16",
"cve": "CVE-2019-17571"
},
{
"path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.17/log4j-1.2.17.jar",
"file_name": "org/apache/log4j/net/SocketNode.class",
"hash": "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74",
"version": "1.2.17",
"cve": "CVE-2019-17571"
},
{
"path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar",
"file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
