Comments (9)
Thanks for this feedback! I agree 100% that log4j-over-slf4j is NOT log4j.
Looks like testing for presence of "log4j/DailyRollingFileAppender.class" would work much better. :-)
I figured out a cute technique just now for quickly getting an overview of which class files are in which jar files (essentially a type of bitfield):
```sh
cat b/files api/files api/files l1/files l1/files l1/files l1/files l2/files l2/files l2/files l2/files l2/files l2/files l2/files l2/files | sort | uniq -c | sort -n | less -S
```
b = log4j-over-slf4j-1.7.32.jar
api = log4j-1.2-api (maintained by log4j2 project)
l1 = log4j-1.1.3
l2 = log4j-1.2.17
According to that approach "log4j/DailyRollingFileAppender.class" is only in l1 and l2.
from log4j-detector.
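The weighted-repetition bitfield from the comment above, and the DailyRollingFileAppender.class marker it arrives at, as an added example (not log4j-detector's own code); the jar entry lists are constructed sample data reflecting the comment's findings, not real jar contents.

```python
"""Added example: jar i is weighted 2**i, so the per-class count is a bitmask of
which jars contain that class (same idea as repeating a jar's file list i times
before `sort | uniq -c`). Jars are built in memory from constructed entry lists."""
import io
import zipfile
from collections import Counter

# Constructed, abbreviated entry lists (real jars hold far more classes).
# Membership follows the thread: only the two real log4j 1.x jars carry
# DailyRollingFileAppender.class, while FileAppender.class is in all four.
SAMPLE_JARS = {
    "log4j-over-slf4j": ["org/apache/log4j/Logger.class",
                         "org/apache/log4j/FileAppender.class"],
    "log4j-1.2-api": ["org/apache/log4j/Logger.class",
                      "org/apache/log4j/FileAppender.class",
                      "org/apache/log4j/Category.class"],
    "log4j-1.1.3": ["org/apache/log4j/Logger.class",
                    "org/apache/log4j/FileAppender.class",
                    "org/apache/log4j/DailyRollingFileAppender.class"],
    "log4j-1.2.17": ["org/apache/log4j/Logger.class",
                     "org/apache/log4j/FileAppender.class",
                     "org/apache/log4j/DailyRollingFileAppender.class",
                     "org/apache/log4j/net/JMSAppender.class"],
}

def build_jar(entries):
    """Write an in-memory jar (a zip) with an empty file per entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()

def class_entries(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n for n in zf.namelist() if n.endswith(".class")}

def membership_bitfield(jars):
    """Map class path -> bitmask; bit i set means the i-th jar contains it."""
    counts = Counter()
    for i, jar_bytes in enumerate(jars.values()):
        for cls in class_entries(jar_bytes):
            counts[cls] += 1 << i
    return dict(counts)

def is_real_log4j1(jar_bytes):
    """Marker the thread settles on: bridges/shims lack this class."""
    return "org/apache/log4j/DailyRollingFileAppender.class" in class_entries(jar_bytes)

JARS = {name: build_jar(entries) for name, entries in SAMPLE_JARS.items()}

if __name__ == "__main__":
    for cls, mask in sorted(membership_bitfield(JARS).items(), key=lambda kv: kv[1]):
        print(f"{mask:2d} {cls}")
    for name, data in JARS.items():
        print(name, "-> log4j 1.x" if is_real_log4j1(data) else "-> shim, not log4j 1.x")
```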
Same question here: how is this dependency on Log4j 1.x in here? I cannot find it.
log4j-over-slf4j-1.7.21.jar contains Log4J-1.x <= 1.2.17 OLD :-|
Because log4j-over-slf4j is replacing log4j classes, I think the string path match does not work for this. "log4j/FileAppender.class" can be the same in log4j-over-slf4j and the log4j libs.
Fixed. Such a small fix I'm not bothering to increment the version, and I just replaced current v2021.12.16 pre-built binary with this fix.
Top, great effort! 👍
Hi all, great effort and many thanks.
Could you please advise how much time it will take to complete the scan and generate the report?
Hi all,
Please advise how much time it will take to complete?
On my servers it is taking a long time, but it is not writing anything other than the first lines, like below:
-- github.com/mergebase/log4j-detector v2021.12.16 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
/appl/dcvs3sc/backup/webServiceStub.war!/WEB-INF/lib/log4j-1.2.17.jar contains Log4J-1.x <= 1.2.17 OLD :-|
What version of the scanner are you using? How are you invoking it (e.g., as which user, and against which path)? How large are the disks you are scanning?
Are you including the "--verbose" flag? There is also an undocumented "--debug" flag you can add as well.
Here's my favourite way to run it (as root on a Linux box):
```sh
time java -jar log4j-detector-2021.12.16.jar --verbose / > hits.txt
```
Hi team,
I am running it under the root user and am using the 12.16 version.
I did not use the verbose option.
Let me try.
Many thanks for the update.