Comments (18)
It will have no effect on speed, since the hash-file is truncated anyway with | sort | uniq
I will merge the lines anyway ...
from log4j_checker_beta.
Please check if this is solved
from log4j_checker_beta.
Thanks this seems to work for me. I.e. hashes for the complete JAR files of the susceptible 2.x versions are in hashes-pre-cve.txt.
If found the following two lists of hashes on the net:
scstanton: https://github.com/scstanton/log4j-hashes/blob/main/sha256sum.txt
mubex: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt
while mubex has been referenced by lunasec.io's thread on how to detect the original exploit here:
the scstanton also includes sha256 hashes for the 1.x versions too.
Apart from that I do not know if it would be better to check for the actually relevant JndiManager.class which in turn imports the JndiLookup.class. I have seen e.g. log4j-finder to check only for the class inside the JAR file.
@rubo77 I do not know if it would be feasible to generate md5 / sha256 hashes of the JndiManager.class inside the JARs ?
Regarding @whenselm 2. I do not know if this is really necessary. The script itself is executable together with the hashes-pre-cve.txt or whatever other hashes you supply. Though I do like the approach of the log4j-finder to include the hashes within the script itself, either using a here-doc or something similar as a safe default to be overwritten by a hashes file argument.
from log4j_checker_beta.
Checked the source code, you can call the script with any of the above URLs as parameter and it will download the hashes via wget / curl.
Now if there would be a third option besides wget & curl, you could call it with a local file instead of a remote URL that would allow to run it without internet connection.
from log4j_checker_beta.
You could add a pull request, that checks if the local file exists and use it only then
from log4j_checker_beta.
from log4j_checker_beta.
I do not understand how you would gain less impact on the VMs you are about to analyse when you A. download the JAR files via a secure/encrypted protocol like ssh which will do its own hashes to do encryption and checksums and B. It is neither mire performant nor less than SFTP and the like. So either you do it remotely with the hashes copied or included or you may need to write a nice rsync script to pull all the relevant JAR files for local analysis.
YMMV
from log4j_checker_beta.
You could add a pull request, that checks if the local file exists and use it only then
I added a check if the parameter is a URL, if not it uses a local file now. See README.md
from log4j_checker_beta.
@rubo77 thanks for the latest addition, you even added some of the JNDIContextSelector.class hashes to the prepackaged hash file. Thanks a lot.
I have one further question which I did not figure out from the code:
Given an EAR file a.ear containing amongst others eg. a WAR file b.war which again contains a JAR file named c.jar which may contain a repackaged / rebundled version of the susceptible JndiLookup/JndiContextSelector.classes will your script recurse into a.ear to unpack b.war and then c.jar to generate the hashes for comparison of the class files ?
Ie. does your script run a recursive, depth-first search to find log4j or the suspected Class files in any packaged EAR/WAR/JAR combination our fellow developers came/come up with when developing and adding dependencies to their application stack of libraries ?
Though should I add a separate issue for such a deep inspection ?
@whenselm Regarding 2. I dunno if this is really feasible or useful doubting the impact of calculating the hashes locally vs. the overhead of transferring the classes and calculate hashes remotely.
from log4j_checker_beta.
should I add a separate issue for such a deep inspection ?
new issue: #21
The best would be if you would provide a pull request to the issue, because I won't have time for this this this.
from log4j_checker_beta.
I have one question: Why are the provided hashes for "JNDIContextSelector.class" and not for "JndiLookup.class"?
We got patches for our embedded systems, AFAIK they only removed "JNDILookup.class" from the .jar files (2.0) . But I still get vulnerable results when running the script. In general, this issue can be closed. Performance/CPU load is now ok, when not running in verbose mode
from log4j_checker_beta.
@gmoniker : maybe you can say something about the hashes?
they were added at 2e55b73
from log4j_checker_beta.
@whenselm
I have compared the SHA256 Hashes with those in other tools before and afair they matched the log4j-core-x.jar or the JndiLookup.class file in general, i.e. those lines with the log4j version at the end.
These are both in the scstanton and mubex lists I referenced above.
There is only two hashes for the JNDIContextSelector.class
I believe this is for 1.x and 2.x maybe @gmoniker can comment on my assumption.
from log4j_checker_beta.
@stefan123t did you notice the commit, where I added two more hashes?
from log4j_checker_beta.
a lot of (~half )provided hashes are doublettes. Should be concatenated to improve scan speed (add corresponding version on right side rather than one hash per version). I do not know how to comit a change ...
so line 2,4,8,10,16,19,21,22,24,25,27,28,31,31,33,34,35,37,40,41,42,44 are doubletes.
@stefan123t , I see in the mubex list other hashes from the complee libraries, not the classfile itself? Did you generate /compare it?
from log4j_checker_beta.
Just click the edit button here on GitHub on the top right when you view the hash file.
It leads to a pull request
from log4j_checker_beta.
I checked now the hashes of my embedded system. The script reports false positives because it checks as mentioned JndiContextSelector.class rather than the JndiLookup.class, which was removed from the embedded system
here version 2.5
for comparison, this is the corect sha-256 hash for version 2.5
from log4j_checker_beta.
Dear @whenselm,
No I did not compare it thoroughly enough. Your assumptions are right. I guess though that the JndiContextSelector.class hashes have been added to also catch cases of the ctx: / context vulnerability detected later as CVE-2021-450346 and fixed in IMHO 2.17 or even 2.17.1 respectively.
Therefor you may want to scan also those hashes.
Regarding the duplicate hashes that were seen I agree that they should be merged into one unique line. Is the second column used eg for output ? If yes it should contain a list of the affected version numbers to display.
Kind regards,
Stefan
from log4j_checker_beta.
Related Issues (15)
- Bundled JVMs HOT 4
- CentOS 7, line 15, information, command not found. HOT 4
- Use counter instead of hexdump HOT 1
- the find_jar_files is making a mess and the while id considering it all as a single line HOT 4
- Find HOT 1
- Recursive depth-first Deep inspection of EAR/WAR/JAR HOT 1
- MacOS, mktemp illegal option HOT 2
- Fails to find wget
- Need to add other JndiLookup.class version hashes and a cmdline argument which hashes to use
- It refuses to create the tempdir locally
- dpkg HOT 2
- DNF vs YUM, may want to add DNF to the package managers in this script, either/or with YUM HOT 3
- Maintainer wanted
- Hashes required? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from log4j_checker_beta.