Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Last update: Dec 26, 2022

Overview

Log4-detector

Scanner that detects vulnerable Log4J versions to help teams assess their exposure to CVE-2021-44228 (CRITICAL), CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. Can search for Log4J instances by carefully examining the complete file-system, including all installed applications. It is able to find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Introduction
Example Usage
More Example Usage
Understanding The Results
Usage
Build From Source
Testing
License
Frequently Asked Questions
What Is MergeBase All About?

Introduction

Currently reports log4j-core versions 2.3.2, 2.12.4, and 2.17.1 as _SAFE_, 2.3.1, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0 as _OKAY_ and all other versions as _VULNERABLE_ (although it does report pre-2.0-beta9 as _POTENTIALLY_SAFE_). It reports older log4j-1.x versions as _OLD_.

Can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended into uber jars, shaded jars, and even exploded jar files just sitting uncompressed on the file-system (aka *.class).

We currently maintain a collection of log4j-samples we use for testing.

Example Usage:

java -jar log4j-detector-2021.12.29.jar ./samples 

-- github.com/mergebase/log4j-detector v2021.12.29 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
false-hits/log4j-core-2.12.2.jar contains Log4J-2.x   == 2.12.2 _OKAY_
false-hits/log4j-core-2.12.3.jar contains Log4J-2.x   == 2.12.3 _OKAY_
false-hits/log4j-core-2.12.4.jar contains Log4J-2.x   == 2.12.4 _SAFE_
false-hits/log4j-core-2.15.0.jar contains Log4J-2.x   == 2.15.0 _OKAY_
false-hits/log4j-core-2.16.0.jar contains Log4J-2.x   == 2.16.0 _OKAY_
false-hits/log4j-core-2.17.0.jar contains Log4J-2.x   == 2.17.0 _OKAY_
false-hits/log4j-core-2.17.1.jar contains Log4J-2.x   >= 2.17.1 _SAFE_
false-hits/log4j-core-2.3.1.jar contains Log4J-2.x   == 2.3.1 _OKAY_
false-hits/log4j-core-2.3.2.jar contains Log4J-2.x   == 2.3.2 _SAFE_
true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
true-hits/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
true-hits/log4j-core-2.10.0.zip contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
true-hits/log4j-core-2.11.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
true-hits/log4j-core-2.11.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
true-hits/log4j-core-2.11.2.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
true-hits/log4j-core-2.12.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
true-hits/log4j-core-2.12.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
true-hits/log4j-core-2.14.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
true-hits/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
true-hits/log4j-core-2.2.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
true-hits/log4j-core-2.3.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
true-hits/log4j-core-2.4.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
true-hits/log4j-core-2.4.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
true-hits/log4j-core-2.9.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
old-hits/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_
old-hits/log4j-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_
old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.x   <= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)

Understanding The Results

_VULNERABLE_ -> You need to upgrade or remove this file.

_OKAY_ -> We report this for Log4J versions 2.3.1, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0. We recommend upgrading to 2.17.1.

_SAFE_ -> We currently only report this for Log4J versions 2.3.2, 2.12.4, and 2.17.1 (and greater).

_OLD_ -> You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and has several known-vulnerabilities.

_POTENTIALLY_SAFE_ -> The "JndiLookup.class" file is not present, either because your version of Log4J is very old (pre 2.0-beta9), or because someone already removed this file. Make sure it was someone in your team or company that removed "JndiLookup.class" if that's the case, because attackers have been known to remove this file themselves to prevent additional competing attackers from gaining access to compromised systems.

Usage

java -jar log4j-detector-2021.12.29.jar 

Usage: java -jar log4j-detector-2021.12.29.jar [--verbose] [--json] [--stdin] [--exclude=X] [paths to scan...]

  --json       - Output STDOUT results in JSON.  (Errors/warning still emitted to STDERR)
  --stdin      - Read STDIN for paths to explore (one path per line)
  --exclude=X  - Where X is a JSON list containing full paths to exclude. Must be valid JSON.

                 Example: --exclude='["/dev", "/media", "Z:\TEMP"]'

Exit codes:  0 = No vulnerable Log4J versions found.
             1 = At least one legacy Log4J 1.x version found.
             2 = At least one vulnerable Log4J version found.

About - MergeBase log4j detector (version 2021.12.29)
Docs  - https://github.com/mergebase/log4j-detector 
(C) Copyright 2021 Mergebase Software Inc. Licensed to you via GPLv3.

Build From Source:

git clone https://github.com/mergebase/log4j-detector.git
cd log4j-detector/
mvn install
java -jar target/log4j-detector-latest.jar

Testing:

We maintain a collection of log4j samples here: https://github.com/mergebase/log4j-samples

License

GPL version 3.0

Frequently Asked Questions

How Does It Work?

The Java compiler stores String literals directly in the compiled *.class files. If log4j-detector detects a file named "JndiManager.class" on your file-system, it then examines that file for this String: "Invalid JNDI URI - {}". Turns out that specific String literal is only present in the patched version of Log4J (version 2.15.0). Any versions of Log4J without that String are vulnerable.

This same technique of examining *.class files for String literals is further extended to accurately detect safe versions 2.3.2, 2.12.4, and 2.17.1.

This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`?

Many scanners (including GitHub's own Dependabot) currently report both "log4j-core" and "log4j-api" libraries as vulnerable. These scanners are incorrect. There is currently no existing version of the "log4j-api" library that can be exploited by any of these vulnerabilities.

At MergeBase we pride ourselves on our scan accuracy. You're already busy enough patching and defending your systems. We don't want you to waste your time with false positives. That's why we don't report any hits against log4j-api.

Why Report About 2.3.1, 2.10.0, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0 ?

Version 2.10.0 is important because that's the first version where Log4J's vulnerable "message lookup feature" can be disabled via Log4J configuration.

Version 2.12.2 is important because it's a Java 7 compatible version of Log4J that is not vulnerable to CVE-2021-44228.

Versions 2.15.0 and 2.16.0 are important because these are the first versions where Log4J's default out-of-the-box configuration is not vulnerable to CVE-2021-44228.

And versions 2.3.2, 2.12.4, and 2.17.1 are important because they are not vulnerable to more recently discovered CVEs such as CVE-2021-45046 and CVE-2021-45105. Despite these being much less serious vulnerabilities, we anticipate everyone will want to patch to one of 2.3.2, 2.12.4, or 2.17.1.

What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about?

The "!" means the log4j-detector entered a zip archive (e.g., *.zip, *.ear, *.war, *.aar, *.jar). Since zip files can contain zip files, a single result might contain more than one "!" indicator in its result.

Note: the log4j-detector only recursively enters zip archives. It does not enter tar or gz or bz2, etc. The main reason being that Java systems are often configured to execute jars inside jars, but they are never configured to execute other file formats (that I know of!). And so a log4j copy inside a *.tar.gz is probably not reachable for a running Java system, and hence, not a vulnerability worth reporting.

2nd note: for zips-inside-zips our scanner does load the inner-zip completely into memory (using ByteArrayInputStream) before attempting to scan it. You might need to give Java some extra memory if you have extremely large inner-zips on your system (e.g., 1 GB or larger).

What About Log4J 1.2.x ?

Only versions of Log4J 2.x (from 2.0-beta9 to 2.14.1) are vulnerable to CVE-2021-44228.

How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?

Great question! Since we include the complete source code here in Github (all 2500 lines of Java), as well as the steps to build it, and since this tool has zero dependencies, it shouldn't take too long to carefully study the code to your satisfaction. If you don't trust Maven you can go directly into the "src/main/java/com/mergebase/log4j" directory and type "javac *.java". That works, too!

We also sign the pre-compiled jar we keep in the root of the repository (./log4j-detector-2021.12.29.jar) with the MergeBase code signing key. Please run "jarsigner -verbose -verify log4j-detector-2021.12.29.jar" to confirm this.

What Is MergeBase All About?

MergeBase is an SCA company (Software Composition Analysis) based in Vancouver, Canada. We're similar to companies like Snyk, Sonatype, Blackduck, etc., in that we help companies detect and manage vulnerable open-source libraries in their software. Check us out! We have great accuracy, great language support, and we're not too expensive, either: mergebase.com/pricing.

We would be delighted if anyone takes a 2-week free trial of our SCA product! And if you email our CEO ([email protected]) with the subject "log4j-detector" we will extend your free trial to 4-weeks.

Comments

Hard to tell if program works as expected: Simple test case fails

mkdir tmp; cd tmp
mkdir -p appender/nosql core
touch "core/LogEvent.class"
touch "core/Appender.class"
touch "core/Filter.class"
touch "core/Layout.class"
touch "core/LoggerContext.class"
touch "appender/nosql/NoSqlAppender.class"
touch "JndiLookup.class"
java -jar ~/Downloads/log4j-detector-2021.12.13.jar . --verbose

results in

-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Examining ./appender/nosql/NoSqlAppender.class... 
-- Examining ./core/Appender.class... 
-- Examining ./core/Filter.class... 
-- Examining ./core/Layout.class... 
-- Examining ./core/LogEvent.class... 
-- Examining ./core/LoggerContext.class... 
-- Examining ./JndiLookup.class... 
-- No vulnerable Log4J 2.x samples found in supplied paths: [.]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 !  :-)

from what I can tell, this should report the vuln

opened by yspreen 15

Version 1 may very well be vulnerable.

For context, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

This tool should at the very least warn Version 1 as "potentially vulnerable"

opened by dminuoso 11
log4j-over-slf4j bridge identified as old log4j

Hi, in my opinion the mentioned library shouldn't be identified as an old log4j version. As described here log4j-over-slf4j.jar only bridges old log4j 1.2.x versions. The log output could then be bound (redirected) to java.util.logging for example.

Console output:

... log4j-over-slf4j-1.7.29.jar contains Log4J-1.x <= 1.2.17 OLD :-|

opened by chriseins 9
Shaded Log4j class JndiLookup not found

I found a case where a shaded Log4j-core class JndiLookup was not found.

In this case in applicationinsights-agent 3.0.3 as an example.

With shading they also renamed the JndiLoopup.class to JndiLookup.classdata.

To confirm, I found this one with, and the regex also finding the .classdata file: find . -regex ".*.jar" -type f | xargs -I{} grep JndiLookup.class "{}"

opened by MarkvanOsch 7
Read files to scan from stdin to use `find` for excluding of files, folders and mount points
It would be great if the files to be scanned could be read from stdin. This would open up a whole new set of possibilities together with find.

Example:

find / -xdev -type f | java -jar log4j-detector-2021.12.16.jar --stdin

This would scan all files in the local root filesystem, but omit /dev, /proc, etc. and all NFS mounts.

Using find, the following issues would be easy to solve: #11, #39 and #40,
opened by beckerr-rzht 6
Unzip exceptions with 14-12, but 13-12 works

Hi.

I have unzip exceptions with 14-12 on several machines:

$ java -jar log4j-detector-2021.12.14.jar /opt/tomcat/webapps/awi.war -- Analyzing paths (could take a long time). -- Note: specify the '--verbose' flag to have every file examined printed to STDERR. -- Problem /opt/tomcat/webapps/awi.war!/WEB-INF/bundle/webui-logback.jar!/lib/commons-lang3-3.8.1.jar - java.io.EOFException: Unexpected end of ZLIB input stream -- Problem /opt/tomcat/webapps/awi.war!/WEB-INF/bundle/webui-logback.jar!/lib/guava-19.0.jar - java.io.EOFException -- Problem /opt/tomcat/webapps/awi.war!/WEB-INF/bundle/webui-logback.jar!/lib/logback-classic-1.2.3.jar - java.io.EOFException: Unexpected end of ZLIB input stream -- Problem /opt/tomcat/webapps/awi.war!/WEB-INF/bundle/webui-logback.jar!/lib/logback-core-1.2.3.jar - java.io.EOFException: Unexpected end of ZLIB input stream -- Problem /opt/tomcat/webapps/awi.war!/WEB-INF/bundle/webui-logback.jar!/lib/slf4j-api-1.7.16.jar - java.io.EOFException -- Problem /opt/tomcat/webapps/awi.war!/WEB-INF/bundle/com.automic.rest.api.jar!/lib/validation-api.jar - java.io.EOFException: Unexpected end of ZLIB input stream -- Problem /opt/tomcat/webapps/awi.war!/WEB-INF/bundle/webui-chart.jar!/lib/commons-lang3-3.5.jar - java.io.EOFException: Unexpected end of ZLIB input stream

For instance with:

$ java -version java version "1.8.0_112" Java(TM) SE Runtime Environment (build 1.8.0_112-b15) Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)

on

$ lsb_release -a LSB Version: :core-4.1-amd64:core-4.1-noarch Distributor ID: OracleServer Description: Oracle Linux Server release 7.9 Release: 7.9 Codename: n/a

This is NOT a permission issue. Version 13-12 works fine!

p.s. it would be great if previous versions were available in Github, I couldn't locate the old version here or anywhere else on the web, had to source it from a colleague who happened to have it.

p.p.s. even with 13-12, if I do "--verbose", it does not list the class files it (presumably) scans, only the included JAR files. It would be great and very reassuring if it listed the actual files as well. I assume that's how it works, by scanning class files and such?

Thanks, best regards.

opened by jsark78 6

java.util.zip.ZipException: unexpected EOF - Scan hangs in an infinite loop on Linux

Using log4j-detector-2021.12.15.jar on Red Hat Enterprise Linux release 8.5 (Ootpa) with openjdk version "1.8.0_312" The following output is from infinite loop:

-- Problem /opt/omni/AppServer/modules/system/layers/base/com/h2database/h2/main/h2-1.4.193.jar!/org/h2/util/data.zip - java.util.zip.ZipException: unexpected EOF
/opt/omni/AppServer/modules/system/layers/base/org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-1.2.0.Final.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
-- Problem /opt/omni/AppServer/modules/system/layers/base/com/h2database/h2/main/h2-1.4.193.jar!/org/h2/util/data.zip - java.util.zip.ZipException: unexpected EOF
/opt/omni/AppServer/modules/system/layers/base/org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-1.2.0.Final.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
-- Problem /opt/omni/AppServer/modules/system/layers/base/com/h2database/h2/main/h2-1.4.193.jar!/org/h2/util/data.zip - java.util.zip.ZipException: unexpected EOF
/opt/omni/AppServer/modules/system/layers/base/org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-1.2.0.Final.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
-- Problem /opt/omni/AppServer/modules/system/layers/base/com/h2database/h2/main/h2-1.4.193.jar!/org/h2/util/data.zip - java.util.zip.ZipException: unexpected EOF
/opt/omni/AppServer/modules/system/layers/base/org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-1.2.0.Final.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|

opened by vosskaem 6

scanning /dev folder on (NAS) unix causes program to freeze

I tried running the detector on my Synology NAS via putty.

on my first try it just... basically freezes after reaching a certain folder structure (running as root for / (root) directory):

-- Examining /.old_patch_info/.system_info/bits...
-- Examining /.old_patch_info/.system_info/endian...
-- Examining /.old_patch_info/.system_info/pgsql_alignment...
-- Examining /.old_patch_info/.system_info/Sone.5...
-- Examining /.old_patch_info/synoinfo.conf...
-- Examining /.old_patch_info/VERSION...
-- Examining /.rnd...
-- Examining /.syno/dsminfo/default_config.log...
-- Examining /.syno/dsminfo/VERSION.init...
-- Examining /.syno/patch/bios.ROM...
-- Examining /.syno/patch/checksum.syno...
-- Examining /.syno/patch/grub_cksum.syno...
-- Examining /.syno/patch/GRUB_VER...
-- Examining /.syno/patch/H2OFFT-Lx64...
-- Examining /.syno/patch/platform.ini...
-- Examining /.syno/patch/rd.gz...
-- Examining /.syno/patch/SynoBootLoader.conf...
-- Examining /.syno/patch/updater...
-- Examining /.syno/patch/VERSION...
-- Examining /.syno/patch/zImage...
-- Examining /.system_info/bits...
-- Examining /.system_info/endian...
-- Examining /.system_info/pgsql_alignment...
-- Examining /.system_info/Sone.5...
-- Examining /config/pool/cache_info...
-- Examining /config/pool/ext_jnl_cache_cnt...
-- Examining /config/pool/ext_jnl_enable...
-- Examining /config/pool/ext_jnl_path...
-- Examining /config/pool/ext_jnl_suspend...
-- Examining /config/pool/help...
-- Examining /config/pool/preread_control...
-- Examining /config/rodsys/help...
-- Examining /config/rodsys/local_key...
-- Examining /config/rodsys/throttle_interval_msec...
-- Examining /config/target/core/alua/lu_gps/default_lu_gp/lu_gp_id...
-- Examining /config/target/core/alua/lu_gps/default_lu_gp/members...
-- Examining /config/target/core/epio_0/hba_info...
-- Examining /config/target/core/epio_0/hba_mode...
-- Examining /config/target/core/epio_0/odx_info...
-- Examining /config/target/core/epio_0/odx_mode...
-- Examining /config/target/core/epio_1/hba_info...
-- Examining /config/target/core/epio_1/hba_mode...
-- Examining /config/target/core/epio_1/odx_info...
-- Examining /config/target/core/epio_1/odx_mode...
-- Examining /config/target/core/fileio_0/hba_info...
-- Examining /config/target/core/fileio_0/hba_mode...
-- Examining /config/target/core/fileio_0/odx_info...
-- Examining /config/target/core/fileio_0/odx_mode...
-- Examining /config/target/core/iblock_0/hba_info...
-- Examining /config/target/core/iblock_0/hba_mode...
-- Examining /config/target/core/iblock_0/odx_info...
-- Examining /config/target/core/iblock_0/odx_mode...
-- Examining /config/target/core/multifile_0/hba_info...
-- Examining /config/target/core/multifile_0/hba_mode...
-- Examining /config/target/core/multifile_0/odx_info...
-- Examining /config/target/core/multifile_0/odx_mode...
-- Examining /config/target/dbroot...
-- Examining /config/target/io_delay_msec...
-- Examining /config/target/io_delay_per_io...
-- Examining /config/target/iscsi/discovery_auth/authenticate_target...
-- Examining /config/target/iscsi/discovery_auth/enforce_discovery_auth...
-- Examining /config/target/iscsi/discovery_auth/password...
-- Examining /config/target/iscsi/discovery_auth/password_mutual...
-- Examining /config/target/iscsi/discovery_auth/userid...
-- Examining /config/target/iscsi/discovery_auth/userid_mutual...
-- Examining /config/target/iscsi/global_np_enable...
-- Examining /config/target/iscsi/lio_version...
-- Examining /config/target/loopback/version...
-- Examining /config/target/version...
-- Examining /config/vsys/help...
-- Examining /dev/bus/usb/001/001...
-- Examining /dev/bus/usb/001/002...
-- Examining /dev/bus/usb/002/001...
-- Examining /dev/bus/usb/003/001...
-- Examining /dev/bus/usb/004/001...

Ctrl+C'ed the program after two hours. After not running it as root (and thus not 'reaching' those structures) it first causes an OoM when trying to access /dev/full and, after raising the memory, freezes at /dev/null afterwards and doing nothing again.

opened by Feathered-Serpent 6

Detection of Log4j 1.x as vulnerable

According to the https://logging.apache.org/log4j/2.x/security.html "Log4j 1.x is not impacted by this vulnerability.". And currently the scanner detects this version as vulnerable, and collaborated by the README which states "Currently reports log4j-core versions 2.3.1, 2.12.3, and 2.17.0 as SAFE, 2.12.2, 2.15.0 and 2.16.0 as OKAY and all other versions as VULNERABLE"

opened by dnjoe96 5
Can we have an option to exclude a path?

Seems like /System/Volumes/Data is not needed?

Apologies for the blob, might bring it in to a text editor to see what I mean.

$ tail -f /Library/Application\ Support/Vanguard/SearchResults/log4j-detector/log4j-detector.txt -- github.com/mergebase/log4j-detector v2021.12.17 (by mergebase.com) analyzing paths (could take a while). -- Note: specify the '--verbose' flag to have every file examined printed to STDERR. /Applications/AWS Schema Conversion Tool.app/Contents/Java/packager_jar/AWSSchemaConversionTool.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /Applications/AWS Schema Conversion Tool.app/Contents/Java/packager_jar/AWSSchemaConversionToolBatch.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /Applications/Tableau Desktop 2021.2.app/Contents/Resources/jdbcserver.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /Applications/Tableau Desktop 2021.2.app/Contents/Resources/oauthservice.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /Applications/Tableau Prep Builder 2021.2.app/Contents/lib/tableau-prep-cli.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/loom-rest-api-1.0-SNAPSHOT.jar!/BOOT-INF/lib/log4j-core-2.13.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/tableau-1.3/build/Release/jdbcserver.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/tableau-1.3/build/Release/oauthservice.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /Library/Application Support/JAMF/Composer/Sources/Xcode/ROOT/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Applications/AWS Schema Conversion Tool.app/Contents/Java/packager_jar/AWSSchemaConversionTool.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Applications/AWS Schema Conversion Tool.app/Contents/Java/packager_jar/AWSSchemaConversionToolBatch.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Applications/Tableau Desktop 2021.2.app/Contents/Resources/jdbcserver.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Applications/Tableau Desktop 2021.2.app/Contents/Resources/oauthservice.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Applications/Tableau Prep Builder 2021.2.app/Contents/lib/tableau-prep-cli.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/loom-rest-api-1.0-SNAPSHOT.jar!/BOOT-INF/lib/log4j-core-2.13.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/tableau-1.3/build/Release/jdbcserver.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Applications/Tableau Prep Builder 2021.2.app/Contents/Resources/app/tableau-1.3/build/Release/oauthservice.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE /System/Volumes/Data/Library/Application Support/JAMF/Composer/Sources/Xcode/ROOT/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE

opened by donmontalvo 5
Problem: cannot read - XXX

Hi all, thanks for that fantastic tool! Short question with the newly released version of today (15th of december). I do see a lot of read errors. Do i need to run this as sudo?

opened by Timokirch 5
reload4j raised as log4j-1.x vulnerability
Hi,

I tried installing ActiveMQ 5.16.4 which comes with reload4j-1.2.19, now running the detector shows the following output:

-- github.com/mergebase/log4j-detector v2021.12.29 (by mergebase.com) analyzing paths (could take a while). -- Note: specify the '--verbose' flag to have every file examined printed to STDERR. activemq-all-5.16.4.jar contains Log4J-1.x <= 1.2.17 _OLD_

As per raising the issue with the AMQ team, we received the following comment:

The Log4J transitive dependency from Zookeeper related bits were excluded (directly or via dependencyManagement) and reload4j was added to activemq-partition as a dependency to serve in their place during AMQ-8472. The classes included in activemq-all thus should be those from reload4j, which necessarily uses the same org.apache.log4j namespace to serve their intent to act as a substitute for Log4j.

