
This project forked from palantir/log4j-sniffer

A tool that scans archives to check for vulnerable log4j versions

License: Apache License 2.0

Languages: Go 88.32%, Shell 11.68%

log4j-sniffer's Introduction

log4j-sniffer

log4j-sniffer crawls a specified directory on disk for all instances of log4j earlier than version 2.16. It can be used to determine whether there are any vulnerable instances of log4j within a directory tree.

Scanning for CVE-2021-45046 and CVE-2021-45105 is currently supported.

What this does

log4j-sniffer will scan a filesystem looking for all files of the following types based upon suffix:

  • Zips: .zip
  • Java archives: .jar, .war, .ear
  • Tar: .tar.gz, .tgz

It will look for the following:

  • Jar files matching log4j-core-<version>.jar, including those nested within another archive
  • Class files named org.apache.logging.log4j.core.net.JndiManager within Jar files or other archives, checked against md5 hashes of known versions
  • Class files named JndiManager in other package hierarchies, checked against md5 hashes of known versions
  • Matching of the bytecode of classes named JndiManager against known patterns (see below for more details)

Installing

If Go is available on the host system, the following command can be used to install this program:

go install github.com/palantir/log4j-sniffer@latest

This repository also publishes binaries that can be downloaded and executed.

Downloads

log4j-sniffer executables compiled for linux-amd64, darwin-amd64, darwin-arm64 and windows-amd64 architectures are available on the releases page.

Running

This tool is resource intensive; running it with low priority settings is recommended.

On Linux:

ionice -c 3 nice -n 19 log4j-sniffer crawl /path/to/a/directory

Output for vulnerable files looks as follows:

INFO  [2021-12-17T14:10:10.046706-08:00] github.com/palantir/log4j-sniffer/pkg/crawl/crawler.go:50: Crawl started (runID: 0132794a-6b5a-4632-b7ee-7e92672990ee)
INFO  [2021-12-17T14:10:10.053085-08:00] github.com/palantir/log4j-sniffer/pkg/crawl/report.go:44: CVE-2021-45046 detected (classFileMd5Matched: true, classNameMatched: false, classPackageAndNameMatch: true, filename: log4j-core-2.14.1.jar, jarNameInsideArchiveMatched: false, jarNameMatched: true, runID: 0132794a-6b5a-4632-b7ee-7e92672990ee) (log4jVersions: [2.14.0 - 2.14.1 2.14.1]) (path: examples/single_bad_version/log4j-core-2.14.1.jar)
INFO  [2021-12-17T14:10:10.053327-08:00] github.com/palantir/log4j-sniffer/pkg/crawl/crawler.go:54: Crawl complete (crawlDuration: 6.867927ms, filesScanned: 1, permissionDeniedCount: 0, runID: 0132794a-6b5a-4632-b7ee-7e92672990ee)
INFO  [2021-12-17T14:10:10.053455-08:00] github.com/palantir/log4j-sniffer/internal/crawler/crawl.go:46: Files affected by CVE-2021-45046 detected (runID: 0132794a-6b5a-4632-b7ee-7e92672990ee, vulnerableFileCount: 1)

With the following meaning:

  • classFileMd5Matched: there was a .class file called JndiManager that matched the md5 hash of a known version
  • bytecodeInstructionMd5Matched: the bytecode of a .class file called JndiManager exactly matched a known version, see below for more details
  • classNameMatched: there was a .class file called JndiManager
  • classPackageAndNameMatched: there was a .class file called JndiManager with a package of org.apache.logging.log4j.core.net
  • jarNameInsideArchiveMatched: there was a .jar file called log4j-core-<version>.jar inside the archive
  • jarNameMatched: the file scanned was a .jar file called log4j-core-<version>.jar
  • log4jVersions: the versions detected at this location based on a combination of filenames and md5 hash matching
  • filename: the filename matched
  • path: the full path on disk for the file
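The checks listed under "It will look for the following" and the output fields explained above, as an added Python example that is not the project's Go code: it applies the jar-name, class-name, package-path and md5 indicators to an in-memory archive, recursing into nested jars and tar.gz bundles, and fills a Finding whose fields carry the same names as the tool's output. The md5 table holds a constructed placeholder entry, not the project's real hash list; scan(), _entries() and Finding are names assumed here.

```python
import hashlib
import io
import re
import tarfile
import zipfile
from dataclasses import dataclass, field

# Constructed placeholder entry: the project's real md5 list for JndiManager.class builds is not reproduced here.
KNOWN_JNDIMANAGER_MD5 = {"00000000000000000000000000000000": "placeholder-version"}
LOG4J_CORE_JAR = re.compile(r"(?:^|/)log4j-core-([0-9][^/]*)\.jar$", re.IGNORECASE)
ZIP_SUFFIXES, TAR_SUFFIXES = (".zip", ".jar", ".war", ".ear"), (".tar.gz", ".tgz")

@dataclass
class Finding:
    """The indicator fields the tool prints for one scanned file."""
    jarNameMatched: bool = False
    jarNameInsideArchiveMatched: bool = False
    classNameMatched: bool = False
    classPackageAndNameMatched: bool = False
    classFileMd5Matched: bool = False
    log4jVersions: list = field(default_factory=list)

def _entries(name, data):
    """Yield (member_name, member_bytes) for an in-memory zip-format or tar.gz archive."""
    if name.lower().endswith(ZIP_SUFFIXES):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            yield from ((i.filename, zf.read(i)) for i in zf.infolist())
    elif name.lower().endswith(TAR_SUFFIXES):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            yield from ((t.name, tf.extractfile(t).read()) for t in tf.getmembers() if t.isfile())

def scan(name, data, finding=None, nested=False):
    """Apply the jar-name, class-name, package and md5 indicators to one archive, recursing into nested ones."""
    f = finding or Finding()
    if m := LOG4J_CORE_JAR.search(name):  # top-level jar name and jar-inside-archive are reported separately
        setattr(f, "jarNameInsideArchiveMatched" if nested else "jarNameMatched", True)
        f.log4jVersions.append(m.group(1))
    for member, blob in _entries(name, data):
        if member.rsplit("/", 1)[-1] == "JndiManager.class":  # shading relocates the class but keeps its name
            f.classNameMatched = True
            f.classPackageAndNameMatched |= member == "org/apache/logging/log4j/core/net/JndiManager.class"
            if version := KNOWN_JNDIMANAGER_MD5.get(hashlib.md5(blob).hexdigest()):  # fingerprint lookup only
                f.classFileMd5Matched = True
                f.log4jVersions.append(version)
        elif member.lower().endswith(ZIP_SUFFIXES + TAR_SUFFIXES):
            try:
                scan(member, blob, f, nested=True)
            except (zipfile.BadZipFile, tarfile.TarError):
                pass  # a nested entry that is not a readable archive is skipped
    return f
```

Calling scan("app.war", open("app.war", "rb").read()) returns a Finding whose true fields correspond to the indicators the tool would print for that file; bytecode matching of shaded classes (next section) is not implemented here.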

Bytecode matching

If a class is shaded, for example to build a fat jar, then the bytecode is rewritten to update the package. This means the hash of the class will no longer match against known versions, nor will the class appear where expected within a jar.

To account for this we compute a less precise hash of the class file: only the fixed parts of the bytecode defining each method are hashed, ignoring everything that may change under shading. The resulting bytecode is md5-hashed and compared against known versions.

Testing against shaded jars shows this matches when the package version has been changed but the class otherwise left intact. Shading which further modifies classes, such as by removing methods, will not be found with this approach.

CVE-2021-45105

If you do not wish to report results for CVE-2021-45105 then pass the --disable-cve-2021-45105-detection flag to the crawl command.

By default both CVE-2021-45046 and CVE-2021-45105 will be reported.
