Comments (11)
That's a very weird jar file. It definitely contains Log4J 2.12.1.
I think it also has log4j-1.2-api-2.12.1.jar blended in there (from here: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-1.2-api/2.12.1/ ).
from log4j-detector.
Okay! We can do this easily.
(Note: Log4J 1.2.x never interpolates log messages and so things like "${anything}" always remain "${anything}" in a log message on Log4J 1.2.x. There is no way for someone just interacting as a normal user with a Java system on Log4J 1.2.x to cause anything remotely similar to this bug.)
Hi,
I checked one of our Windows systems:
oracle_common\modules\thirdparty\log4j-1.2.17.jar contains Log4J-2.x >= 2.10.0 VULNERABLE :-(
Is this a bug, or can I ignore this output? I thought 1.2.17 is not affected?
@carstenjaeckel
I've tried to scan elasticsearch-2.4.6 which is also using log4j-1.2.17.jar but it was not reported as vulnerable.
-- No vulnerable Log4J 2.x samples found in supplied paths: [/opt/local/elasticsearch-2.4.6]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)
P.S. checked on macOS Big Sur
Hi,
maybe the tool is looking for the file ending (1.2.17.jar)?
@carstenjaeckel - are you able to share that file "oracle_common\modules\thirdparty\log4j-1.2.17.jar" ? I suspect that particular file has been misnamed by Oracle in this case and actually contains Log4j-2.x, despite its name.
(Because the detector looks for file names and actual byte patterns that would only ever occur in Log4j-2.x, I doubt this is a false positive.)
Hi,
sure.
log4j-1.2.17.jar.zip
For example, notice the canonical version of Log4j-1.2.17 is 490KB (https://repo1.maven.org/maven2/log4j/log4j/1.2.17/).
Whereas the "log4j-1.2.17.jar" you shared is 2.0 MB.
Hi,
yeah, but Oracle already confirmed that the product this file belongs to (Fusion Middleware) is affected by the issue, so I have to wait until they fix it. Thanks for your effort.
FYI - 1.2.17 is not vulnerable to the Log4Shell CVE. It does itself have an older 2019 CVE which is not great, but that's a separate concern.
It reports on detected Log4J 1.x versions now:
/var/tmp/ll/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.13.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.15.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.17.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.4.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/var/tmp/ll/log4j-1.2.8.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
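The two threads above (the misnamed Oracle "log4j-1.2.17.jar" that really bundles Log4j 2.x, and the later 1.x reporting) both come down to one practice: classify a jar by what is inside it, never by its file name. The script below is an added example, not log4j-detector's code. It reads a jar as a zip, looks for the entry names and Maven pom.properties that identify log4j-core 2.x (including the JndiLookup class behind `${jndi:...}`) and genuine log4j 1.x, and prints a detector-style verdict together with the size and entry count, which is the quick sanity check used above (a real 1.2.17 is about 490 KB; a 2 MB one is something else). The sample jars are constructed in memory with placeholder class bytes; the version threshold for CVE-2021-44228 (2.0-beta9 through 2.14.1) is applied only when a JndiLookup class is actually present.

```python
"""Classify a jar by content, not by its file name (added example, not
log4j-detector's own code). Sample jars are constructed in memory."""
import io
import re
import sys
import zipfile

# Only log4j-core 2.x ships this class; it implements the ${jndi:...} lookup.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# log4j 1.x lives under org/apache/log4j/ with Maven groupId "log4j".
# The 2.x bridge (log4j-1.2-api) uses the same package, so the package alone
# does not prove a genuine 1.x; the 1.x pom.properties path does.
LOG4J1_PREFIX = "org/apache/log4j/"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"


def _pom_version(zf, names, entry):
    """Return the version= value from a pom.properties entry, or None."""
    if entry not in names:
        return None
    for line in zf.read(entry).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def classify_jar(data):
    """Inspect jar bytes and report what is inside, ignoring the file name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        return {
            "size": len(data),
            "entries": len(names),
            "log4j2_core": any(n.startswith(CORE_PREFIX) for n in names),
            "jndi_lookup": JNDI_LOOKUP in names,
            "log4j2_version": _pom_version(zf, names, CORE_POM),
            "log4j1": any(n.startswith(LOG4J1_PREFIX) for n in names),
            "log4j1_version": _pom_version(zf, names, LOG4J1_POM),
        }


def affected_by_cve_2021_44228(version):
    """True for log4j-core 2.0-beta9 .. 2.14.1, the CVE-2021-44228 range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m or int(m.group(1)) != 2:
        return False
    return (int(m.group(2)), int(m.group(3) or 0)) < (15, 0)


def verdict(info):
    """Detector-style one-liner derived from the content findings."""
    if info["jndi_lookup"]:
        v = info["log4j2_version"] or "unknown version"
        flag = "VULNERABLE" if affected_by_cve_2021_44228(v) else "check version"
        return "Log4J-2.x %s, JndiLookup present: %s" % (v, flag)
    if info["log4j2_core"]:
        v = info["log4j2_version"] or "unknown version"
        return "Log4J-2.x %s, JndiLookup class removed" % v
    if info["log4j1"]:
        v = info["log4j1_version"] or "unknown version"
        return "Log4J-1.x %s, not affected by CVE-2021-44228" % v
    return "no Log4J classes found"


def _build_jar(entries):
    """Constructed sample jar: entry names matter, class bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed: what a genuine log4j-1.2.17.jar looks like to this scanner.
GENUINE_1217 = _build_jar({
    "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
    LOG4J1_POM: b"version=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
})

# Constructed: a jar *named* like 1.2.17 that bundles log4j-core 2.12.1 plus
# the 1.2 bridge package, the shape discussed in the thread above.
MISNAMED_1217 = _build_jar({
    "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
    CORE_PREFIX + "Logger.class": b"\xca\xfe\xba\xbe",
    JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
    CORE_POM: b"version=2.12.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
})

if __name__ == "__main__":
    samples = [("genuine log4j-1.2.17.jar", GENUINE_1217),
               ("misnamed log4j-1.2.17.jar", MISNAMED_1217)]
    for path in sys.argv[1:]:  # real jars given on the command line, if any
        with open(path, "rb") as fh:
            samples.append((path, fh.read()))
    for label, data in samples:
        info = classify_jar(data)
        print("%s (%d bytes, %d entries): %s"
              % (label, info["size"], info["entries"], verdict(info)))
```

Run it with real paths (`python classify_jar.py oracle_common/modules/thirdparty/log4j-1.2.17.jar`) to see the verdict for an actual file; the two built-in samples show the file-name trap directly. Note that a 2.x jar whose JndiLookup class has been deleted is reported separately rather than as safe, since that mitigation only addresses the JNDI lookup and the version still needs checking against later CVEs.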
Related Issues (20)
- Detection of potentially safe log4j 1.x after manual mitigation
- fix --exclude example in README
- Shaded Log4j class JndiLookup not found
- java.util.zip.ZipException: invalid entry size (expected 0 but got 622 bytes)
- version 2021.12.20 not redirecting output anymore (in Windows)
- Simple test using sample files outputs no status
- Detection of Log4j 1.x as vulnerable
- great idea but can be enhanced
- Some archives are not detected when using Java 8
- Scan OSGI .kar and .par archives
- Scan .car files
- New log4j 2.17.0 CVE that can lead to RCE
- log4j CVEs
- Output fixing / adjustment
- IDEA: Show a _SAFE_ when nothing found
- Don't handle *.gwtar and other normal files ending with *ar as archives
- Incomplete pathnames
- Weird new File("blah") in nextByte
- Exploded jar not detected under Windows
- reload4j raised as log4j-1.x vulnerability