-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please add support 3 CVE (log4j) #10
Comments
@trust1345 CVE-2021-42550 is logback, not log4j vulnerability. |
Yes, this is understandable, but I think that the scanner has almost everything ready to implement the search for this CVE. |
logback have different version numbers, different folder structure. I will check that later |
@trust1345 added detection of CVE-2017-5645. |
Hi @HynekPetrak version https://github.com/HynekPetrak/log4shell-finder/tree/95a52803f3cca82803e10600ef56a2f845abb209 Run task with samples these https://github.com/mergebase/log4j-samples |
Fixed, please check |
Thanks, I'm still checking out different options. |
Tried to bring the table up to date. log4J 2.x
log4J 1.x
reload4jFork log4J 1.x reload4j (2022-01-12 - first release reload 4 about project 1.2.18.0 ) with the elimination of security vulnerabilities, released as a new version in the log4j 1 branch.x while maintaining backward compatibility (not considering hardening)
Other CVEsOther CVEs require the same approach (search and parse) as log4j just contained in other products.
|
added support for CVE-2019-17571 (9.8) |
note CVE-2017-5645 is already supported. |
added support for CVE-2022-23307 (8.1) |
Maybe this will help |
In all cases that I have been able to check, the latest version works well. I think we need to make a release. PS. Updated the information in the table above |
Fix CVE-2020-9488 place in the table (move to log4j 2.x). |
added detection of CVE-2022-23305 (8.1) |
With release I would rather wait for me fixing the false positives on reload4j: [+] [CVE-2019-17571 (9.8), CVE-2021-4104 (7.5), CVE-2022-23307 (8.1)] Package /home/hynek/war.bak/reload4j/reload4j-1.2.18.1.jar contains Log4J-None <= 1.2.17 |
added detection of CVE-2022-23305, CVE-2022-23302 and proper handling of reload4j. Detection of CVE-2022-23307 is equivalent to CVE-2020-9493 @trust1345 test on your dataset, please. I'm ready to make a release.\ My test case:
|
2021-01-21 - Release of reload4j 1.2.18.2 PS. |
Checked the latest version from git, something went wrong I think.
|
They actually fixed the CVE-2022-23305 already in 1.2.18.1 by removing the JDBCAppender completely. In version 1.2.18.2 they brought it back hardened. So they way I'm reporting it, I believe, is correct. |
@trust1345 I've possibly reworked the detection logic, still need to test before release. Please test on your side, if possible. |
OK, I agree |
Updated the table according to |
I doubt that
(log4j-1.x) |
Why illogical? OLDSAFE is meant for log4j 1.x with no CVE. By definition |
For example, it says here (CVE-2022-23302) Description: I think that just no one wants to dig into the old code to find out the details. But at the moment I have not found such information in the descriptions on reliable sources. Perhaps you should leave it like this, waiting until the analysis from nist is over |
CVE-2021-4104 is a bug of JMSAppender class - in your example there is no JMSAppender, so it's not vulnerable to CVE-2021-4104. For every CVE I'm trying to identify the vulnerable piece of code and the patch applied in order to empirically check, whether that particular instance of log4j is vulnerable or not. |
In all cases that I have been able to check, the latest version works well. |
Updated the table (nvd.nist.gov) |
It is especially important to detect CVE-2021-42550
Maybe in the documentation (readme) such a table will be useful
The text was updated successfully, but these errors were encountered: