Comments (6)
Additional note: This problem is also not specific to WAR files. I encountered the same problem on various hosts also when using the tool on JAR files, or paths with JAR files in them.
from log4j-detector.
Also, the tool says "No vulnerable Log4J 2.x samples found in supplied paths: ..." even if there were errors.
Please kindly reconsider this. A tool should NOT say that everything is okay when there were errors (e.g. in my case, it didn't check ANY of the files successfully, but still summarizes that there are no vulnerabilities)! That seems dangerous to me.
Here's the full exception, including call stack.
-- Problem: /opt/tomcat/webapps/awi/WEB-INF/bundle/webui-logback.jar!/lib/logback-core-1.2.3.jar - java.io.EOFException: Unexpected end of ZLIB input stream
java.io.EOFException: Unexpected end of ZLIB input stream
at java.util.zip.InflaterInputStream.fill(Unknown Source)
at java.util.zip.InflaterInputStream.read(Unknown Source)
at java.util.zip.ZipInputStream.read(Unknown Source)
at java.util.zip.ZipInputStream.closeEntry(Unknown Source)
at java.util.zip.ZipInputStream.getNextEntry(Unknown Source)
at com.mergebase.log4j.Log4JDetector.findLog4jRecursive(Log4JDetector.java:205)
at com.mergebase.log4j.Log4JDetector.findLog4jRecursive(Log4JDetector.java:282)
at com.mergebase.log4j.Log4JDetector.scan(Log4JDetector.java:439)
at com.mergebase.log4j.Log4JDetector.analyze(Log4JDetector.java:499)
at com.mergebase.log4j.Log4JDetector.analyze(Log4JDetector.java:494)
at com.mergebase.log4j.Log4JDetector.analyze(Log4JDetector.java:494)
at com.mergebase.log4j.Log4JDetector.analyze(Log4JDetector.java:494)
at com.mergebase.log4j.Log4JDetector.analyze(Log4JDetector.java:494)
at com.mergebase.log4j.Log4JDetector.main(Log4JDetector.java:81)
Fixed in v2021.12.16.
Re: ". A tool should NOT say that everything is okay when there were errors" - I will create a new ticket to track this idea.
from log4j-detector.
p.s. I now leave the pre-built binaries (including older versions) in the root folder (built with Java 6 because I'm that nice).
p.p.s. There is a super-secret "--debug" flag that causes the tool to list every *.class file it examines.
Thanks, this is all very good news. Also many thanks for your work!
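As an added example (not log4j-detector's own code) of the fail-closed behaviour the reporter asks for above: a minimal recursive jar scanner in Python that records every nested archive it cannot read, in the same `outer.war!/inner.jar` notation the tool prints, and refuses to report CLEAN when any read error occurred. The JndiLookup class path used as the vulnerability marker and the in-memory sample jars are assumptions constructed for the example.

```python
import io
import zipfile

# Constructed example, not log4j-detector's code. Marker class that
# CVE-2021-44228 scanners look for inside Log4j 2.x jars (assumption).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, path: str, report: dict = None) -> dict:
    """Recursively scan a zip/jar blob held in memory.

    Every archive that cannot be opened or read is recorded in
    report["errors"] instead of being silently skipped, so that
    summarize() can fail closed rather than claim a clean result.
    """
    if report is None:
        report = {"hits": [], "errors": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
    except (zipfile.BadZipFile, EOFError, OSError) as exc:
        report["errors"].append(f"{path} - {type(exc).__name__}: {exc}")
        return report
    for name in names:
        if name == JNDI_LOOKUP_CLASS:
            report["hits"].append(path)
        elif name.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
            nested = f"{path}!/{name}"  # same notation the tool prints
            try:
                inner = zf.read(name)
            except (zipfile.BadZipFile, EOFError, OSError) as exc:
                report["errors"].append(f"{nested} - {type(exc).__name__}: {exc}")
                continue
            scan_archive(inner, nested, report)
    return report


def summarize(report: dict) -> str:
    """Fail closed: unreadable archives make the scan inconclusive, not clean."""
    if report["hits"]:
        return "VULNERABLE"
    if report["errors"]:
        return "INCONCLUSIVE"
    return "CLEAN"


def make_jar(entries: dict) -> bytes:
    """Build a small deflated jar in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Truncating a constructed inner jar (e.g. `make_jar(...)[:len(jar) // 2]`) and nesting it in a war reproduces the failure mode from this thread: one unreadable nested archive turns the verdict into INCONCLUSIVE instead of a false all-clear.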