log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch

Overview


log4j2-scan is a single-binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patching. It also scans and patches nested JAR files, and it detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-44832 (log4j 2.17.0), CVE-2021-4104, CVE-2019-17571, CVE-2017-5645, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7).

Download

Build

How to use

Just run log4j2-scan.exe or log4j2-scan with the target directory path. The logpresso-log4j2-scan.jar should work with JRE/JDK 7+.

The --fix option is supported for the following vulnerabilities:

  • Log4j v2
    • CVE-2021-44228 (JndiLookup)
    • CVE-2021-45046 (JndiLookup)
  • Log4j v1
    • CVE-2021-4104 (JMSAppender)
    • CVE-2019-17571 (SocketServer)
    • CVE-2017-5645 (SocketServer)
    • CVE-2020-9488 (SMTPAppender)
    • CVE-2022-23302 (JMSSink)
    • CVE-2022-23305 (JDBCAppender)
    • CVE-2022-23307 (chainsaw package)

The --fix option does not mitigate the following vulnerabilities:

  • Log4j v2 - CVE-2021-45105 (DoS)
  • Logback - CVE-2021-42550

Usage

Logpresso CVE-2021-44228 Vulnerability Scanner 2.9.0 (2022-02-02)
Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2

-f [config_file_path]
        Specify config file path which contains scan target paths.
        Paths should be separated by new line. Prepend # for comment.
--scan-log4j1
        Enables scanning for log4j 1 versions.
--scan-logback
        Enables scanning for logback CVE-2021-42550.
--scan-zip
        Scan also .zip extension files. This option may slow down scanning.
--zip-charset
        Specify an alternate zip encoding other than utf-8. System default charset is used if not specified.
--fix
        Backup original file and remove JndiLookup.class from JAR recursively.
        With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class,
        JMSSink.class, JDBCAppender.class, and all classes of org.apache.log4j.chainsaw package
--force-fix
        Do not prompt confirmation. Don't use this option unless you know what you are doing.
--restore [backup_file_path]
        Unfix JAR files using zip archived file.
--backup-path [zip_output_path]
        Specify backup file path.
--backup-ext [zip]
        Specify backup file extension. zip by default.
        If --backup-path is specified, this option is ignored.
--all-drives
        Scan all drives on Windows
--drives c,d
        Scan specified drives on Windows. Spaces are not allowed here.
--no-symlink
        Do not detect symlink as vulnerable file.
--exclude [path_prefix]
        Path prefixes of directories whose absolute path starts with the specified value will be excluded.
        Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs
--exclude-config [config_file_path]
        Specify exclude path prefix list in text file. Paths should be separated by new line. Prepend # for comment.
--exclude-pattern [pattern]
        Exclude specified paths of directories by pattern. Supports fragments.
        You can specify multiple --exclude-pattern [pattern] pairs (non regex)
--exclude-file-config [config_file_path]
        Specify exclude file path list in text file. Paths should be separated by new line. Prepend # for comment.
--exclude-fs nfs,tmpfs
        Exclude paths by file system type. nfs, nfs3, nfs4, afs, cifs, autofs, tmpfs, devtmpfs, fuse.sshfs and iso9660 are ignored by default.
--syslog-udp [host:port]
        Send reports to remote syslog host.
        Send vulnerable, potentially vulnerable, and mitigated reports by default.
--syslog-level [level]
        Send reports only if report is higher or equal to specified level.
        Specify alert for vulnerable and potentially vulnerable reports.
        Specify info for vulnerable, potentially vulnerable, and mitigated reports.
        Specify debug for vulnerable, potentially vulnerable, mitigated, and error reports.
--syslog-facility [code]
        Default value is 16 (LOCAL0). Facility value must be in the range of 0 to 23 inclusive.
--rfc5424
        Follow RFC5424 The Syslog Protocol strictly.
--report-csv
        Generate log4j2_scan_report_yyyyMMdd_HHmmss.csv in working directory if not specified otherwise via --report-path [path]
--report-json
        Generate log4j2_scan_report_yyyyMMdd_HHmmss.json in working directory if not specified otherwise via --report-path [path]
--report-path
        Specify report output path including filename. Implies --report-csv.
--report-dir
        Specify report output directory. Implies --report-csv.
--no-empty-report
        Do not generate empty report.
--csv-log-path
        Specify csv log file path. If log file exists, log will be appended.
--json-log-path
        Specify json log file path. If log file exists, log will be appended.
--old-exit-code
        Return sum of vulnerable and potentially vulnerable files as exit code.
--debug
        Print exception stacktrace for debugging.
--trace
        Print all directories and files while scanning.
--silent
        Do not print progress message.
--throttle
        Limit scan files per second.
--help
        Print this help.

On Windows

log4j2-scan [--fix] target_path

On Linux

./log4j2-scan [--fix] target_path

On UNIX (AIX, Solaris, and so on)

java -jar logpresso-log4j2-scan-2.9.0.jar [--fix] target_path

If you add the --fix option, this program copies each vulnerable original JAR file to a .bak file and creates a new JAR file without the org/apache/logging/log4j/core/lookup/JndiLookup.class entry. All .bak files are then archived into a single zip file named log4j2_scan_backup_yyyyMMdd_HHmmss.zip, after which the .bak files are deleted. In most environments the JNDI lookup feature is not used; nevertheless, you use this option at your own risk. You can restore the original (vulnerable) JAR files with the --restore option.

Depending on the operating system:

  • Windows: shut down any running JVM process before applying the patch, because a running JVM keeps its JAR files locked. Start the affected JVM process again after the fix.
  • Linux/macOS: apply the patch, then restart the JVM. A running JVM has already loaded the vulnerable classes into memory, so the patch only takes effect after a restart.

If you want to automate the patch job, use the --force-fix option. With this option the program no longer prompts for confirmation.

The (mitigated) tag is displayed if the org/apache/logging/log4j/core/lookup/JndiLookup.class entry has been removed from the JAR file.

If you add the --trace option, this program prints all visited directories and files. Use this option only for debugging.

On Windows:

CMD> log4j2-scan.exe D:\tmp
[*] Found CVE-2021-44228 vulnerability in D:\tmp\elasticsearch-7.16.0\bin\elasticsearch-sql-cli-7.16.0.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\elasticsearch-7.16.0\lib\log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\flink-1.14.0\lib\log4j-core-2.14.1.jar, log4j 2.14.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\logstash-7.16.0\logstash-core\lib\jars\log4j-core-2.14.0.jar, log4j 2.14.0
[*] Found CVE-2021-44228 vulnerability in D:\tmp\logstash-7.16.0\vendor\bundle\jruby\2.5.0\gems\logstash-input-tcp-6.2.1-java\vendor\jar-dependencies\org\logstash\inputs\logstash-input-tcp\6.2.1\logstash-input-tcp-6.2.1.jar, log4j 2.9.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-7.7.3\solr-7.7.3\contrib\prometheus-exporter\lib\log4j-core-2.11.0.jar, log4j 2.11.0
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-7.7.3\solr-7.7.3\server\lib\ext\log4j-core-2.11.0.jar, log4j 2.11.0
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-8.11.0\contrib\prometheus-exporter\lib\log4j-core-2.14.1.jar, log4j 2.14.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-8.11.0\server\lib\ext\log4j-core-2.14.1.jar, log4j 2.14.1

Scanned 5047 directories and 26251 files
Found 9 vulnerable files
Completed in 0.42 seconds

How it works

The scan runs in 6 steps:

  1. Find all .jar, .war, .ear, .aar, .rar, .nar files recursively (archives nested inside them are scanned as well).
  2. Look for the META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties entry in the JAR file.
  3. Read groupId, artifactId, and version from it.
  4. Compare the log4j2 version against the affected ranges and report the file if the version is vulnerable. If the JndiLookup.class entry is already gone, the file is reported as mitigated instead.
  5. If the --fix option is used, back up the vulnerable file and patch it.
    • For example, the original vulnerable.jar is copied to vulnerable.jar.bak
  6. Archive all backup files into the zip file log4j2_scan_backup_yyyyMMdd_HHmmss.zip, then delete the .bak files.
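The six steps above and the --fix behaviour described earlier, as an added Python example that is not Logpresso's code. It walks a directory, recurses into nested archives, reads the log4j-core pom.properties, compares the version against per-branch fix versions, reports (mitigated) when JndiLookup.class is absent, and patches a JAR by copying it to .bak and rewriting it without that entry. Assumptions: the first-affected and fixing releases are taken from the Apache Log4j advisories (2.3.1/2.3.2, 2.12.2/2.12.3/2.12.4, 2.15.0/2.16.0/2.17.0/2.17.1); version qualifiers are ordered beta < rc < final; the JARs built by demo() are constructed with only the metadata entries the scanner looks at. Unlike the real tool, it patches only top-level files and does not collect the .bak files into a zip.

```python
# Added example (not Logpresso's code): a Python model of the scan and --fix procedure
# above: nested archives, version check, the (mitigated) decision and the .bak backup.
# Per-branch fix versions are taken from the Apache advisories; demo()'s JARs are constructed.
import io
import os
import re
import shutil
import tempfile
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".aar", ".rar", ".nar")
JNDI_CVES = {"CVE-2021-44228", "CVE-2021-45046"}  # what removing JndiLookup mitigates
# First affected release, and the fixing release per maintenance branch.
FIRST_AFFECTED = {"CVE-2021-44228": "2.0-beta9", "CVE-2021-45046": "2.0-beta9",
                  "CVE-2021-45105": "2.0-beta9", "CVE-2021-44832": "2.0-beta7"}
FIXED_IN = {"CVE-2021-44228": {"2.3": "2.3.1", "2.12": "2.12.2", "*": "2.15.0"},
            "CVE-2021-45046": {"2.3": "2.3.1", "2.12": "2.12.2", "*": "2.16.0"},
            "CVE-2021-45105": {"2.3": "2.3.1", "2.12": "2.12.3", "*": "2.17.0"},
            "CVE-2021-44832": {"2.3": "2.3.2", "2.12": "2.12.4", "*": "2.17.1"}}

def parse_version(text):
    """'2.0-beta9' -> (2,0,0,0,9); '2.0-rc1' -> (2,0,0,1,1); '2.14.1' -> (2,14,1,2,0)."""
    base, _, qualifier = text.partition("-")
    nums = [int(x) for x in base.split(".")] + [0, 0]
    stage, num = 2, 0                                    # 2 = final release
    m = re.match(r"(beta|rc)(\d*)$", qualifier)
    if m:
        stage, num = (0 if m.group(1) == "beta" else 1), int(m.group(2) or 0)
    return (nums[0], nums[1], nums[2], stage, num)

def affected_cves(version):
    """CVEs whose affected range contains this log4j-core version."""
    pv = parse_version(version)
    branch = ".".join(version.partition("-")[0].split(".")[:2])
    hits = []
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(branch, fixes["*"])
        if parse_version(FIRST_AFFECTED[cve]) <= pv < parse_version(fixed):
            hits.append(cve)
    return hits

def inspect_jar(data, path):
    """Classify one archive held in memory, then recurse into archives nested in it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM in names:
            m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else "?"
            cves = affected_cves(version)
            mitigated = JNDI not in names and "CVE-2021-44228" in cves
            remaining = [c for c in cves if not (mitigated and c in JNDI_CVES)]
            status = "MITIGATED" if mitigated else ("VULNERABLE" if cves else "CLEAN")
            findings.append((path, version, status, remaining))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):        # nested JAR/WAR/EAR entry
                findings += inspect_jar(zf.read(name), path + "!" + name)
    return findings

def scan_dir(root):
    """Walk root; symlinks are skipped (as with --no-symlink) so a link is not a second JAR."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ARCHIVE_EXT) and not os.path.islink(full):
                with open(full, "rb") as fh:
                    findings += inspect_jar(fh.read(), full)
    return findings

def fix_jar(path):
    """Copy the JAR to path.bak, then rewrite it without the JndiLookup.class entry."""
    shutil.copy2(path, path + ".bak")
    with zipfile.ZipFile(path + ".bak") as src, zipfile.ZipFile(path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI:
                dst.writestr(info, src.read(info.filename))

def make_jar(target, version, nested=None):
    """Constructed sample JAR holding only the entries the scanner looks at."""
    with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI, b"\xca\xfe\xba\xbe")           # placeholder, not real bytecode
        if nested:
            zf.writestr("lib/inner.jar", nested)
    return target

def demo():
    """Scan, fix the top-level hits, rescan; returns {relative path: status} before and after."""
    tmp = tempfile.mkdtemp()
    make_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
    make_jar(os.path.join(tmp, "app.war"), "2.17.1", nested=make_jar(io.BytesIO(), "2.9.1").getvalue())
    before = {p[len(tmp) + 1:]: s for p, _v, s, _c in scan_dir(tmp)}
    for p, _v, s, _c in scan_dir(tmp):
        if s == "VULNERABLE" and "!" not in p:            # nested entries are not patched here
            fix_jar(p)
    after = {p[len(tmp) + 1:]: (s, c) for p, _v, s, c in scan_dir(tmp)}
    shutil.rmtree(tmp)
    return before, after
```

Two details matter in practice. A patched 2.14.1 is reported as mitigated but still carries CVE-2021-45105 and CVE-2021-44832, which matches the README's statement that --fix does not cover the DoS issue; the only real fix is upgrading. And the copy of log4j-core that sits inside app.war is found but not patched by this script, whereas the real tool does patch nested archives.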

Exit code for automation

  • -1 failed to run
  • 0 for clean (No vulnerability)
  • 1 for found
  • 2 for some errors

Tool Integrations

Reporting

If you need centralized logging and reporting, contact [email protected] for more information.

Logpresso Scanner Report

Contact

If you have any question or issue, create an issue in this repository.

About Logpresso

Logpresso is a leading company in the AI and big data industry located in South Korea. Logpresso provides SIEM, SOAR, Log management, and FDS solutions with its own big data platform.

Comments
  • Even if NFS is ignored, symbolic links to NFS are scanned

    Would it be possible to have an option which would prevent following symbolic links? Because even if NFS mounts are excluded, one has to explicitly exclude also symbolic links which would point to an NFS share.

    discussion patch released 
    opened by vongillus 21
  • Allow exclusions by filesystem type

    Though this is really specific to Unix, really need an option to exclude by filesystem type.

    This is because we have numerous servers with network drives with various mount points.

    We need to exclude all network drives (nfs, cifs, etc).

    Exclusion by path name is difficult to utilize.

    enhancement patch released 
    opened by MrPippin66 21
  • unable to report-csv or custom csv report path on windows at least

    Hi there, firstly, thanks for this hard work, its great!

    I was doing some testing and I am using the OpenJDK 11 latest JRE compressed zip file to run the jar file. Windows 2012 R2 and 2016 are hitting a problem and are unable to export CSV; here is the debug log. Using the exact same scanner version and exact same OpenJDK 11 JRE on Windows 10, though, does not exhibit this issue and I get the expected CSV output.

    EDIT: I ran the exact same command on working Windows 10 system, and I have the exact same error as on the Server OS's however the CSV file generates just fine. Intriguing!

    Can you please assist? Thanks again!

    Download page: https://adoptium.net/releases.html?variant=openjdk11&jvmVariant=hotspot Direct download link: https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.13%2B8/OpenJDK11U-jre_x64_windows_hotspot_11.0.13_8.zip

    c:\Users\mario\Desktop>"c:\Users\mario\Desktop\log4j_scan\openjdk\jdk-11.0.13+8-jre\bin\java.exe" -jar "c:\Users\mario\Desktop\log4j_scan\logpresso-log4j2-scan-1.7.0.jar" --drives C --silent --report-csv --debug
    
    java.io.IOException: Cannot run program "df": CreateProcess error=2, The system cannot find the file specified
    	at java.base/java.lang.ProcessBuilder.start(Unknown Source)
    	at java.base/java.lang.ProcessBuilder.start(Unknown Source)
    	at java.base/java.lang.Runtime.exec(Unknown Source)
    	at java.base/java.lang.Runtime.exec(Unknown Source)
    	at java.base/java.lang.Runtime.exec(Unknown Source)
    	at com.logpresso.scanner.LinuxPartitionLoader.getPartitions(LinuxPartitionLoader.java:34)
    	at com.logpresso.scanner.LinuxPartitionLoader.getExcludePaths(LinuxPartitionLoader.java:24)
    	at com.logpresso.scanner.Log4j2Scanner.parseArguments(Log4j2Scanner.java:316)
    	at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:101)
    	at com.logpresso.scanner.Log4j2Scanner.main(Log4j2Scanner.java:87)
    Caused by: java.io.IOException: CreateProcess error=2, The system cannot find the file specified
    	at java.base/java.lang.ProcessImpl.create(Native Method)
    	at java.base/java.lang.ProcessImpl.<init>(Unknown Source)
    	at java.base/java.lang.ProcessImpl.start(Unknown Source)
    	... 10 more
    Logpresso CVE-2021-44228 Vulnerability Scanner 1.7.0 (2021-12-17)
    
    Scanned 22706 directories and 108838 files
    Found 0 vulnerable files
    Found 0 potentially vulnerable files
    Found 0 mitigated files
    Completed in 9.30 seconds
    
    
    enhancement patch released 
    opened by i286 19
  • Wrong format of the syslog messages

    Your syslog message looks at the moment like this

    <133>{"time": "2022-01-01 19:35:25+0100", "hostname": "checkmk", "path": "/usr/bin/pycharm/pycharm-community-2021.1.3/lib/log4j.jar", "entry": "", "product": "Log4j 1", "version": "1.2.17.2", "cve": "CVE-2021-4104", "status": "MITIGATED", "fixed": false}

    According to RFC5424 the header (the stuff before the STRUCTURED-DATA/MESSAGE) should look like this

    PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID

    followed by SP STRUCTURED-DATA [SP MSG] (structured data must always be encoded in UTF-8). If the MESSAGE is UTF-8 encoded it must start with the BOM (BOM = %xEF.BB.BF).

    You are using only the PRI (Facility/Severity) field (<133>) and the Message. This causes problems with some syslog implementations as they expect the message to be like in the RFC.

    If you want to skip optional fields you can use the NILVALUE (-).

    So your syslog message should look at least like this

    <133> 1 - - - - - - {your message}

    It would be nice to have the TIMESTAMP, HOSTNAME and APP-NAME populated like this (skipped PROCID, MSGID and STRUCTURED-DATA)

    <133> 1 2022-01-01T23:20:50.52Z CHECKMK LOG4J-SCANNER - - - {your message}

    enhancement patch released 
    opened by thl-cmk 18
  • .jar Files not being fixed with --fix parameter

    Using the --fix parameter is not working for the .jar file below:

    C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar 1.2.17 POTENTIALLY_VULNERABLE

    The output of log4j2-scan.exe (Ver. 2.2.0) looks like this:

    C:\Temp\Logpresso\logpresso-log4j2-scan-2.2.0-win64>log4j2-scan.exe --fix "C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar"
    Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.0 (2021-12-18)
    This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
    Scanning directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar
    
    Scanned 0 directories and 1 files
    Found 0 vulnerable files
    Found 0 potentially vulnerable files
    Found 0 mitigated files
    Fixed 0 vulnerable files
    Completed in 0.00 seconds
    

    Every hint is highly appreciated.

    Thank you.

    enhancement patch released 
    opened by latency0ms 15
  • CVE-2021-44832: RCE in log4j 2.17.0

    log4j 2.17.1 has been released to resolve CVE-2021-44832, a new RCE

    Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

    enhancement patch released 
    opened by adammike 14
  • provide an option for one-line-logs in a file

    It would be good to have an option to log into a logfile in i.e. syslog style.

    Because... Here's something else I've been thinking about. If a host was potentially attackable, it would be useful to know later which one it was. If an attacker was fast and infected the host, maybe he could place a trojan or something to activate it later.

    A single line logfile is easy to parse and/or logrotated or shipped to checkmk logwatch or Elastic Stack (with or without machine learning), Graylog, ...

    Hey... and DO NOT USE LOG4J :-D

    enhancement patch released 
    opened by doctore74 14
  • Getting Error file is locked even after moving .jar file do a different system and trying to fix

    I'm getting file is "locked by other process" even if I copied the files to a different system to try and run the scan on them. Have you seen this before?

    C:\Admin>log4j2-scan.exe --force-fix --debug "C:\Program Files\Tableau\Tableau 2021.3"
    Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.6 (2021-12-20)
    Scanning directory: C:\Program Files\Tableau\Tableau 2021.3
    [*] Found CVE-2021-44228 (log4j 2.x) vulnerability in C:\Program Files\Tableau\Tableau 2021.3\bin\jdbcserver.jar, log4j 2.13.1
    [*] Found CVE-2021-44228 (log4j 2.x) vulnerability in C:\Program Files\Tableau\Tableau 2021.3\bin\oauthservice.jar, log4j 2.13.1
    [*] Found CVE-2021-44228 (log4j 2.x) vulnerability in C:\Program Files\Tableau\Tableau 2021.3\bin32\jdbcserver.jar, log4j 2.13.1
    [*] Found CVE-2021-44228 (log4j 2.x) vulnerability in C:\Program Files\Tableau\Tableau 2021.3\bin32\oauthservice.jar, log4j 2.13.1
    
    Error: File is locked by other process. Skipping C:\Program Files\Tableau\Tableau 2021.3\bin32\jdbcserver.jar
    Error: File is locked by other process. Skipping C:\Program Files\Tableau\Tableau 2021.3\bin32\oauthservice.jar
    Error: File is locked by other process. Skipping C:\Program Files\Tableau\Tableau 2021.3\bin\jdbcserver.jar
    Error: File is locked by other process. Skipping C:\Program Files\Tableau\Tableau 2021.3\bin\oauthservice.jar
    
    Scanned 352 directories and 5359 files
    Found 4 vulnerable files
    Found 0 potentially vulnerable files
    Found 0 mitigated files
    Fixed 0 vulnerable log4j2 files and potentially vulnerable log4j1 files
    Completed in 3.19 seconds

    enhancement discussion patch released 
    opened by arnarthor88 13
  • Scan error: 'Index -1 out of bounds for length 0

    Hi,

    Seems like zip file scanning is running into an error Scan error: 'Index -1 out of bounds for length 0' on file: C:\Users\uie13286.VT1\Downloads\OneDrive_1_11-15-2021.zip

    and Scan error: 'malformed input off : 98, length : 1' on file: C:\Users\uix08287\Desktop\IE-DFSS-15-0003 (2).zip Scan error: 'malformed input off : 82, length : 1' on file: C:\Users\uix08287\Desktop\IE-DFSS-15-0003.zip

    enhancement patch released 
    opened by AlexMilotin 13
  • Scanner is still treating symlinks as jar files on linux

    I did update the previous issue I opened about symlinks, but that issue has already been closed and I don't think the update I made has been seen there. I have pulled, rebuilt, and re-tested. There are still issues with handling symlinks to jar files.

    I have a bash script I'm using to cleanup, build, setup, and test. I'm looking for a way to attach it here, if I find one I'll do so. I don't have maven, tried installing it but it fails to build the scanner with maven plugin errors I don't want to spend time right now to resolve. . My java experience is from 2002 so I'm resorting to bash scripts for build and test.

    find test -ls
      1049724      4 drwxrwxr-x   4 joi      joi          4096 Dec 14 10:33 test
      1053429      4 drwxrwxr-x   2 joi      joi          4096 Dec 14 10:45 test/dir\ with\ spaces
      1049569   1556 -rw-r--r--   1 joi      joi       1590537 Sep 10  2019 test/dir\ with\ spaces/log4j-core.jar
      1053443      4 drwxrwxr-x   2 joi      joi          4096 Dec 14 10:45 test/test-symlink
      1051275   1556 -rw-r--r--   1 joi      joi       1590537 Sep 10  2019 test/test-symlink/log4j-core.jar
      1053445      0 lrwxrwxrwx   1 joi      joi            14 Dec 14 10:34 test/test-symlink/mytestlink.jar -> log4j-core.jar
    
    # verify bad jar is detected twice
    java -jar scanner.jar test
    Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.0 (2021-12-15)
    [*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/dir with spaces/log4j-core.jar, log4j 2.11.2
    [*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/log4j-core.jar, log4j 2.11.2
    [*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/mytestlink.jar, log4j 2.11.2
    
    Scanned 3 directories and 3 files
    Found 3 vulnerable files
    Completed in 0.03 seconds
    

    Running with --fix creates a .bak file for all jars it thinks it detected, including the symlinks.

    joi@desktop2004:~/working-dir/CVE-2021-44228-Scanner$ java -jar scanner.jar --fix test
    This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
    Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.0 (2021-12-15)
    [*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/dir with spaces/log4j-core.jar, log4j 2.11.2
    [*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/log4j-core.jar, log4j 2.11.2
    [*] Found CVE-2021-44228 vulnerability in /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/mytestlink.jar, log4j 2.11.2
    
    Fixed: /home/joi/working-dir/CVE-2021-44228-Scanner/test/dir with spaces/log4j-core.jar
    Fixed: /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/log4j-core.jar
    Fixed: /home/joi/working-dir/CVE-2021-44228-Scanner/test/test-symlink/mytestlink.jar
    
    Scanned 3 directories and 3 files
    Found 3 vulnerable files
    Fixed 3 vulnerable files
    Completed in 1.12 seconds
    joi@desktop2004:~/working-dir/CVE-2021-44228-Scanner$ find test -ls
      1049724      4 drwxrwxr-x   4 joi      joi          4096 Dec 14 10:33 test
      1053429      4 drwxrwxr-x   2 joi      joi          4096 Dec 14 10:48 test/dir\ with\ spaces
      1049569   1572 -rw-r--r--   1 joi      joi       1607573 Dec 14 10:48 test/dir\ with\ spaces/log4j-core.jar
      1051277   1556 -rw-rw-r--   1 joi      joi       1590537 Dec 14 10:48 test/dir\ with\ spaces/log4j-core.jar.bak
      1053443      4 drwxrwxr-x   2 joi      joi          4096 Dec 14 10:48 test/test-symlink
      1051275   1572 -rw-r--r--   1 joi      joi       1607573 Dec 14 10:48 test/test-symlink/log4j-core.jar
      1053445      0 lrwxrwxrwx   1 joi      joi            14 Dec 14 10:34 test/test-symlink/mytestlink.jar -> log4j-core.jar
      1053427   1572 -rw-rw-r--   1 joi      joi       1607573 Dec 14 10:48 test/test-symlink/mytestlink.jar.bak
      1052166   1556 -rw-rw-r--   1 joi      joi       1590537 Dec 14 10:48 test/test-symlink/log4j-core.jar.bak
    

    I am at the office on Central Standard Time, and am willing to update and re-test if I am notified.

    bug patch released 
    opened by jlellis 13
  • Hang in directory with tons of files

    Running version 2.1.1 or older (java) on a Linux box I faced an issue of a hang in the script. Looking closer, it was caused because the directory has tons of files. The application tries to enumerate it and never finishes.

    discussion patch released 
    opened by rgallobr 12
  • Processor usage limit (mainly on) Linux

    Can you implement processor limit on the log4j scan run, perhaps as an option in commandline?

    I am aware that BigFix is having this capability built in, i have used it for four years on the environment, but we have moved from BigFix in favour of Ansible and Ansible does not sport a client, that would limit the processor time used by the job.

    I would be happy if you would be able to do such limit on all platforms we support (aix, linux, windows), but the priority is based on a customer request on Linux now.

    opened by jozefduhacek 0
  • Logpresso does not touch MANIFEST files?

    Hey,

    we have a lot of different applications running as JAR files. The mitigation itself works, but why is the corresponding meta info, like MANIFEST etc., not touched as well? E.g. vulnerability scanners like Tenable will still detect these files as vulnerable even though logpresso fixed the issue by deleting vulnerable classes from the JAR file.

    BR

    opened by echsenmensch666 0
  • CVE-2021-45046 not being detected by Logspresso

    Hi, we have been using Logpresso to scan our environment and recently found that CVE-2021-45046 is not being detected. Our security scanner Nexpose is able to find paths that are vulnerable for CVE-2021-45046. Our Logpresso scan scripts are not excluding any paths or CVEs. Thanks in advance.

    opened by chimera999 0
  • Cannot fix CVE-2021-44832 upgrade it

    On some jar files, I get this error: Cannot fix CVE-2021-44832, upgrade it

    Such as on file log4j-2.11.1.jar

    Does this mean I should upgrade the tool, or upgrade the Jar file? Any suggestions would be welcome.

    Many thanks Brian

    opened by bcraigie 1
  • Is it necessary to run the tool every boot?

    Hello, I am wondering if it is enough to run the tool once or should I configure my computer to run it each boot. Sorry if this is not the right place to ask this, I was not sure where I can ask. Thanks a lot!

    opened by Zeev86 0
Releases: v3.0.1
Owner: Logpresso GitHub