Shaded Log4j class JndiLookup not found #63
Comments
|
Elastic si using esclazz for shading. Do you know any other common shading extensions ? |
|
This one with extension ".classdata" seems to be from https://github.com/open-telemetry This can be solved in logdetector to also search and set as vulnerable: Any more known shading extensions? |
|
Thanks for sharing this! Is log4j-detector.jar at least finding the pom.properties in these cases (see the fix for #49)? |
|
Hi, no it does not show this. I've attached the specific jar as zip file. The path in the jar to log4j-core classes is: It does not have a pom.properties or a log4j versionnumber as far I can see. The path to the JndiLoopup class is: It does have this mentioned in the MANIFEST.MF file. That could be used for checking? The dependency used is: applicationinsights-agent-3.0.3.zip Note: in 3.2.4 these log4j-core classes are not present anymore. |
|
Found this info on the applicationinsights-agent irt the log4j vulnerability: https://github.com/microsoft/ApplicationInsights-Java/discussions/2008 |
|
Fixed in v2021.12.22 |
|
thx for the quick fix! Also confirmed in my local testing. !/BOOT-INF/lib/applicationinsights-agent-3.0.3.jar contains Log4J-2.x >= 2.10.0 VULNERABLE |
I found a case where a shaded Log4j-core class JndiLookup was not found.
In this case in applicationinsights-agent 3.0.3 as an example.
With shading they also renamed the JndiLoopup.class to JndiLookup.classdata.
To confirm, I found this one with, and the regex also finding the .classdata file:
find . -regex ".*.jar" -type f | xargs -I{} grep JndiLookup.class "{}"
The text was updated successfully, but these errors were encountered: