From e867b7ba5b0adfce3f7b24d634db50c8a6cf7008 Mon Sep 17 00:00:00 2001 From: breadchris Date: Thu, 23 Dec 2021 16:07:20 -0500 Subject: [PATCH] update wording in blog to be more clear that the cli is not an archive --- ...-12-12-log4j-zero-day-mitigation-guide.mdx | 30 ++++++++++++------- tools/log4shell/Dockerfile | 2 +- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx b/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx index fb60dde9f..8d169d3de 100644 --- a/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx +++ b/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx 
@@ -67,21 +67,29 @@ It works by scanning for hashes of [known vulnerable log4j classes](https://gith If you have a vulnerable version of a log4j in your built Java project, the hash will match a one of the hashes in the list. -**[Download from GitHub](https://github.com/lunasec-io/lunasec/releases/)** +**Download from [GitHub](https://github.com/lunasec-io/lunasec/releases/)** or from the command line: -_Make sure you download the right version for your Operating System and CPU architecture._ Once downloaded, you can extract -it and run the `log4shell` command in your terminal. The tool can scan individual files or whole directories. +```shell title="Download Linux CLI" +curl -OL https://github.com/lunasec-io/lunasec/releases/download/v1.4.1-log4shell/log4shell_1.4.1-log4shell_Linux_x86_64 +``` +```shell title="Download OSX CLI" +curl -OL https://github.com/lunasec-io/lunasec/releases/download/v1.4.1-log4shell/log4shell_1.4.1-log4shell_Darwin_x86_64 +``` +_Make sure you download the right version for your Operating System and CPU architecture._ Once downloaded, run the `log4shell` +command in your terminal. The tool can scan individual files or whole directories. **Linux** -```shell title="Example Linux Command" +```shell title="Install Linux CLI" +cp log4shell_1.4.1-log4shell_Linux_x86_64 /usr/local/bin/log4shell +chmod +x /usr/local/bin/log4shell log4shell scan your-project-dir/ ``` **OSX** -```shell title="Example OSX Commands" -# Replace `` with your path, eg: `~/Downloads` +```shell title="Install OSX CLI" +# Replace `` with your path, eg: `~/Downloads`, if you have downloaded it by visiting the Releases page cp /log4shell_1.4.1-log4shell_Darwin_x86_64 /usr/local/bin/log4shell chmod +x /usr/local/bin/log4shell log4shell scan your-project-dir 
@@ -91,6 +99,7 @@ log4shell scan your-project-dir ```shell title="Example Windows Command" log4shell.exe scan your-project-dir/ ``` + Because the tool contains exploit strings needed for the `livepatch` command, it might be falsely recognized as malware by some virus scanners on Windows. Please add an exception for it. @@ -253,13 +262,12 @@ default and removes the message lookup feature. We recommend you upgrade, if possible. For most people, this is the final and correct solution to the issue. -:::caution Version 2.15.0 still may be vulnerable -Log4j version `2.15.0` which was previously thought to be secure has been found to still have a [limited vulnerability](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f), -that could result in a DOS (but not RCE), users must update to `>= 2.16.0`. -::: - :::caution Version 2.16.0 vulnerable to DOS +~~Log4j version `2.15.0` which was previously thought to be secure has been found to still have a [limited vulnerability](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f), +that could result in a DOS (but not RCE), users must update to `>= 2.16.0`.~~ + If you have updated Log4j to version `2.16.0`, a Denial of Service (DOS) attack is still present in [certain logging circumstances](https://logging.apache.org/log4j/2.x/security.html). +Please update to `>=2.17.0` ::: ### Option 2: Enable `formatMsgNoLookups` diff --git a/tools/log4shell/Dockerfile b/tools/log4shell/Dockerfile index a9d62947f..2623480cb 100644 --- a/tools/log4shell/Dockerfile +++ b/tools/log4shell/Dockerfile @@ -14,7 +14,7 @@ WORKDIR /build COPY . /build COPY --from=java-build /build/hotpatch-payload/target/classes/Log4ShellHotpatch.class /build -RUN go build -o log4shell . +RUN CGO_ENABLED=0 go build -o log4shell . FROM alpine
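Review bot: In the `@@ -67,21 +67,29 @@` hunk the new `curl -OL` download blocks fetch the release binary with no integrity check before it is copied into `/usr/local/bin` and executed as a mitigation tool, and the Linux block then runs `cp log4shell_1.4.1-log4shell_Linux_x86_64 /usr/local/bin/log4shell` without the "replace with your download path" note that the OSX block carries, so it silently assumes the reader's current directory. Suggest adding a checksum verification step between download and install (for example a `sha256sum`/`shasum -a 256` line compared against whatever digest the release publishes, if one is published), and either noting `sudo` for the copy into `/usr/local/bin` or pointing at a user-writable directory. The italic sentence "Make sure you download the right version for your Operating System and CPU architecture" also now sits below two hard-coded `x86_64` URLs, so it is worth stating that these commands are for x86_64 only and that other architectures should be taken from the Releases page.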
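Review bot: In the `@@ -253,13 +262,12 @@` hunk, striking through the whole 2.15.0 sentence inside a box titled "Version 2.16.0 vulnerable to DOS" reads as if 2.15.0 were no longer affected, when only the remediation target (`>= 2.16.0`) has been superseded; 2.15.0 remains vulnerable to the DoS the struck text describes. Suggest dropping the `~~...~~` text and stating both facts plainly in one box, e.g. "Versions `2.15.0` and `2.16.0` are both affected by a DoS (not RCE); update to `>= 2.17.0`." The added line `Please update to `>=2.17.0`` is also missing its terminating period and uses `>=2.17.0` where the surrounding text writes `>= 2.16.0` with a space; pick one form.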
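Review bot: The Dockerfile change `-RUN go build -o log4shell .` to `+RUN CGO_ENABLED=0 go build -o log4shell .` is not mentioned in the commit message, which only covers the blog wording, and the reason is not recorded anywhere in the hunk. Since the final stage is `FROM alpine` (musl, no glibc), this is the change that makes the binary run there without a dynamic libc; suggest either a short comment above the `RUN` line explaining that, or a separate commit so the Dockerfile fix is not buried under "update wording in blog".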