Tools for finding and reproducing the CVE-2021-44228
find-vulnerabilities: determine heuristically whether a running JVM is vulnerable
confirm-vulnerabilities: determine with 100% accuracy whether a running JVM is vulnerable
Both of these tools scan all running JVM processes on a machine, and produce a CSV report about which processes may be / are vulnerable.
Which tool should I use?
Here are a few tradeoffs to help you determine which tool is right for your use case:
find-vulnerabilities is low-risk to run, but has the possibility of missing:
- Cases where a system property is not set on the CLI, e.g. at runtime
- Cases where the JVM has closed the file descriptor for the jar
- Non-standard / patched releases of
confirm-vulnerabilities uses the JVM Attach API which:
- May not work if an application explicitly disables this API
- May crash the running JVM due to JVM bugs
- May briefly slow down the running JVM while waiting for JVM pause
This project welcomes feedback and contributions; however, we might be slow to respond to or triage your requests. We appreciate your patience.
This project uses the MIT license.
Code of conduct
This project has adopted the Stripe Code of conduct.