Lunasec Versions

LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

v1.3.0-log4shell

2 years ago

Changelog

This release fixes some issues that were raised about false positives with Log4j 2.15.0. This CLI tool is also tested against both the Apache and the Maven builds of the library, since their hashes were observed to differ in some cases.

ab5abab2 Basic technical analysis of the Log4Shell exploit
99d89964 Better phrasing
5aadc823 Blog post updates
9a159fde CLI UX improvements and more legalish warnings
861c385c Fix bad image links by using MDX syntax instead
13cd33f2 Fix formatting
4395867e Fix image link for bad image also
d74964cc Fix image links to be persistent
a60fddcb Fix some typos
a582d5cf Merge branch 'hotpatch-improvements' of github.com:lunasec-io/lunasec into hotpatch-improvements
6e4314a3 Merge branch 'master' into improve-scanner-reliability
53d0b1cf Merge pull request #311 from lunasec-io/hotpatch-improvements
64254cd3 Merge pull request #312 from lunasec-io/update-patch-section
c7043c69 Merge pull request #313 from lunasec-io/fix-bad-image-links
e74319fe Merge pull request #319 from natrem/detect-elastic-apm
6b8618e2 Merge pull request #322 from lunasec-io/fix-post-warning
4126b0ba Merge pull request #329 from dhoizner/feat/scan-zip-archives
9e917022 Merge pull request #331 from lunasec-io/fix-typo-in-property-name
cf602124 Merge pull request #333 from lunasec-io/log4j-exploit-analysis-blog-post
bb8d2533 Tweaks
9f248924 Update Patch section with new notes
254ade8d Update timestamps
fbf14b10 Wordsmithing
195cbc4b add payload url to the print out in the cli
65dbfe89 bump version
400c6e37 feat: scan into zip archives in addition to jar+war
34c76115 fix typo
0e27f16e log4shell and 2.15.0 cves are distinct in findings now
1f0f3bfc pull all maven and apache versions of log4j
fc357889 scan library before browsing it
ea2f1afb script for downloading all log4j versions
4a3d9220 update blog post to fix changes suggested in issues
79aab2e7 update blog to include java decomp
f42427a7 use webarchive to reference zero day tweet

v1.1.2-log4shell

2 years ago

Changelog

898e19dd Change links to the generic Releases page
ee9655eb Merge branch 'master' into hotpatch-improvements
58e1478e Merge pull request #309 from lunasec-io/blog-includes-hot-patch-cli
f92099d5 Merge pull request #310 from lunasec-io/cli-ux
2132b5a1 Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
579472e0 add docker-compose and update readme with some commands
f1945c30 add live patch blog post
02f39cfd added more options to the hotpatch server and added a landing page
cc2b9157 blog mentions hot patch cli
4856a510 bump version of log4shell cli
3cf46599 change dependency to not panic
c6a4f579 update blog posts
6187edd1 update hotpatch server to have more descriptive text

v1.1.1-log4shell

2 years ago

Changelog

scan now pretty-prints results by default.

v1.1.0-log4shell

2 years ago

Changelog

Added a hotpatch command that attempts to use the bug against itself to patch the vulnerability in a running server.

Added severity levels for the different log4j versions detected by scan, and included 2.15.0 in the vulnerable versions.

Commit Log

dfa5cb59 Add CVE number back to first line of text for SEO
f0478fad Add log4j to first sentence
f4ef8a1f Add log4shell CLI tool
3df90893 Add option to write outputs to a file.
007212a7 Add social links and update main Readme
6849b468 Adding command for running log4shell hotpatch server. The command brings up the servers, but they currently do not work.
2ebe83b3 Bump version
86d0fb52 Change version to beta
dd21d161 Content reworking
d0202768 Enabled options for printing out json for parsing results.
6e88ba6d Fix Master CI
7fa24c42 Fix bad link in blog post
209e3ad5 Fix bad path
1d79ccef Fix entrypoint for package
28f4278b Fix grammar in mitigation guide
18ff24a2 Fix renamed directory
457d281c Fix script to work with both a specific path or in the current folder
94ce327f Fix typo
aca37df6 Hotpatching works when being tested locally against vulnerable spring server.
a7384c0d Merge branch 'add-log4shell-cli' of github.com:lunasec-io/lunasec into add-log4shell-cli
86dc3970 Merge branch 'master' into add-log4shell-cli
b89fed58 Merge branch 'master' into log4shell-vuln-finder
b7f58e4c Merge pull request #283 from lunasec-io/add-log4shell-cli
ad7840c5 Merge pull request #285 from lunasec-io/log4shell-vuln-finder
f5e6a3e9 Merge pull request #286 from lunasec-io/fix-ci-on-master
66cacc51 Merge pull request #288 from lunasec-io/update-mitigation-guide
9a1c3c81 Merge pull request #289 from lunasec-io/fix-bad-link-in-post
78e9ac56 Merge pull request #290 from slovdahl/patch-1
a3e5bfc6 Merge pull request #293 from lunasec-io/dec13-blog-edits
de48c4d4 Merge pull request #294 from lunasec-io/add-social-links-to-mitigation-guide
8eb17dba Merge pull request #296 from lunasec-io/log4shell-vuln-finder
5252c628 Merge pull request #297 from lunasec-io/mitigation-edits-forrest
708a471c Merge pull request #302 from natrem/patch-1
5fb29d04 Merge pull request #303 from lunasec-io/no-lookups-no-worky
2307b8d4 Merge remote-tracking branch 'origin/master' into mitigation-edits-forrest
9a9a79a1 Mitigation edits forrest (#295)
8b896f13 More post cleanup
7831485c More post cleanup
4eac2041 Remove thank you line
2279eb66 Scanner finds 2.15 (#305)
91d70d86 Update 2021-12-09-log4j-zero-day.md
90a4e6ec Update 2021-12-09-log4j-zero-day.md
d81ffb42 WIP blog post
c59a38a4 Wrap up the Log4Shell Mitigation Guide doc
312a99d5 Write up the rest of the blog post
85060ce2 add contact form, what a doozy
471f56b6 add warnings about 2.15 and flag
cea63e88 also find war files
a1a365cd better warning
ab10a9f5 big mitigation edits
c76f49b3 blog edits to header example
b6b2dcd6 few tiny edits
04317974 fix english (#304)
817388a5 fix package mistake
d59ad407 fix typo and add CVE name
1c0c95b6 log4shell scanning cli initial commit
54acae91 make hash downloading automatic even if not using NPM
a9145cfb mention log4j 2.16
a2d76373 merge master
7c828870 more CVE mentions
b6a70040 move log4shell to tools
e0f97969 remove bad dep and eslint ignore something
a717e205 small edits linking two blog posts together and other nits
56fe9946 update Log4ShellHotpatch
cddae2ce update binary name to log4shell
a9199b77 when scanning archives, scan nested ones

v1.0.0-log4shell

2 years ago

Changelog

Initial release of the log4shell CLI. These changes add functionality for searching directories for files whose hash matches a known vulnerable log4j dependency.