After some inspection, I figured that the log4j-detector jar is doing a check with the same namespace as it is in log4j-1.x hence seeing the issue:

private static final String FILE_OLD_LOG4J = "log4j/DailyRollingFileAppender.".toLowerCase(Locale.ROOT);

Since reload4j has resolved the vulnerability as seen in log4j-1.x but uses the same namespace, I believe the condition check for checking the existence of log4j-1.x shall be improved here or else all reload4j jars will be wrongly detected as vulnerable.
opened by livesamarthgupta 0
Exploded jar not detected under Windows

Exploded jar files (*.class) are not detected on a Windows 10 platform. Detection works properly under WSL and native Linux. Tests were performed on all platforms against the same set of the provided log4j-samples.

opened by mgaiser 0
SymLinks Feature

Dear Mergebase / Dear @juliusmusseau ,

we had the pleasure to use your log4j-detector tool as complentary scanning tool and would like to contribute some improvements as Pull Request (from our point of view). Please note that we've run the tool automatically on some thousand notebooks so our changes are quite hardened and also we needed a configuration working for all of them.

This Pull Request improves SymLinks handling. We added usage of Files.isSymbolicLink as well as a Windows-specific reflection-based method to identify Junctions/ReparsePoints. Both are separately controlled by switches --ignoreSymLinks and --ignoreReparsePoints. --ignoreReparsePoints is only allowed on Windows obviously (tested on Win 10). Default is symlinks and reparsePoints are followed and users can change that by specifiying the switches.

This feature especially eased our automatic scan of thousands of notebooks, as they were scanned under MACHINE user which sees loads of legacy reparse points partially even resulting in endless loops. Otherwise they need to be excluded quite annoyingly.

Please feel free to indicate wether you would like changes in the PR, I will consider to implement them. Also I am willing to sufficiently grant you "copyright" so you can use the code of this PR as you like, so just send me whatever confirmation you need and I will have a friendly look ...

This is a disjunct feature as to PR #84

I hope this is helpful and I am looking forward for your feedback :-)

Cheers, Philipp

opened by phbreitbach 0
OutOfMemory Handling Improvement

Dear Mergebase / Dear @juliusmusseau ,

we had the pleasure to use your log4j-detector tool as complentary scanning tool and would like to contribute some improvements as Pull Request (from our point of view). Please note that we've run the tool automatically on some thousand notebooks so our changes are quite hardened and also we needed a configuration working for all of them.

This Pull Request improves OutOfMemory's handling as in #7 We added a catch block for OutOfMemoryError to catch the case there's one ZIP file too big to be processed in memory. Then the tool will not abort but proceed with the remaining files until a threshold is reached. The threshold is specified as corresponding command line switch.

Please feel free to indicate wether you would like changes in the PR, I will consider to implement them. Also I am willing to sufficiently grant you "copyright" so you can use the code of this PR as you like, so just send me whatever confirmation you need and I will have a friendly look ...

I have a further PR in the Pipeline for handling of symlinks and maybe even one more for #82 .

I hope this is helpful and I am looking forward for your feedback :-)

Cheers, Philipp

opened by phbreitbach 0
Incomplete pathnames

Script detects e.g.

bea/user_projects/myproject/applications/jobScheduler.war

when actual path is

/home/user/proj/bea/user_projects/myproject/applications/jobScheduler.war

I'm not sure why the path gets cropped there and not on any other subdirectory. There is a mountpoint /home and another /home/user, but for some reason the script deletes up to /home/user/proj/

OS is Red Hat Enterprise Linux Server release 7.9 (Maipo) Linux 3.10.0-1160.24.1.el7.x86_64 #1 SMP Thu Mar 25 21:21:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

opened by jrselzer 1

Owner

MergeBase

Securing software supply chains!

