From 7d30321b222ecfa88b45e27808570491a2ded61a Mon Sep 17 00:00:00 2001
From: breadchris
Date: Thu, 23 Dec 2021 13:50:11 -0500
Subject: [PATCH] generating hashes for the JndiLookup.class file to patch out
---
 tools/log4shell/analyze/analyze.go | 16 +-
 tools/log4shell/commands/patch.go | 2 +-
 tools/log4shell/constants/vulnerablehashes.go | 13 +-
 tools/log4shell/findings.json | 700 +-----------------
 tools/log4shell/log4j-library-hashes.json | 174 ++---
 tools/log4shell/main.go | 2 +-
 tools/log4shell/scan/loadversions.go | 10 +
 tools/log4shell/scan/scanfile.go | 23 +-
 .../test/vulnerable-log4j2-versions/main.go | 2 +-
 tools/log4shell/types/vulnerablehashes.go | 5 +
 10 files changed, 151 insertions(+), 796 deletions(-)
diff --git a/tools/log4shell/analyze/analyze.go b/tools/log4shell/analyze/analyze.go
index 4cd075f75..b3cdaaa2b 100644
--- a/tools/log4shell/analyze/analyze.go
+++ b/tools/log4shell/analyze/analyze.go
@@ -97,7 +97,7 @@ func fileNameToSemver(fileNameNoExt string) string {
 return semverVersion
 }
-func getJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHash string, err error) {
+func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHash string, err error) {
 fileName = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
 reader, err := zipReader.Open(fileName)
@@ -163,10 +163,15 @@ func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileN
 return
 }
- jndiLookupFileName, jndiLookupFileHash, err := getJndiLookupHash(zipReader, filePath)
- if err != nil {
- jndiLookupFileName = ""
- jndiLookupFileHash = ""
+ jndiLookupFileName := ""
+ jndiLookupFileHash := ""
+
+ if versionIsInRange(fileNameNoExt, semverVersion, constants.JndiLookupPatchFileVersions) {
+ jndiLookupFileName, jndiLookupFileHash, err = GetJndiLookupHash(zipReader, filePath)
+ if err != nil {
+ jndiLookupFileName = ""
+ jndiLookupFileHash = ""
+ }
 }
 log.Log().
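Review bot: In the second analyze.go hunk (ProcessArchiveFile), the failure branch of the new `GetJndiLookupHash` call clears the two strings but leaves `err` set. The call assigns with `=`, so if `err` is the function's named result (the bare `return` statements suggest so; the signature is cut off in the hunk header), a jar in range that has no JndiLookup.class, such as one already patched, would return that error together with the finding. Reset it in the branch with `err = nil`, or keep the result local, `name, hash, lookupErr := GetJndiLookupHash(zipReader, filePath)`, and add a comment that a missing class is an expected state rather than a scan failure. The body of ProcessArchiveFile starts and ends outside the hunk.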
@@ -185,6 +190,7 @@ func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileN
 JndiLookupHash: jndiLookupFileHash,
 Version: semverVersion,
 CVE: versionCve,
+ Severity: constants.CveSeverityLookup[versionCve],
 }
 return
 }
diff --git a/tools/log4shell/commands/patch.go b/tools/log4shell/commands/patch.go
index f9f8a2133..4c31b4bd5 100644
--- a/tools/log4shell/commands/patch.go
+++ b/tools/log4shell/commands/patch.go
@@ -117,7 +117,7 @@ func JavaArchivePatchCommand(c *cli.Context, globalBoolFlags map[string]bool) er
 }
 log.Debug().
 Str("path", finding.Path).
- Str("path", finding.Path).
+ Str("zipFilePath", finding.JndiLookupFileName).
 Msg("Found file to remove")
 }
diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go
index 80aff5891..6092c83fc 100644
--- a/tools/log4shell/constants/vulnerablehashes.go
+++ b/tools/log4shell/constants/vulnerablehashes.go
@@ -23,6 +23,7 @@ import (
 const (
 Log4ShellCve = "CVE-2021-44228"
 CtxCve = "CVE-2021-45046"
+ RecursiveDosCve = "CVE-2021-45105"
 Log4j1RceCve = "CVE-2019-17571"
 )
@@ -30,9 +31,12 @@ var (
 CveSeverityLookup = map[string]string {
 Log4ShellCve: "10.0",
 CtxCve: "9.0",
+ RecursiveDosCve: "7.5",
 Log4j1RceCve: "9.8",
 }
+ JndiLookupPatchFileVersions = semver.MustParseRange(">=2.0.0")
+
 FileVersionChecks = []types.LibraryFileVersionCheck{
 {
 Cve: Log4ShellCve,
@@ -41,12 +45,17 @@ var (
 },
 {
 Cve: Log4ShellCve,
- SemverRange: semver.MustParseRange(">=2.1.0 <=2.14.1"),
+ SemverRange: semver.MustParseRange(">=2.1.0 <2.15.0"),
 LibraryFile: "JndiManager.class",
 },
 {
 Cve: CtxCve,
- SemverRange: semver.MustParseRange("=2.15.0"),
+ SemverRange: semver.MustParseRange(">=2.15.0 <2.16.0"),
+ LibraryFile: "JndiManager.class",
+ },
+ {
+ Cve: RecursiveDosCve,
+ SemverRange: semver.MustParseRange(">=2.16.0 <2.17.0"),
 LibraryFile: "JndiManager.class",
 },
 {
diff --git a/tools/log4shell/findings.json b/tools/log4shell/findings.json
index 346b5875b..0f4df5fc1 100644
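Review bot: `constants.CveSeverityLookup[versionCve]` in the finding literal of ProcessArchiveFile (analyze.go, third hunk) yields an empty string without any signal when the CVE has no entry in the map. A check added to FileVersionChecks without a matching severity entry would then produce findings with a blank severity that downstream filtering may treat as low priority. Consider `severity, ok := constants.CveSeverityLookup[versionCve]` with a warning log when `ok` is false, or a comment on CveSeverityLookup stating that every CVE constant must have an entry.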
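Review bot: `JndiLookupPatchFileVersions = semver.MustParseRange(">=2.0.0")` in constants/vulnerablehashes.go leaves out the pre-release builds, because under semver precedence 2.0.0-beta9, 2.0.0-rc1 and 2.0.0-rc2 sort below 2.0.0. The findings.json entries removed later in this patch show those jars carrying JndiLookup.class, so unless versionIsInRange (not visible here) handles pre-releases specially, no JndiLookup hash is recorded for them and the patch command has nothing to remove. A lower bound that includes them, for example `>=2.0.0-beta9`, would close the gap. A comment on the variable naming the releases that are meant to be patched would make the intent checkable.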
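Review bot: The widened Log4ShellCve range `>=2.1.0 <2.15.0` in the last constants/vulnerablehashes.go hunk still covers 2.12.2, which the removed findings.json entries report as CVE-2021-44228 with severity 10.0. To my knowledge 2.12.2 is a backport release that already carries the fixes for CVE-2021-44228 and CVE-2021-45046, so it would be over-reported here and never matched by the new RecursiveDosCve entry; please confirm against the Apache advisory. The contiguous ranges assume a single release line, so consider carving the backport out, e.g. `">=2.1.0 <2.12.2 || >=2.13.0 <2.15.0"`, and extending the RecursiveDosCve range to include it. The FileVersionChecks literal begins and ends outside the hunk.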
--- a/tools/log4shell/findings.json
+++ b/tools/log4shell/findings.json
@@ -1,708 +1,14 @@ { "vulnerable_libraries": [ { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.15/log4j-1.2.15.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4", - "version": "1.2.15", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.16/log4j-1.2.16.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46", - "version": "1.2.16", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.17/log4j-1.2.17.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74", - "version": "1.2.17", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", - "version": "2.0.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - 
"path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", - "version": "2.0.0-rc2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", - "version": "2.0.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", - "version": "2.0.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - 
"severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", - "version": "2.12.0, 2.12.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": 
"1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", - "version": "2.12.0, 2.12.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.2-bin/log4j-core-2.12.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", - "version": "2.12.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", - "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", - "version": "2.14.0, 2.14.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", - "version": "2.14.0, 2.14.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", - "version": "2.15.0", - "cve": "CVE-2021-45046", - "severity": "3.7" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.2-bin/log4j-core-2.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.3-bin/log4j-core-2.3.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4-bin/log4j-core-2.4.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", - "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.5-bin/log4j-core-2.5.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6-bin/log4j-core-2.6.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.7-bin/log4j-core-2.7.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8-bin/log4j-core-2.8.jar", - 
"file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", - "version": "2.8.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.1/dist/lib/log4j-1.2.1.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", - "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": 
"test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.2/dist/lib/log4j-1.2.2.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", - "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.3/dist/lib/log4j-1.2.3.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", - "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.4/dist/lib/log4j-1.2.4.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", - "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.5/dist/lib/log4j-1.2.5.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a", - "version": "1.2.5", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.6/dist/lib/log4j-1.2.6.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", - "version": "1.2.6, 1.2.7, 1.2.9", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.7/dist/lib/log4j-1.2.7.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", - "version": "1.2.6, 1.2.7, 1.2.9", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": 
"test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.8/dist/lib/log4j-1.2.8.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9", - "version": "1.2.8", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.11/dist/lib/log4j-1.2.11.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6", - "version": "1.2.11", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.12/dist/lib/log4j-1.2.12.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c", - "version": "1.2.12", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.13/dist/lib/log4j-1.2.13.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", - "version": "1.2.13, 1.2.14", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.14/dist/lib/log4j-1.2.14.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", - "version": "1.2.13, 1.2.14", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.9/dist/lib/log4j-1.2.9.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", - "version": "1.2.6, 1.2.7, 1.2.9", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", + "path": 
"/home/breadchris/projects/lunasec-monorepo/tools/log4shell/test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", "version": "2.0.1", "cve": "CVE-2021-44228", "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", - "version": "2.0.0-rc2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", - "version": "2.0.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", - "version": "2.0.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": 
"fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", - "version": "2.0.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.10.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.0.jar", - "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", - "version": "2.12.0, 2.12.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", - "version": "2.12.0, 2.12.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", - "version": "2.12.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.3.jar", - "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", - "version": "2.14.0, 2.14.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", - "version": "2.14.0, 2.14.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.15.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", - "version": "2.15.0", - "cve": "CVE-2021-45046", - "severity": "3.7" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.3.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - 
"hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.5.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.7.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": 
"1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", - "version": "2.8.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" } ] } \ No newline at end of file diff --git a/tools/log4shell/log4j-library-hashes.json b/tools/log4shell/log4j-library-hashes.json index b4aa07123..9aeb4ef6d 100644 
--- a/tools/log4shell/log4j-library-hashes.json +++ b/tools/log4shell/log4j-library-hashes.json @@ -8,7 +8,7 @@ "jndi_lookup_hash": "", "version": "1.2.15", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.16/log4j-1.2.16.jar", @@ -18,7 +18,7 @@ "jndi_lookup_hash": "", "version": "1.2.16", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.17/log4j-1.2.17.jar", @@ -28,7 +28,7 @@ "jndi_lookup_hash": "", "version": "1.2.17", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", @@ -38,7 +38,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-beta9", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar", @@ -48,7 +48,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-beta9", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar", @@ -58,7 +58,7 @@ "jndi_lookup_hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", "version": "2.0.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", @@ -68,7 +68,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-rc1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar", 
@@ -78,7 +78,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-rc1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", @@ -88,7 +88,7 @@ "jndi_lookup_hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", "version": "2.0.0-rc2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", @@ -98,7 +98,7 @@ "jndi_lookup_hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", "version": "2.0.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", @@ -108,7 +108,7 @@ "jndi_lookup_hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", "version": "2.0.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar", @@ -118,7 +118,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.1.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", @@ -128,7 +128,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.10.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", 
@@ -138,7 +138,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", @@ -148,7 +148,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", @@ -158,7 +158,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", @@ -168,7 +168,7 @@ "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", @@ -178,7 +178,7 @@ "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.2-bin/log4j-core-2.12.2.jar", @@ -188,7 +188,7 @@ "jndi_lookup_hash": "febbc7867784d0f06934fec59df55ee45f6b24c55b17fff71cc4fca80bf22ebb", "version": "2.12.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", 
@@ -198,7 +198,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", @@ -208,7 +208,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", @@ -218,7 +218,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", @@ -228,7 +228,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.3", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", @@ -238,7 +238,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", @@ -248,7 +248,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar", 
@@ -258,7 +258,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.15.0", "cve": "CVE-2021-45046", - "severity": "" + "severity": "9.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.2-bin/log4j-core-2.2.jar", @@ -268,7 +268,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.2.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.3-bin/log4j-core-2.3.jar", @@ -278,7 +278,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.3.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4-bin/log4j-core-2.4.jar", @@ -288,7 +288,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", @@ -298,7 +298,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.5-bin/log4j-core-2.5.jar", @@ -308,7 +308,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.5.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6-bin/log4j-core-2.6.jar", 
@@ -318,7 +318,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", @@ -328,7 +328,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", @@ -338,7 +338,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.7-bin/log4j-core-2.7.jar", @@ -348,7 +348,7 @@ "jndi_lookup_hash": "cee2305065bb61d434cdb45cfdaa46e7da148e5c6a7678d56f3e3dc8d7073eae", "version": "2.7.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8-bin/log4j-core-2.8.jar", @@ -358,7 +358,7 @@ "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", @@ -368,7 +368,7 @@ "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", 
@@ -378,7 +378,7 @@ "jndi_lookup_hash": "d4ec57440cd6db6eaf6bcb6b197f1cbaf5a3e26253d59578d51db307357cbf15", "version": "2.8.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", @@ -388,7 +388,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", @@ -398,7 +398,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.1/dist/lib/log4j-1.2.1.jar", @@ -408,7 +408,7 @@ "jndi_lookup_hash": "", "version": "1.2.1", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.2/dist/lib/log4j-1.2.2.jar", @@ -418,7 +418,7 @@ "jndi_lookup_hash": "", "version": "1.2.2", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.3/dist/lib/log4j-1.2.3.jar", @@ -428,7 +428,7 @@ "jndi_lookup_hash": "", "version": "1.2.3", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.4/dist/lib/log4j-1.2.4.jar", @@ -438,7 +438,7 @@ "jndi_lookup_hash": "", "version": "1.2.4", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.5/dist/lib/log4j-1.2.5.jar", 
@@ -448,7 +448,7 @@ "jndi_lookup_hash": "", "version": "1.2.5", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.6/dist/lib/log4j-1.2.6.jar", @@ -458,7 +458,7 @@ "jndi_lookup_hash": "", "version": "1.2.6", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.7/dist/lib/log4j-1.2.7.jar", @@ -468,7 +468,7 @@ "jndi_lookup_hash": "", "version": "1.2.7", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.8/dist/lib/log4j-1.2.8.jar", @@ -478,7 +478,7 @@ "jndi_lookup_hash": "", "version": "1.2.8", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.11/dist/lib/log4j-1.2.11.jar", @@ -488,7 +488,7 @@ "jndi_lookup_hash": "", "version": "1.2.11", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.12/dist/lib/log4j-1.2.12.jar", @@ -498,7 +498,7 @@ "jndi_lookup_hash": "", "version": "1.2.12", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.13/dist/lib/log4j-1.2.13.jar", @@ -508,7 +508,7 @@ "jndi_lookup_hash": "", "version": "1.2.13", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.14/dist/lib/log4j-1.2.14.jar", @@ -518,7 +518,7 @@ "jndi_lookup_hash": "", "version": "1.2.14", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.9/dist/lib/log4j-1.2.9.jar", 
@@ -528,7 +528,7 @@ "jndi_lookup_hash": "", "version": "1.2.9", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", @@ -538,7 +538,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-rc1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", @@ -548,7 +548,7 @@ "jndi_lookup_hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", "version": "2.0.0-rc2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar", @@ -558,7 +558,7 @@ "jndi_lookup_hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", "version": "2.0.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar", @@ -568,7 +568,7 @@ "jndi_lookup_hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", "version": "2.0.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar", @@ -578,7 +578,7 @@ "jndi_lookup_hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", "version": "2.0.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar", @@ -588,7 +588,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.1.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.10.0.jar", 
@@ -598,7 +598,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.10.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.0.jar", @@ -608,7 +608,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.1.jar", @@ -618,7 +618,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.2.jar", @@ -628,7 +628,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.0.jar", @@ -638,7 +638,7 @@ "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.1.jar", @@ -648,7 +648,7 @@ "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.2.jar", @@ -658,7 +658,7 @@ "jndi_lookup_hash": "febbc7867784d0f06934fec59df55ee45f6b24c55b17fff71cc4fca80bf22ebb", "version": "2.12.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.0.jar", 
@@ -668,7 +668,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.1.jar", @@ -678,7 +678,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.2.jar", @@ -688,7 +688,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.3.jar", @@ -698,7 +698,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.3", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.0.jar", @@ -708,7 +708,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.1.jar", @@ -718,7 +718,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.15.0.jar", @@ -728,7 +728,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.15.0", "cve": "CVE-2021-45046", - "severity": "" + "severity": "9.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.2.jar", 
@@ -738,7 +738,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.2.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.3.jar", @@ -748,7 +748,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.3.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.1.jar", @@ -758,7 +758,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.jar", @@ -768,7 +768,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.5.jar", @@ -778,7 +778,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.5.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.1.jar", @@ -788,7 +788,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.2.jar", @@ -798,7 +798,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.jar", 
@@ -808,7 +808,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.7.jar", @@ -818,7 +818,7 @@ "jndi_lookup_hash": "cee2305065bb61d434cdb45cfdaa46e7da148e5c6a7678d56f3e3dc8d7073eae", "version": "2.7.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.1.jar", @@ -828,7 +828,7 @@ "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.2.jar", @@ -838,7 +838,7 @@ "jndi_lookup_hash": "d4ec57440cd6db6eaf6bcb6b197f1cbaf5a3e26253d59578d51db307357cbf15", "version": "2.8.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.jar", @@ -848,7 +848,7 @@ "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.0.jar", @@ -858,7 +858,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.1.jar", @@ -868,7 +868,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" } ] } \ No newline at end of file diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index c75de92af..de269f903 100644 
--- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go @@ -93,7 +93,7 @@ func main() { Commands: []*cli.Command{ { Name: "analyze", - Usage: "Scan known vulnerable Log4j dependencies and create a mapping of JndiLookup.class hash to version.", + Usage: "Note: This command is not used for scanning for vulnerable libraries, use the `scan` command. Analyze known vulnerable Log4j dependencies and create a mapping of JndiLookup.class hash to version.", Before: setGlobalBoolFlags, Flags: []cli.Flag{ &cli.StringFlag{ diff --git a/tools/log4shell/scan/loadversions.go b/tools/log4shell/scan/loadversions.go index 296c5be47..67f16bc35 100644 --- a/tools/log4shell/scan/loadversions.go +++ b/tools/log4shell/scan/loadversions.go @@ -80,16 +80,26 @@ func LoadVersionHashesFromBytes(versionHashesContent []byte) (hashLookup types.V newVersion += ", " + vulnerableLibrary.Version } + existingLookup.VulnerableFileHashLookup[vulnerableLibrary.JndiLookupHash] = types.VulnerableFile{ + FileName: vulnerableLibrary.JndiLookupFileName, + } + hashLookup[vulnerableLibrary.Hash] = types.VulnerableHash{ Name: vulnerableLibrary.Path + "::" + vulnerableLibrary.FileName, Version: newVersion, CVE: vulnerableLibrary.CVE, + VulnerableFileHashLookup: existingLookup.VulnerableFileHashLookup, } } else { hashLookup[vulnerableLibrary.Hash] = types.VulnerableHash{ Name: vulnerableLibrary.Path + "::" + vulnerableLibrary.FileName, Version: vulnerableLibrary.Version, CVE: vulnerableLibrary.CVE, + VulnerableFileHashLookup: map[string]types.VulnerableFile{ + vulnerableLibrary.Hash: { + vulnerableLibrary.JndiLookupFileName, + }, + }, } } } diff --git a/tools/log4shell/scan/scanfile.go b/tools/log4shell/scan/scanfile.go index dc0291d81..892abeabe 100644 --- a/tools/log4shell/scan/scanfile.go +++ b/tools/log4shell/scan/scanfile.go 
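Review bot: In the `else` branch of the scan/loadversions.go hunk the new `VulnerableFileHashLookup` map is keyed by `vulnerableLibrary.Hash`, while the branch above keys the same map by `vulnerableLibrary.JndiLookupHash` and the scanfile.go hunk looks entries up by the JndiLookup.class hash. The first library loaded for each version-indicator hash is therefore stored under the wrong key, so the scanner will warn that its JndiLookup.class "is not a known vulnerable file" even when it is known; the entry should read `vulnerableLibrary.JndiLookupHash: {FileName: vulnerableLibrary.JndiLookupFileName},`. The log4j 1.x rows in log4j-library-hashes.json have an empty `jndi_lookup_hash`, so both branches also insert an entry under the key `""`; guarding with `if vulnerableLibrary.JndiLookupHash != ""` would keep those out of the table. The body of LoadVersionHashesFromBytes starts and ends outside the hunk.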
@@ -16,6 +16,7 @@ package scan import ( "archive/zip" + "github.com/lunasec-io/lunasec/tools/log4shell/analyze" "github.com/lunasec-io/lunasec/tools/log4shell/constants" "github.com/lunasec-io/lunasec/tools/log4shell/types" "github.com/lunasec-io/lunasec/tools/log4shell/util" @@ -64,11 +65,27 @@ func identifyPotentiallyVulnerableFile( Msg("No severity provided for CVE") } + jndiLookupFileName, jndiLookupFileHash, err := analyze.GetJndiLookupHash(zipReader, path) + if err == nil { + if _, ok := vulnerableFile.VulnerableFileHashLookup[jndiLookupFileHash]; !ok { + log.Warn(). + Str("path", path). + Str("jndiLookupFileName", jndiLookupFileName). + Str("jndiLookupHash", jndiLookupFileHash). + Msg("Discovered JndiLookup.class file is not a known vulnerable file. Patching this file out might have some unintended side effects.") + } + } else { + jndiLookupFileName = "" + jndiLookupFileHash = "" + } + log.Log(). Str("severity", severity). Str("path", path). - Str("fileName", fileName). - Str("hash", fileHash). + Str("versionIndicatorFileName", fileName). + Str("versionIndicatorHash", fileHash). + Str("jndiLookupFileName", jndiLookupFileName). + Str("jndiLookupHash", jndiLookupFileHash). Str("versionInfo", vulnerableFile.Version). Str("cve", vulnerableFile.CVE). Msg("Identified vulnerable path") @@ -86,6 +103,8 @@ func identifyPotentiallyVulnerableFile( Path: absolutePath, FileName: fileName, Hash: fileHash, + JndiLookupFileName: jndiLookupFileName, + JndiLookupHash: jndiLookupFileHash, Version: vulnerableFile.Version, CVE: vulnerableFile.CVE, Severity: severity, diff --git a/tools/log4shell/test/vulnerable-log4j2-versions/main.go b/tools/log4shell/test/vulnerable-log4j2-versions/main.go index 895b83fa6..e42bac9f9 100644 --- a/tools/log4shell/test/vulnerable-log4j2-versions/main.go +++ b/tools/log4shell/test/vulnerable-log4j2-versions/main.go 
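Review bot: The `else` branch added after `analyze.GetJndiLookupHash(zipReader, path)` in the second scanfile.go hunk discards `err` and only blanks the two strings, so a JndiLookup.class that could not be opened or hashed looks the same as one that is absent from the archive. The finding's `JndiLookupFileName` is what the patch command reports as the file to remove, so a silent failure here presumably leaves the archive unpatched with nothing in the log to explain why. Log the error before clearing the values, for example `log.Debug().Err(err).Str("path", path).Msg("unable to hash JndiLookup.class")`. The body of identifyPotentiallyVulnerableFile starts and ends outside the hunk.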
@@ -30,7 +30,7 @@ import ( ) var ( - versions = []string{"2.16.0","2.15.0","2.14.1","2.14.0","2.13.3","2.13.2","2.13.1","2.13.0","2.12.2","2.12.1","2.12.0","2.11.2","2.11.1","2.11.0","2.10.0","2.9.1","2.9.0","2.8.2","2.8.1","2.8","2.7","2.6.2","2.6.1","2.6","2.5","2.4.1","2.4","2.3","2.2","2.1","2.0.2","2.0.1","2.0","2.0-rc2","2.0-rc1"} + versions = []string{"2.17.0","2.16.0","2.15.0","2.14.1","2.14.0","2.13.3","2.13.2","2.13.1","2.13.0","2.12.2", "2.12.1","2.12.0","2.11.2","2.11.1","2.11.0","2.10.0","2.9.1","2.9.0","2.8.2","2.8.1","2.8","2.7","2.6.2","2.6.1","2.6","2.5","2.4.1","2.4","2.3","2.2","2.1","2.0.2","2.0.1","2.0","2.0-rc2","2.0-rc1"} ) type ArtifactId struct { diff --git a/tools/log4shell/types/vulnerablehashes.go b/tools/log4shell/types/vulnerablehashes.go index 3f17d9a64..e4f00b3b6 100644 --- a/tools/log4shell/types/vulnerablehashes.go +++ b/tools/log4shell/types/vulnerablehashes.go @@ -16,10 +16,15 @@ package types import "github.com/blang/semver/v4" +type VulnerableFile struct { + FileName string `json:"file_name"` +} + type VulnerableHash struct { Name string `json:"name"` Version string `json:"version"` CVE string `json:"cve"` + VulnerableFileHashLookup map[string]VulnerableFile } type VulnerableHashLookup map[string]VulnerableHash
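Review bot: `VulnerableFileHashLookup` in the types/vulnerablehashes.go hunk is added without a `json` tag or a comment, unlike the other fields of `VulnerableHash`, and nothing states which hash the map is keyed by. The two writers in scan/loadversions.go already disagree on that key, so a doc comment such as `// VulnerableFileHashLookup maps a JndiLookup.class hash to the file to patch out.` would pin the contract down. If `VulnerableHash` is marshalled anywhere, a tag in the style of the sibling fields (for example `json:"vulnerable_file_hash_lookup"`) would keep the output key consistent.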