CVE 2021 44228 Scanner Versions Save

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228

2 years ago

Detect also CVE-2021-44832 RCE vulnerability for log4j 2.17.0, 2.12.3, 2.3.1. See #218
- https://nvd.nist.gov/vuln/detail/CVE-2021-44832
- https://logging.apache.org/log4j/2.x/security.html
- --fix option does not mitigate 2.17.0. It should be upgraded.

2 years ago

Do not use this version. --fix option should not touch 2.17.0 binary.
Detect also CVE-2021-44832 RCE vulnerability for log4j 2.17.0, 2.12.3, 2.3.1. See #218
- https://nvd.nist.gov/vuln/detail/CVE-2021-44832
- https://logging.apache.org/log4j/2.x/security.html

2 years ago

Do not detect Log4j 2.3.1 (for jdk6) and Log4j 2.12.3 (for jdk7) as vulnerable version. See #213
- CVE-2021-44228 is fixed in Log4j 2.12.2, but Log4j 2.12.2 has CVE-2021-45105. See https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- CVE-2021-45105 is fixed in Log4j 2.12.3 for jdk7. See https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- CVE-2021-45105 is fixed in Log4j 2.3.1 for jdk6. See https://logging.apache.org/log4j/2.x/security.html

2 years ago

Fixed read-only file may be left in writable state. See #211
Restrict use of both --report-csv and --report-json only if --report-path option is specified. See #210
Print mitigated tag for version undetected binaries. See #197

2 years ago

Support --report-dir with --report-json option. See #203
Suppress error report for broken symlink except explicitly specified input path. See #202

2 years ago

Robust JAR or ZIP decompression. See #198
- Desperately, I found out that there is no sound and complete ZIP implementation in Java world.
- Even commons-compress cannot decompress all known ZIP samples properly.
- Implemented robustness by repetitive trial.
Follow symbolic link if input file path is explicitly specified. See #193
Added afs and autofs to ignore filesystem list. #194
Use dynamic library link due to GraalVM native-image bug. #192
- See https://github.com/oracle/graal/issues/3099
- If you know how to workaround, please let me know.

2 years ago

2 years ago

Added --syslog-level option. See #186
- Default mode info sends also MITIGATED report. This is right option for BI reporting
- Use alert level for SIEM integration.
- Use debug level for error reporting
Added --backup-ext option. See #141 , #181
- Default extension is zip.
Added --backup-path option.
- You can fully customize backup file path.

2 years ago

Revised CSV formatting. See #185
Signed and notarized Mach-O binary for automation. See #175
- Developer ID Application is log4j2-scan

2 years ago

Added --restore [backup_file_path] option. See #150
- Scanner archive all .bak files into the single log4j2_scan_backup_yyyyMMdd_HHmmss.zip file, then delete all .bak files automatically since v2.5.0.
- If you ensure that application works well after mitigation patch, you can delete .zip backup file.
- If you want to restore original vulnerable files, you can easily restore files using --restore option.
Added --syslog-udp [remote_ip:port] option.
- Integrate this scanner into your SIEM. e.g. Logpresso, Splunk, or Elastic. See #183
- Example: {"time": "2021-12-21 00:00:36+0900", "hostname": "XERAPH", "path": "/path/to/log4j-core-2.16.0.jar", "entry": "", "product": "Log4j 2", "version": "2.16.0", "cve": "CVE-2021-45105", "status": "VULNERABLE", "fixed": false}