GitHub

Burp Active Scan extension to identify Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046

Log4j-HammerTime This Burp Suite Active Scanner extension validates exploitation of the Apache Log4j CVE-2021-44228 and CVE-2021-45046 vulnerabilities

8 Jan 8, 2022

Log4Shell sample vulnerable application (CVE-2021-44228)

5 Dec 26, 2021

Local Bytecode Scanner for the Log4JShell Vulnerability (CVE-2021-44228)

?? Log4JShell Bytecode Detector Log4jShell Bytecode Detector is an open source tool that helps identify if a jar file is affected by the critical CVE-

49 Apr 23, 2022

Removal of JndiLookup in now obsolete Minecraft versions, or versions that still have log4j < 2.10 and is unable to use

NukeJndiLookupFromLog4j Removal of JndiLookup in now obsolete Minecraft versions, or versions that still have log4j < 2.10 and is unable to use -Dlog4

11 Dec 15, 2022

CVE-2021-44228 (Apache Log4j Remote Code Execution）

CVE-2021-44228 (Apache Log4j Remote Code Execution） all log4j-core versions >=2.0-beta9 and <=2.14.1 The version of 1.x has other vulnerabilities, it

10 Apr 23, 2022

PCRE RegEx matching Log4Shell CVE-2021-44228 IOC in your logs

Log4Shell-Rex The following RegEx was written in an attempt to match indicators of a Log4Shell (CVE-2021-44228 and CVE-2021-45046) exploitation. If yo

286 Nov 9, 2022

log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch

log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scan

839 Dec 29, 2022

CVE-2021-44228 (Log4Shell) Proof of Concept

CVE-2021-44228 (Log4Shell) Proof of Concept Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect ag

5 Mar 18, 2022

An LDAP RCE exploit for CVE-2021-44228 Log4Shell

log4j-poc An LDAP RCE exploit for CVE-2021-44228 Log4Shell Description The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed

60 Dec 10, 2022

A Basic Java Application Vulnerable to the Log4Shell RCE

This is a basic, minimal, intentionally vulnerable Java web application including a version (2.14.1) of the log4j library affected by the infamous log4shell (CVE-2021-44228) vulnerability.

31 Nov 9, 2022

Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928

Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928, a `writeToParcel`/`createFromParcel` serialization mismatch in `OutputConfiguration`

52 Dec 30, 2022

Log4shell-hunter - Scanner that scans local files for log4shell vulnerability

Log4shell-hunter - Scanner that scans local files for log4shell vulnerability. Does bytecode analysis so it does not rely on metadata. Will find vulnerable log4j even it has been self-compiled/repackaged/shaded/nested (e.g. uberjar, fatjar) and even obfuscated.

5 Feb 27, 2022

A Java Mindustry mod template that works on Android and PC. The Kotlin version of this mod can be seen here.

Mindustry Java Mod Template A Java Mindustry mod template that works on Android and PC. The Kotlin version of this mod can be seen here. Building for

3 Jan 22, 2022

This exention enables autocompletion within BurpSuite Repeater/Intruder tabs.

BurpSuiteAutoCompletion This exention enables autocompletion within BurpSuite Repeater/Intruder tabs.

147 Oct 28, 2022

Unofficial Clubhouse web app client. For personal use only. It's a personal open-source project and not affiliated with any company.

Purpose of this web app That's a personal project and not affiliated with any company. This is the web client app to make your Club House experience b

45 Nov 15, 2022

Make a customized list of exercises, create and save workouts, and be led through your routine. This application is currently under development.

HIIT Workout Builder ABOUT This application allows you to create and be led through customized high-intensity interval training (HIIT) sessions. The a

1 Nov 28, 2022