Version 1 may very well be vulnerable. about log4j-detector HOT 11 CLOSED

That's a very weird jar file. It definitely contains Log4J 2.12.1.

I think it also has log4j-1.2-api-2.12.1.jar blended in there (from here: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-1.2-api/2.12.1/ ).

from log4j-detector.

Okay ! We can do this easily.

(Note: Log4J 1.2.x never interpolates log messages and so things like "${anything}" always remain "${anything}" in a log message on Log4J 1.2.x. There is no way for someone just interacting as a normal user with a Java system on Log4J 1.2.x to cause anything remotely similar to this bug.)

from log4j-detector.

Hi,
ich checked one of our windows systems:
oracle_common\modules\thirdparty\log4j-1.2.17.jar contains Log4J-2.x >= 2.10.0 VULNERABLE :-(

Is this a bug, or can I ignore this output? I thought 1.2.17 is not affected?

from log4j-detector.

@carstenjaeckel
I've tried to scan elastisearch-2.4.6 which is also using log4j-1.2.17.jar but it was not reported as vulnerable.

-- No vulnerable Log4J 2.x samples found in supplied paths: [/opt/local/elasticsearch-2.4.6]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)

P.S. checked on macOS Big Sur

from log4j-detector.

Hi,

maybe the tool is looking for the file ending (1.2.17.jar)?

from log4j-detector.

@carstenjaeckel - are you able to share that file "oracle_common\modules\thirdparty\log4j-1.2.17.jar" ? I suspect that particular file has been misnamed by Oracle in this case and actually contains Log4j-2.x, despite its name.

(Because the detector looks for file names and actual byte patterns that would only ever occur in Log4-2.x, I doubt this is a false positive.)

from log4j-detector.

Hi,

sure.
log4j-1.2.17.jar.zip

from log4j-detector.

For example, notice the canonical version of Log4j-1.2.17 is 490KB (https://repo1.maven.org/maven2/log4j/log4j/1.2.17/).

Whereas the "log4j-1.2.17.jar" you shared is 2.0 MB.

from log4j-detector.

Hi,

yeah, but Oracle already confirmed that the product this files belongs to (Fusion Middleware) is affected by the issue, so I have to wait until they fix it. Thanks for your effort.

from log4j-detector.

FYI - 1.2.17 is not vulnerable to the Log4Shell CVE. It does itself have an older 2019 CVE which is not great, but that's a separate concern.

from log4j-detector.

It reports on detected Log4J 1.x versions now:

/var/tmp/ll/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.13.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.15.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.4.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.8.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|

from log4j-detector.