Comments (4)
The scanner inspects JAR files to check whether they contain the file JndiLookup.class. If so, the bytecode of JndiManager.class is checked to see whether it is a log4j version >= 2.15.0.
After removing the JndiLookup.class file, the scanner no longer issues an alarm.
from scan4log4shell.
- These are my sample jar files.
[pi@centos7t01 github]$ ls -lrth /tmp/*.jar
-rw-r--r-- 1 pi pi 1.8M Dec 16 19:22 /tmp/log4j-core-2.16.0.jar
-rw-r--r-- 1 pi pi 1.5M Dec 16 19:22 /tmp/log4j-core-2.9.1.jar #<-- this one is patched via removal of jndiLookup.class
-rw-r--r-- 1 pi pi 1.5M Dec 16 19:22 /tmp/log4j-core-2.9.1.unpatched.jar
[pi@centos7t01 github]$
- the scan
[pi@centos7t01 github]$ scan4log4shell local /tmp
[i] Log4Shell CVE-2021-44228 Local Vulnerability Scan
[!] Hit: possibly vulnerable file identified: /tmp/log4j-core-2.9.1.unpatched.jar
[x] Error: /tmp/systemd-private-7546a27e96df49dcb087991ab7126f6b-colord.service-iJUNZ1: open /tmp/systemd-private-7546a27e96df49dcb087991ab7126f6b-colord.service-iJUNZ1: permission denied
[x] Error: /tmp/systemd-private-7546a27e96df49dcb087991ab7126f6`
<snipped>
- What I am hoping to see is a listing of good, patched, and vulnerable log4j-core*.jar files in the scan output.
- The existing output doesn't display the patched and good ones.
from scan4log4shell.
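The check the maintainer describes above (presence of JndiLookup.class, then a version threshold) and the good/patched/vulnerable listing requested here, as an added example that is not scan4log4shell's own code. It assumes the version can be read from the JAR's Maven pom.properties rather than from JndiManager.class bytecode, and the per-CVE fix versions are a constructed mapping (2.15.0 is the threshold the comment names); the sample JARs are built in memory.

```python
"""Classify log4j-core JARs: JndiLookup.class present? then version threshold.
Constructed example, not scan4log4shell's code."""
import io
import zipfile
from typing import Dict, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumed mapping: first version carrying a fix for each CVE in the scan output.
FIXED_IN = {"CVE-2021-44228": (2, 15, 0),
            "CVE-2021-45046": (2, 16, 0),
            "CVE-2021-45105": (2, 17, 0)}

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.strip().split("."))

def classify(jar: zipfile.ZipFile) -> Dict[str, str]:
    """Return {cve: 'good' | 'patched (...)' | 'vulnerable'} for one JAR."""
    names = set(jar.namelist())
    if POM_PROPS not in names:
        return {}  # not a log4j-core JAR: nothing to report
    props = dict(line.split("=", 1) for line in
                 jar.read(POM_PROPS).decode().splitlines()
                 if "=" in line and not line.startswith("#"))
    version = parse_version(props["version"])
    has_lookup = JNDI_LOOKUP in names
    verdict = {}
    for cve, fixed in FIXED_IN.items():
        if version >= fixed:
            verdict[cve] = "good"          # build is new enough
        elif cve == "CVE-2021-44228" and not has_lookup:
            verdict[cve] = "patched (no JndiLookup.class)"  # class removed
        else:
            verdict[cve] = "vulnerable"
    return verdict

def build_jar(version: str, with_lookup: bool) -> zipfile.ZipFile:
    """Constructed in-memory stand-in for a log4j-core JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"#generated\nversion={version}\n")
        if with_lookup:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes
    buf.seek(0)
    return zipfile.ZipFile(buf)

SAMPLES = {"log4j-core-2.16.0.jar": build_jar("2.16.0", True),
           "log4j-core-2.9.1.jar": build_jar("2.9.1", False),
           "log4j-core-2.9.1.unpatched.jar": build_jar("2.9.1", True)}

def report() -> Dict[str, Dict[str, str]]:
    return {name: classify(jar) for name, jar in SAMPLES.items()}
```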
Info about patched versions is now available.
from scan4log4shell.
Thanks for the addition.
- tested with version 0.13.0
[pi@centos7t01 scan4log4]$ ./scan4log4shell --version
scan4log4shell version 0.13.0
[pi@centos7t01 scan4log4]$ sudo ./scan4log4shell local /tmp/
[i] Log4Shell Local Vulnerability Scan
[!] Hit: possibly CVE-2021-45046 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[!] Hit: possibly CVE-2021-45105 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[!] Hit: possibly CVE-2021-44228 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[!] Hit: possibly CVE-2021-45046 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin.patched/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[!] Hit: possibly CVE-2021-45105 vulnerable file identified: /tmp/apache-log4j-2.9.1-bin.patched/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[i] Safe: possibly CVE-2021-44228 patched (no JndiLookup.class) file identified: /tmp/apache-log4j-2.9.1-bin.patched/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar
[i] Completed scanning
[pi@centos7t01 scan4log4]$
from scan4log4shell.