From 24e21645784e23c5f402d71a6b162e25d567bf7c Mon Sep 17 00:00:00 2001 From: breadchris Date: Thu, 16 Dec 2021 14:03:05 -0500 Subject: [PATCH 01/12] bump cli version to 1.3.2 Former-commit-id: c273bcb0e79140479e4dc31e2668c8feea017531 Former-commit-id: ddbf07b3dd09901ab9178d59b9edb86e5bebb0da --- tools/log4shell/constants/version.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/log4shell/constants/version.go b/tools/log4shell/constants/version.go index d2f40bcc6..42594c23a 100644 --- a/tools/log4shell/constants/version.go +++ b/tools/log4shell/constants/version.go @@ -14,4 +14,4 @@ // package constants -const Version = "1.3.1" +const Version = "1.3.2" From 977392da984118cc53127d54ed33329e2355697f Mon Sep 17 00:00:00 2001 From: Forrest Date: Thu, 16 Dec 2021 13:42:07 -0800 Subject: [PATCH 02/12] warning about virus scanners in blog post Former-commit-id: 70d405f32c17b424c6df643da99a2fba445a7a02 Former-commit-id: 986958d5faca2c49f8a60cb2038bb9702e2fe14c --- docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx b/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx index 28c4ad920..8a8949477 100644 --- a/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx +++ b/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx @@ -96,6 +96,8 @@ log4shell scan your-project-dir/ ```shell title="Example Windows Command" log4shell.exe scan your-project-dir/ ``` +Because the tool contains exploit strings needed for the `livepatch` command, it might be falsely recognized as malware by some +virus scanners on Windows. Please add an exception for it. **Example Output** ```shell From 58766aaaf5db6c024f3f8c5b3fdf9fcd8d07d347 Mon Sep 17 00:00:00 2001 
From: breadchris Date: Thu, 16 Dec 2021 16:59:49 -0500 Subject: [PATCH 03/12] resolve symlinks while scanning Former-commit-id: 427e49150ba6537983273785dda2fa79bf612220 Former-commit-id: 251a9645604a8bf13937a2d38c55d5b91df1c8d5 --- tools/log4shell/scan/scan.go | 20 ++++++++---- .../{ => not-jars}/not-a-valid-jar.jar | 0 .../not-jars/symlink-to-log4j-core-2.0.1.jar | 1 + tools/log4shell/util/fs.go | 31 +++++++++++++++++-- 4 files changed, 44 insertions(+), 8 deletions(-) rename tools/log4shell/test/vulnerable-log4j2-versions/{ => not-jars}/not-a-valid-jar.jar (100%) create mode 120000 tools/log4shell/test/vulnerable-log4j2-versions/not-jars/symlink-to-log4j-core-2.0.1.jar diff --git a/tools/log4shell/scan/scan.go b/tools/log4shell/scan/scan.go index 14856a45b..f21d632ad 100644 --- a/tools/log4shell/scan/scan.go +++ b/tools/log4shell/scan/scan.go @@ -79,6 +79,14 @@ func (s *Log4jDirectoryScanner) Scan( return } + if info.Mode() & os.ModeSymlink != 0 { + // overwrite path and info with the resolved symlink file values + path, info, err = util.ResolveSymlinkFilePathAndInfo(path) + if err != nil { + return + } + } + fileExt := util.FileExt(path) switch fileExt { case constants.JarFileExt, constants.WarFileExt: @@ -105,7 +113,7 @@ func (s *Log4jDirectoryScanner) scanLocatedArchive( log.Warn(). Str("path", path). Err(err). - Msg("unable to open archive") + Msg("unable to open located archive") return } defer file.Close() @@ -130,7 +138,7 @@ func (s *Log4jDirectoryScanner) scanArchiveForVulnerableFiles( log.Warn(). Str("path", path). Err(err). - Msg("unable to open archive") + Msg("unable to open archive for scanning") return } @@ -169,7 +177,7 @@ func (s *Log4jDirectoryScanner) scanFile( } return } - return s.scanArchive(path, file) + return s.scanEmbeddedArchive(path, file) } return } 
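Review bot: A dangling or unreadable symlink looks like it will stop the whole scan. The added block in Scan's walk callback assigns the resolver's error to `err` and returns; if `err` is the callback's result, filepath.Walk aborts on it and searchDir (changed in this same commit) then panics. Skipping the entry after the warning, e.g. `return nil` instead of the bare `return`, would keep the rest of the tree scanned. The resolved target may also lie outside the scanned directory, be reached a second time by the walk itself, or not be a regular file, so a `!info.Mode().IsRegular()` skip and de-duplication by resolved path are worth adding. The callback's signature is outside the hunk, so the error path is inferred.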
@@ -191,7 +199,7 @@ func (s *Log4jDirectoryScanner) scanArchiveFile( return s.processArchiveFile(reader, path, file.Name) } -func (s *Log4jDirectoryScanner) scanArchive( +func (s *Log4jDirectoryScanner) scanEmbeddedArchive( path string, file *zip.File, ) (findings []types.Finding) { @@ -201,7 +209,7 @@ func (s *Log4jDirectoryScanner) scanArchive( Str("classFile", file.Name). Str("path", path). Err(err). - Msg("unable to open archive") + Msg("unable to open embedded archive") return } defer reader.Close() @@ -212,7 +220,7 @@ func (s *Log4jDirectoryScanner) scanArchive( Str("classFile", file.Name). Str("path", path). Err(err). - Msg("unable to read archive") + Msg("unable to read embedded archive") return } diff --git a/tools/log4shell/test/vulnerable-log4j2-versions/not-a-valid-jar.jar b/tools/log4shell/test/vulnerable-log4j2-versions/not-jars/not-a-valid-jar.jar similarity index 100% rename from tools/log4shell/test/vulnerable-log4j2-versions/not-a-valid-jar.jar rename to tools/log4shell/test/vulnerable-log4j2-versions/not-jars/not-a-valid-jar.jar diff --git a/tools/log4shell/test/vulnerable-log4j2-versions/not-jars/symlink-to-log4j-core-2.0.1.jar b/tools/log4shell/test/vulnerable-log4j2-versions/not-jars/symlink-to-log4j-core-2.0.1.jar new file mode 120000 index 000000000..530e38a55 --- /dev/null +++ b/tools/log4shell/test/vulnerable-log4j2-versions/not-jars/symlink-to-log4j-core-2.0.1.jar @@ -0,0 +1 @@ +../apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar \ No newline at end of file diff --git a/tools/log4shell/util/fs.go b/tools/log4shell/util/fs.go index bb42bd079..318d4ae2d 100644 --- a/tools/log4shell/util/fs.go +++ b/tools/log4shell/util/fs.go @@ -15,7 +15,8 @@ package util import ( - "log" + "github.com/rs/zerolog/log" + "os" "path/filepath" "strings" ) 
@@ -27,7 +28,11 @@ func FileExt(path string) string { func searchDir(searchDir string, callback filepath.WalkFunc) { err := filepath.Walk(searchDir, callback) if err != nil { - log.Fatal(err) + log.Error(). + Err(err). + Str("searchDir", searchDir). + Msg("Unable to walk directory") + panic(err) } } @@ -37,3 +42,25 @@ func SearchDirs(searchDirs []string, callback filepath.WalkFunc) { searchDir(dir, callback) } } + +func ResolveSymlinkFilePathAndInfo(symlinkPath string) (path string, info os.FileInfo, err error) { + path, err = filepath.EvalSymlinks(symlinkPath) + if err != nil { + log.Warn(). + Str("path", path). + Err(err). + Msg("unable to read symlink to file") + return + } + + // use file info of the resolved file + info, err = os.Lstat(path) + if err != nil { + log.Warn(). + Str("path", path). + Err(err). + Msg("unable to read file info of symlink file") + return + } + return +} From 3be42d738f35f4a6026921a7953c47a8bed41ca7 Mon Sep 17 00:00:00 2001 From: Forrest Date: Thu, 16 Dec 2021 14:49:13 -0800 Subject: [PATCH 04/12] switch all logs to stdout and prettier formatting for scan results Former-commit-id: 5b506a12fe1ec36aa37f7db85e810d9b279af9c2 Former-commit-id: 9aa02eae6136d1c8682ba02f440d7ccf153ef7e5 --- docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx | 2 +- tools/log4shell/commands/flags.go | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx b/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx index 8a8949477..dde1fc324 100644 --- a/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx +++ b/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx 
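Review bot: In searchDir, `panic(err)` right after the structured error log means one directory that cannot be walked ends the run with a Go stack trace and leaves the remaining entries of SearchDirs unscanned. If the intent is only to stop exiting from library code, consider logging and returning so the loop in SearchDirs continues, with the failure recorded so the process still exits non-zero and an incomplete scan is not read as a clean one. If aborting is intended, a comment such as `// a partial scan would under-report, so abort` would make that explicit.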
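Review bot: The first warning in ResolveSymlinkFilePathAndInfo logs `Str("path", path)`, but `path` is the result of the failed `filepath.EvalSymlinks` call and is empty on error, so the log will not say which link could not be resolved; use `Str("path", symlinkPath)` there. The exported function also has no doc comment; `// ResolveSymlinkFilePathAndInfo returns the fully resolved target of symlinkPath and the FileInfo of that target.` would cover it. Since the function both logs and returns the error, a caller that also logs would report each failure twice.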
@@ -97,7 +97,7 @@ log4shell scan your-project-dir/ log4shell.exe scan your-project-dir/ ``` Because the tool contains exploit strings needed for the `livepatch` command, it might be falsely recognized as malware by some -virus scanners on Windows. Please add an exception for it. +virus scanners on Windows. Please add an exception for it. **Example Output** ```shell diff --git a/tools/log4shell/commands/flags.go b/tools/log4shell/commands/flags.go index 417167e4f..b50a68322 100644 --- a/tools/log4shell/commands/flags.go +++ b/tools/log4shell/commands/flags.go @@ -44,10 +44,16 @@ func enableGlobalFlags(c *cli.Context) { jsonFlag := c.Bool("json") if !jsonFlag { // pretty print output to the console if we are not interested in parsable output - consoleOutput := zerolog.ConsoleWriter{Out: os.Stderr} + consoleOutput := zerolog.ConsoleWriter{Out: os.Stdout} consoleOutput.FormatFieldName = func(i interface{}) string { return fmt.Sprintf("\n\t%s: ", util.Colorize(constants.ColorBlue, i)) } + consoleOutput.FormatLevel = func(i interface{}) string { + if (i == nil){ + return util.Colorize(constants.ColorBold,"Scan Result:") + } + return fmt.Sprintf("%s",i) + } log.Logger = log.Output(consoleOutput) } From 6b0353993c360edafd719be5680da24d0316352b Mon Sep 17 00:00:00 2001 From: Forrest Date: Thu, 16 Dec 2021 15:03:30 -0800 Subject: [PATCH 05/12] slightly better log level printing Former-commit-id: 1c98ea08cdd9bf75e9cf808976a939280b1728e0 Former-commit-id: 71807c1355c23c9b6643113632522253ee702d3c --- tools/log4shell/commands/flags.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/log4shell/commands/flags.go b/tools/log4shell/commands/flags.go index b50a68322..5aaf73659 100644 --- a/tools/log4shell/commands/flags.go +++ b/tools/log4shell/commands/flags.go 
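Review bot: The new FormatLevel closure in enableGlobalFlags is not gofmt-clean and its nil branch is unexplained. `if (i == nil){` should be `if i == nil {`, and the two calls need a space after the comma (`constants.ColorBold, "Scan Result:"`, `"%s", i`). The nil case labels every event that carries no level as "Scan Result:", which presumably relies on findings being the only level-less events; a comment such as `// events without a level are the scan findings` would record that assumption. enableGlobalFlags begins and ends outside this hunk.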
@@ -48,11 +48,13 @@ func enableGlobalFlags(c *cli.Context) { consoleOutput.FormatFieldName = func(i interface{}) string { return fmt.Sprintf("\n\t%s: ", util.Colorize(constants.ColorBlue, i)) } + + consoleOutput.FormatLevel = func(i interface{}) string { if (i == nil){ return util.Colorize(constants.ColorBold,"Scan Result:") } - return fmt.Sprintf("%s",i) + return fmt.Sprintf("| %-6s |", i) } log.Logger = log.Output(consoleOutput) From 2134a3f59070b65a0038cdf949cb1b812c53557e Mon Sep 17 00:00:00 2001 From: Forrest Date: Thu, 16 Dec 2021 18:40:55 -0800 Subject: [PATCH 06/12] add manual releasing instructions Former-commit-id: be2b698a37bc4f01e4245f29476321a18e35c287 Former-commit-id: 2d4cfa9974b0531e1ce56512497f399465932e83 --- tools/log4shell/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tools/log4shell/README.md b/tools/log4shell/README.md index f00cae7c5..9c486c045 100644 --- a/tools/log4shell/README.md +++ b/tools/log4shell/README.md @@ -81,3 +81,11 @@ make build && ./log4shell ## Releases Find the compiled tool for your OS [here](https://github.com/lunasec-io/lunasec/releases/). + + +## How to manually release to github +```shell +git tag -a v-log4shell -m "" +git push origin v-log4shell +GITHUB_TOKEN= goreleaser release --rm-dist +``` \ No newline at end of file From e464c4f89091b8bbbac7fc981de540fe64d80c65 Mon Sep 17 00:00:00 2001 From: breadchris Date: Thu, 16 Dec 2021 22:05:03 -0500 Subject: [PATCH 07/12] fix false positive for 2.16.0 and 2.15.0 Former-commit-id: bca90187ba1b810d7417c9fce68a8a1446cbabb6 Former-commit-id: 4794b8b2f3b624bfa610fcac42e46035b32af61a --- tools/log4shell/analyze/analyze.go | 4 +- tools/log4shell/commands/flags.go | 2 +- tools/log4shell/constants/vulnerablehashes.go | 37 +-- tools/log4shell/log4j-library-hashes.json | 309 +++++++----------- tools/log4shell/scan/scanfile.go | 2 +- 5 files changed, 126 insertions(+), 228 deletions(-) 
diff --git a/tools/log4shell/analyze/analyze.go b/tools/log4shell/analyze/analyze.go index 36a127fb0..fa86d72bc 100644 --- a/tools/log4shell/analyze/analyze.go +++ b/tools/log4shell/analyze/analyze.go @@ -83,14 +83,14 @@ func ProcessArchiveFile(reader io.Reader, filePath, fileName string) (finding *t versionCve := "" if isVersionALog4ShellVersion(semverVersion) { - if !strings.Contains(fileName, "JndiLookup.class") { + if !strings.Contains(fileName, "JndiManager.class") { return } versionCve = constants.Log4ShellCve } if isVersionACVE202145046Version(semverVersion) { - if !strings.Contains(fileName, "JndiManager$JndiManagerFactory.class") { + if !strings.Contains(fileName, "JndiManager.class") { return } versionCve = constants.CtxCve diff --git a/tools/log4shell/commands/flags.go b/tools/log4shell/commands/flags.go index 417167e4f..68af52ca2 100644 --- a/tools/log4shell/commands/flags.go +++ b/tools/log4shell/commands/flags.go @@ -44,7 +44,7 @@ func enableGlobalFlags(c *cli.Context) { jsonFlag := c.Bool("json") if !jsonFlag { // pretty print output to the console if we are not interested in parsable output - consoleOutput := zerolog.ConsoleWriter{Out: os.Stderr} + consoleOutput := zerolog.ConsoleWriter{Out: os.Stdout} consoleOutput.FormatFieldName = func(i interface{}) string { return fmt.Sprintf("\n\t%s: ", util.Colorize(constants.ColorBlue, i)) } diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index abfb526f2..55397f364 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go @@ -17,6 +17,7 @@ package constants import "github.com/lunasec-io/lunasec/tools/log4shell/types" var ( + NotVulnerable = "Not Vulnerable" Log4ShellCve = "CVE-2021-44228" CtxCve = "CVE-2021-45046" Log4j1RceCve = "CVE-2019-17571" 
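Review bot: Keying both branches of ProcessArchiveFile on `JndiManager.class` appears to drop class-hash coverage for log4j-core 2.0-beta9 through 2.0.2. The table removed from vulnerablehashes.go lists only `JndiLookup.class` hashes for those releases, and the regenerated log4j-library-hashes.json no longer has entries for them, so unless the archive-hash path catches the jar these CVE-2021-44228 versions may now go unreported; consider keeping a `JndiLookup.class` fallback for versions below 2.1.0. `strings.Contains` also accepts any entry whose name merely contains the string; assuming fileName is the in-archive path as in the hash JSON, `strings.HasSuffix(fileName, "/JndiManager.class")` is tighter. Separately, the regenerated JSON still tags 2.12.2 with CVE-2021-44228 although that release is the Java 7 backport of the fix, so the version range check may need an exclusion. ProcessArchiveFile starts and ends outside this hunk.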
@@ -38,37 +39,11 @@ const ( ) // from: https://github.com/hillu/local-log4j-vuln-scanner/blob/master/log4j-vuln-finder.go#L16 -var KnownVulnerableClassFileHashes = types.VulnerableHashLookup{ - "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8": { Name: "log4j 2.0-rc1", CVE: Log4ShellCve}, // JndiLookup.class - "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2": { Name: "log4j 2.0-rc2", CVE: Log4ShellCve}, // JndiLookup.class - "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e": { Name: "log4j 2.0.1", CVE: Log4ShellCve}, // JndiLookup.class - "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c": { Name: "log4j 2.0.2", CVE: Log4ShellCve}, // JndiLookup.class - "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29": { Name: "log4j 2.0", CVE: Log4ShellCve}, // JndiLookup.class - "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32": { Name: "log4j 2.7-2.8.1", CVE: Log4ShellCve}, // JndiManager.class - "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de": { Name: "log4j 2.12.0-2.12.1", CVE: Log4ShellCve}, // JndiManager.class - "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6": { Name: "log4j 2.9.0-2.11.2", CVE: Log4ShellCve}, // JndiManager.class - "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7": { Name: "log4j 2.4-2.5", CVE: Log4ShellCve}, // JndiManager.class - "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246": { Name: "log4j 2.6-2.6.2", CVE: Log4ShellCve}, // JndiManager.class - "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407": { Name: "log4j 2.8.2", CVE: Log4ShellCve}, // JndiManager.class - "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6": { Name: "log4j 2.14.0-2.14.1", CVE: Log4ShellCve}, // JndiManager.class - "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c": { Name: "log4j 2.1-2.3", CVE: Log4ShellCve}, // JndiManager.class - 
"c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078": { Name: "log4j 2.13.0-2.13.3", CVE: Log4ShellCve}, // JndiManager.class - - // The following shas for version 2.15 detect a valid but lower level of severity vulnerability, CVE CVE-2021-45046 - "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f" :{ Name:"log4j 2.15.0" , CVE: CtxCve}, // JNDILookup.class - - "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d": { Name: "log4j 1.2.4", CVE: Log4j1RceCve}, // SocketNode.class - "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0": { Name: "log4j 1.2.6-1.2.9", CVE: Log4j1RceCve}, // SocketNode.class - "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9": { Name: "log4j 1.2.8", CVE: Log4j1RceCve}, // SocketNode.class - "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4": { Name: "log4j 1.2.15", CVE: Log4j1RceCve}, // SocketNode.class - "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46": { Name: "log4j 1.2.16", CVE: Log4j1RceCve}, // SocketNode.class - "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74": { Name: "log4j 1.2.17", CVE: Log4j1RceCve}, // SocketNode.class - "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6": { Name: "log4j 1.2.11", CVE: Log4j1RceCve}, // SocketNode.class - "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a": { Name: "log4j 1.2.5", CVE: Log4j1RceCve}, // SocketNode.class - "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c": { Name: "log4j 1.2.12", CVE: Log4j1RceCve}, // SocketNode.class - "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7": { Name: "log4j 1.2.13-1.2.14", CVE: Log4j1RceCve}, // SocketNode.class - "287c1d40f2a4bc0055b32b45f12f01bdc2a27379ec33fe13a084bf69a1f4c6e1": { Name: "log4j 1.2.15.v201012070815", CVE: Log4j1RceCve}, // SocketNode.class -} +// We have previously used these hashes to detect vulnerable libraries, however we now generate library 
hashes +// to prevent false positives. +// var KnownVulnerableClassFileHashes = types.VulnerableHashLookup{ +// ... +// } // from: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt var KnownVulnerableArchiveFileHashes = types.VulnerableHashLookup{ diff --git a/tools/log4shell/log4j-library-hashes.json b/tools/log4shell/log4j-library-hashes.json index f7275dc00..7ecf979f4 100644 --- a/tools/log4shell/log4j-library-hashes.json +++ b/tools/log4shell/log4j-library-hashes.json 
@@ -21,248 +21,206 @@ "version": "1.2.17", "cve": "CVE-2019-17571" }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9", - "cve": "CVE-2021-44228" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", - "version": "2.0.0", - "cve": "CVE-2021-44228" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-rc1", - "cve": "CVE-2021-44228" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", - "version": "2.0.0-rc2", - "cve": "CVE-2021-44228" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", - "version": "2.0.1", - "cve": "CVE-2021-44228" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", - "version": "2.0.2", - "cve": "CVE-2021-44228" - }, { "path": 
"test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", "version": "2.1.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.10.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.11.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.11.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": 
"0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.11.2", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", "version": "2.12.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", "version": "2.12.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.2-bin/log4j-core-2.12.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "febbc7867784d0f06934fec59df55ee45f6b24c55b17fff71cc4fca80bf22ebb", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", "version": "2.12.2", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", 
"version": "2.13.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", "version": "2.13.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", "version": "2.13.2", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", "version": "2.13.3", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", "version": "2.14.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - 
"hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", "version": "2.14.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class", - "hash": "7c99e6d0a680b14748b05d24bcc54883907e057517d278c69788f626fbaebe9d", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", "version": "2.15.0", "cve": "CVE-2021-45046" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.2-bin/log4j-core-2.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", "version": "2.2.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.3-bin/log4j-core-2.3.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", "version": "2.3.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4-bin/log4j-core-2.4.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", 
"version": "2.4.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", "version": "2.4.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.5-bin/log4j-core-2.5.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", "version": "2.5.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6-bin/log4j-core-2.6.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", "version": "2.6.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", "version": "2.6.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": 
"e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", "version": "2.6.2", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.7-bin/log4j-core-2.7.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "cee2305065bb61d434cdb45cfdaa46e7da148e5c6a7678d56f3e3dc8d7073eae", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", "version": "2.7.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8-bin/log4j-core-2.8.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", "version": "2.8.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", "version": "2.8.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "d4ec57440cd6db6eaf6bcb6b197f1cbaf5a3e26253d59578d51db307357cbf15", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", "version": "2.8.2", "cve": 
"CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.9.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.9.1", "cve": "CVE-2021-44228" }, 
@@ -357,241 +315,206 @@ "version": "1.2.9", "cve": "CVE-2019-17571" }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-rc1", - "cve": "CVE-2021-44228" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", - "version": "2.0.0-rc2", - "cve": "CVE-2021-44228" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", - "version": "2.0.1", - "cve": "CVE-2021-44228" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", - "version": "2.0.2", - "cve": "CVE-2021-44228" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", - "version": "2.0.0", - "cve": "CVE-2021-44228" - }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", "version": "2.1.0", "cve": "CVE-2021-44228" }, { "path": 
"test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.10.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.10.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.11.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.11.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.11.2", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", "version": "2.12.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", "version": "2.12.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "febbc7867784d0f06934fec59df55ee45f6b24c55b17fff71cc4fca80bf22ebb", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", "version": "2.12.2", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", "version": "2.13.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", "version": "2.13.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.2.jar", - 
"file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", "version": "2.13.2", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.3.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", "version": "2.13.3", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", "version": "2.14.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", "version": "2.14.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.15.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class", - "hash": "7c99e6d0a680b14748b05d24bcc54883907e057517d278c69788f626fbaebe9d", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": 
"db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", "version": "2.15.0", "cve": "CVE-2021-45046" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", "version": "2.2.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.3.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", "version": "2.3.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", "version": "2.4.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", "version": "2.4.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.5.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": 
"a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", "version": "2.5.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", "version": "2.6.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", "version": "2.6.2", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", "version": "2.6.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.7.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "cee2305065bb61d434cdb45cfdaa46e7da148e5c6a7678d56f3e3dc8d7073eae", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", "version": "2.7.0", "cve": "CVE-2021-44228" }, { "path": 
"test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", "version": "2.8.1", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "d4ec57440cd6db6eaf6bcb6b197f1cbaf5a3e26253d59578d51db307357cbf15", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", "version": "2.8.2", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", "version": "2.8.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.9.0", "cve": "CVE-2021-44228" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", "version": "2.9.1", "cve": "CVE-2021-44228" } diff --git a/tools/log4shell/scan/scanfile.go b/tools/log4shell/scan/scanfile.go index 262c70e9b..159aacbf8 100644 --- a/tools/log4shell/scan/scanfile.go +++ b/tools/log4shell/scan/scanfile.go @@ -70,7 +70,7 @@ func identifyPotentiallyVulnerableFile(reader io.Reader, path, fileName string, Path: path, FileName: fileName, Hash: fileHash, - Version: vulnerableFile.Name, + Version: vulnerableFile.Version, CVE: vulnerableFile.CVE, } return From 52963e38b897538c3d3683c66d4765892d9e12d3 Mon Sep 17 00:00:00 2001 From: breadchris Date: Thu, 16 Dec 2021 23:27:26 -0500 Subject: [PATCH 08/12] analyzer has better semver version checking Former-commit-id: 2dd839192a789c45cebc272a9fab2e03ede68f52 Former-commit-id: 0f3c23a6a293eef92d6eaea649bdf96103de6e6a --- tools/log4shell/analyze/analyze.go | 107 +-- tools/log4shell/constants/vulnerablehashes.go | 34 +- tools/log4shell/findings.json | 708 ++++++++++++++++++ tools/log4shell/log4j-library-hashes.json | 91 +++ tools/log4shell/scan/scanfile.go | 1 + tools/log4shell/types/findings.go | 1 + tools/log4shell/types/vulnerablehashes.go | 8 + 7 files changed, 897 insertions(+), 53 deletions(-) create mode 100644 tools/log4shell/findings.json diff --git a/tools/log4shell/analyze/analyze.go b/tools/log4shell/analyze/analyze.go index fa86d72bc..cb88b53ca 100644 --- a/tools/log4shell/analyze/analyze.go +++ b/tools/log4shell/analyze/analyze.go 
@@ -22,34 +22,23 @@ import (
 "github.com/rs/zerolog/log"
 "io"
 "path"
+ "regexp"
 "strings"
 )
-func isVersionALog4ShellVersion(semverVersion string) bool {
- version, _ := semver.Make(semverVersion)
+var alphaRegex = regexp.MustCompile("([a-z]+)")
- vulnerableRange, _ := semver.ParseRange(">=2.0.0-beta9 <=2.14.1")
- if vulnerableRange(version) {
- return true
- }
- return false
-}
-
-func isVersionACVE202145046Version(semverVersion string) bool {
- version, _ := semver.Make(semverVersion)
-
- vulnerableRange, _ := semver.ParseRange("=2.15.0")
- if vulnerableRange(version) {
- return true
+func versionIsInRange(fileName string, semverVersion string, semverRange semver.Range) bool {
+ version, err := semver.Make(semverVersion)
+ if err != nil {
+ log.Warn().
+ Str("fileName", fileName).
+ Str("semverVersion", semverVersion).
+ Msg("Unable to parse semver version")
+ return false
 }
- return false
-}
-
-func isVersionACVE201917571Version(semverVersion string) bool {
- version, _ := semver.Make(semverVersion)
- vulnerableRange, _ := semver.ParseRange(">=1.2.0 <=1.2.17")
- if vulnerableRange(version) {
+ if semverRange(version) {
 return true
 }
 return false
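Review bot: The warning in `versionIsInRange` drops the parse error, so the log shows the file name and the version string but not why `semver.Make` rejected it; add `Err(err).` to the chain before `Msg("Unable to parse semver version")`. A version that fails to parse is reported as outside every range, and as far as the visible code shows the file then ends up with no CVE assigned, so this warning is the only trace of a possible miss. The tail of the function can also be written as `return semverRange(version)` instead of the `if … return true … return false` form.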
@@ -68,39 +57,61 @@ func adjustMissingPatchVersion(semverVersion string) string {
 return semverVersion
 }
+func fileNameToSemver(fileNameNoExt string) string {
+ fileNameParts := strings.Split(fileNameNoExt, "-")
+
+ var tag, semverVersion string
+ for i := len(fileNameParts) - 1; i >= 0; i-- {
+ fileNamePart := fileNameParts[i]
+ if (
+ strings.HasPrefix(fileNamePart, "1") ||
+ strings.HasPrefix(fileNamePart, "2")) &&
+ strings.Contains(fileNamePart, ".") {
+
+ tagPart := alphaRegex.FindString(fileNamePart)
+ if tagPart != "" {
+ fileNamePart = strings.Replace(fileNamePart, tagPart, "", 1)
+ if tag == "" {
+ tag = tagPart
+ } else {
+ tag = tagPart + "-" + tag
+ }
+ }
+
+ fileNamePart = adjustMissingPatchVersion(fileNamePart)
+
+ if tag == "" {
+ semverVersion = fileNamePart
+ break
+ }
+ semverVersion = fileNamePart + "-" + tag
+ break
+ }
+ if tag == "" {
+ tag = fileNamePart
+ continue
+ }
+ tag = fileNamePart + "-" + tag
+ }
+ return semverVersion
+}
+
 func ProcessArchiveFile(reader io.Reader, filePath, fileName string) (finding *types.Finding) {
 _, file := path.Split(filePath)
- version := strings.TrimSuffix(file, path.Ext(file))
+ fileNameNoExt := strings.TrimSuffix(file, path.Ext(file))
 // small adjustments to the version so that it can be parsed as semver
- semverVersion := strings.Replace(version, "log4j-core-", "", -1)
- semverVersion = strings.Replace(semverVersion, "logging-log4j-", "", -1)
- semverVersion = strings.Replace(semverVersion, "jakarta-log4j-", "", -1)
- semverVersion = strings.Replace(semverVersion, "log4j-", "", -1)
-
- semverVersion = adjustMissingPatchVersion(semverVersion)
+ semverVersion := fileNameToSemver(fileNameNoExt)
 versionCve := ""
- if isVersionALog4ShellVersion(semverVersion) {
- if !strings.Contains(fileName, "JndiManager.class") {
- return
- }
- versionCve = constants.Log4ShellCve
- }
-
- if isVersionACVE202145046Version(semverVersion) {
- if !strings.Contains(fileName, "JndiManager.class") {
- return
- }
- versionCve = constants.CtxCve
- }
-
- if isVersionACVE201917571Version(semverVersion) {
- if !strings.Contains(fileName, "SocketNode.class") {
- return
+ for _, fileVersionCheck := range constants.FileVersionChecks {
+ if versionIsInRange(fileNameNoExt, semverVersion, fileVersionCheck.SemverRange) {
+ if !strings.Contains(fileName, fileVersionCheck.LibraryFile) {
+ return
+ }
+ versionCve = fileVersionCheck.Cve
 }
- versionCve = constants.Log4j1RceCve
 }
 if versionCve == "" {
@@ -126,7 +137,7 @@ func ProcessArchiveFile(reader io.Reader, filePath, fileName string) (finding *t
 if versionCve == "" {
 log.Debug().
 Str("hash", fileHash).
- Str("version", version).
+ Str("version", semverVersion).
 Msg("Skipping version as it is not vulnerable to any known CVE")
 return nil
 }
diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go
index 55397f364..65603a190 100644
--- a/tools/log4shell/constants/vulnerablehashes.go
+++ b/tools/log4shell/constants/vulnerablehashes.go
@@ -14,10 +14,13 @@
 //
 package constants
-import "github.com/lunasec-io/lunasec/tools/log4shell/types"
+import (
+ "github.com/blang/semver/v4"
+ "github.com/lunasec-io/lunasec/tools/log4shell/types"
+)
-var (
- NotVulnerable = "Not Vulnerable"
+
+const (
 Log4ShellCve = "CVE-2021-44228"
 CtxCve = "CVE-2021-45046"
 Log4j1RceCve = "CVE-2019-17571"
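Review bot: In `ProcessArchiveFile` (analyze.go) the new loop calls `versionIsInRange` once per entry of `constants.FileVersionChecks`, so a file name from which `fileNameToSemver` extracts nothing (it returns an empty string when no dash-separated part starts with `1` or `2` and contains a dot) is parsed again and logged as a warning for every check. A guard directly after `semverVersion := fileNameToSemver(fileNameNoExt)`, for example `if semverVersion == "" { return }`, would avoid that, provided the code below the loop does not need to run for such names; that code lies outside the hunk. `fileNameToSemver` also lacks a doc comment stating its rule, e.g. `// fileNameToSemver scans the dash-separated parts of a jar name from the right, takes the first part that looks like a 1.x or 2.x version, and appends the parts to its right as a pre-release tag.` Since `alphaRegex` matches lowercase letters only, an uppercase qualifier fused to the version part is left in place and presumably makes the later parse fail.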
@@ -29,9 +32,30 @@ var (
 CtxCve: "3.7",
 Log4j1RceCve: "9.8",
 }
-)
-type Log4jVersion string
+ FileVersionChecks = []types.LibraryFileVersionCheck{
+ {
+ Cve: Log4ShellCve,
+ SemverRange: semver.MustParseRange(">=2.0.0-beta9 <2.1.0"),
+ LibraryFile: "JndiLookup.class",
+ },
+ {
+ Cve: Log4ShellCve,
+ SemverRange: semver.MustParseRange(">=2.1.0 <=2.14.1"),
+ LibraryFile: "JndiManager.class",
+ },
+ {
+ Cve: CtxCve,
+ SemverRange: semver.MustParseRange("=2.15.0"),
+ LibraryFile: "JndiManager.class",
+ },
+ {
+ Cve: Log4j1RceCve,
+ SemverRange: semver.MustParseRange(">=1.2.0 <=1.2.17"),
+ LibraryFile: "SocketNode.class",
+ },
+ }
+)
 const (
 Log4j1x = "1"
diff --git a/tools/log4shell/findings.json b/tools/log4shell/findings.json
new file mode 100644
index 000000000..346b5875b
--- /dev/null
+++ b/tools/log4shell/findings.json
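Review bot: `LibraryFile` in the new `FileVersionChecks` table holds a bare class name (`JndiLookup.class`, `JndiManager.class`, `SocketNode.class`), and the caller in analyze.go tests it with `strings.Contains(fileName, fileVersionCheck.LibraryFile)`, so any archive entry whose path merely contains that text is accepted as the library file. Storing the full entry path, e.g. `LibraryFile: "org/apache/logging/log4j/core/lookup/JndiLookup.class"`, and comparing with `strings.HasSuffix` would reject unrelated entries such as a constructed `MyJndiLookup.class`. The table also deserves a comment saying that the ranges must not overlap, because the loop in `ProcessArchiveFile` has no `break` and the last matching entry decides the CVE. The enclosing `var (` block starts outside the hunk.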
@@ -0,0 +1,708 @@ +{ + "vulnerable_libraries": [ + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.15/log4j-1.2.15.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4", + "version": "1.2.15", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.16/log4j-1.2.16.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46", + "version": "1.2.16", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.17/log4j-1.2.17.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74", + "version": "1.2.17", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", + "version": "2.0.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + 
"path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + "version": "2.0.0-rc2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "version": "2.0.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", + "version": "2.0.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + 
"severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "version": "2.12.0, 2.12.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": 
"1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "version": "2.12.0, 2.12.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.2-bin/log4j-core-2.12.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", + "version": "2.12.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "version": "2.14.0, 2.14.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "version": "2.14.0, 2.14.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", + "version": "2.15.0", + "cve": "CVE-2021-45046", + "severity": "3.7" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.2-bin/log4j-core-2.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.3-bin/log4j-core-2.3.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4-bin/log4j-core-2.4.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.5-bin/log4j-core-2.5.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6-bin/log4j-core-2.6.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.7-bin/log4j-core-2.7.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8-bin/log4j-core-2.8.jar", + 
"file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", + "version": "2.8.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.1/dist/lib/log4j-1.2.1.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": 
"test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.2/dist/lib/log4j-1.2.2.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.3/dist/lib/log4j-1.2.3.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.4/dist/lib/log4j-1.2.4.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.5/dist/lib/log4j-1.2.5.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a", + "version": "1.2.5", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.6/dist/lib/log4j-1.2.6.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", + "version": "1.2.6, 1.2.7, 1.2.9", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.7/dist/lib/log4j-1.2.7.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", + "version": "1.2.6, 1.2.7, 1.2.9", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": 
"test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.8/dist/lib/log4j-1.2.8.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9", + "version": "1.2.8", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.11/dist/lib/log4j-1.2.11.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6", + "version": "1.2.11", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.12/dist/lib/log4j-1.2.12.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c", + "version": "1.2.12", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.13/dist/lib/log4j-1.2.13.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", + "version": "1.2.13, 1.2.14", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.14/dist/lib/log4j-1.2.14.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", + "version": "1.2.13, 1.2.14", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.9/dist/lib/log4j-1.2.9.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", + "version": "1.2.6, 1.2.7, 1.2.9", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", + "file_name": 
"org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "version": "2.0.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + "version": "2.0.0-rc2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "version": "2.0.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", + "version": "2.0.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", + "version": "2.0.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": 
"ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.10.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "version": "2.12.0, 2.12.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.1.jar", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "version": "2.12.0, 2.12.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", + "version": "2.12.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.3.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.0.jar", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "version": "2.14.0, 2.14.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "version": "2.14.0, 2.14.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.15.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", + "version": "2.15.0", + "cve": "CVE-2021-45046", + "severity": "3.7" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.3.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": 
"3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.5.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.7.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": 
"1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", + "version": "2.8.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + } + ] +} \ No newline at end of file diff --git a/tools/log4shell/log4j-library-hashes.json b/tools/log4shell/log4j-library-hashes.json index 7ecf979f4..bfc6d6ec9 100644 --- a/tools/log4shell/log4j-library-hashes.json +++ b/tools/log4shell/log4j-library-hashes.json 
@@ -21,6 +21,62 @@ "version": "1.2.17", "cve": "CVE-2019-17571" }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", + "version": "2.0.0", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-rc1", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-rc1", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + "version": "2.0.0-rc2", + "cve": "CVE-2021-44228" + }, + { + "path": 
"test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "version": "2.0.1", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", + "version": "2.0.2", + "cve": "CVE-2021-44228" + }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", 
@@ -315,6 +371,41 @@ "version": "1.2.9", "cve": "CVE-2019-17571" }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-rc1", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + "version": "2.0.0-rc2", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "version": "2.0.1", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", + "version": "2.0.2", + "cve": "CVE-2021-44228" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", + "version": "2.0.0", + "cve": "CVE-2021-44228" + }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", diff --git a/tools/log4shell/scan/scanfile.go b/tools/log4shell/scan/scanfile.go index 159aacbf8..0843736f9 100644 --- a/tools/log4shell/scan/scanfile.go +++ b/tools/log4shell/scan/scanfile.go 
@@ -72,6 +72,7 @@ func identifyPotentiallyVulnerableFile(reader io.Reader, path, fileName string, Hash: fileHash, Version: vulnerableFile.Version, CVE: vulnerableFile.CVE, + Severity: severity, } return } diff --git a/tools/log4shell/types/findings.go b/tools/log4shell/types/findings.go index bc81a5a77..82e9ccbe3 100644 --- a/tools/log4shell/types/findings.go +++ b/tools/log4shell/types/findings.go @@ -24,6 +24,7 @@ type Finding struct { Hash string `json:"hash"` Version string `json:"version"` CVE string `json:"cve"` + Severity string `json:"severity"` } type FindingsOutput struct { diff --git a/tools/log4shell/types/vulnerablehashes.go b/tools/log4shell/types/vulnerablehashes.go index df43bee26..3f17d9a64 100644 --- a/tools/log4shell/types/vulnerablehashes.go +++ b/tools/log4shell/types/vulnerablehashes.go @@ -14,6 +14,8 @@ // package types +import "github.com/blang/semver/v4" + type VulnerableHash struct { Name string `json:"name"` Version string `json:"version"` @@ -21,3 +23,9 @@ type VulnerableHash struct { } type VulnerableHashLookup map[string]VulnerableHash + +type LibraryFileVersionCheck struct { + Cve string + SemverRange semver.Range + LibraryFile string +} From 2a409585437abaddbd5da59ff971631a81f80c9b Mon Sep 17 00:00:00 2001 From: breadchris Date: Thu, 16 Dec 2021 23:32:54 -0500 Subject: [PATCH 09/12] improve log colors Former-commit-id: 7ebe74f46e08e27c44a67a254f684b7156f70c3f Former-commit-id: 9848c015093e196721b2950b6585f90fc9730bc3 --- tools/log4shell/commands/flags.go | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/tools/log4shell/commands/flags.go b/tools/log4shell/commands/flags.go index 5aaf73659..ffd160c8b 100644 --- a/tools/log4shell/commands/flags.go +++ b/tools/log4shell/commands/flags.go 
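Review bot: `Severity string` in `Finding` (findings.go hunk) keeps the CVSS score as text, so any consumer that sorts or thresholds findings on it compares lexicographically, and the values in the hashes file on this page order wrongly that way: `"10.0"` sorts below `"3.7"`. If the field stays a string to mirror the JSON input, say so in a comment such as `// Severity is the CVSS base score as published, kept as text; parse before comparing.`; otherwise parse it once where the hash table is loaded. The struct begins before this hunk, and where `severity` is computed in scanfile.go is not visible either.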
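Review bot: The new `LibraryFileVersionCheck` in vulnerablehashes.go spells its field `Cve`, while `Finding` in findings.go uses `CVE`; Go keeps initialisms in a single case, so `CVE string` would keep the two types consistent. The exported type also has no doc comment; something like `// LibraryFileVersionCheck ties a CVE to the semver range of affected releases and the class file used to detect them.` would help. The meaning of `LibraryFile` is inferred from its name here and should be confirmed by the author.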
@@ -49,13 +49,29 @@ func enableGlobalFlags(c *cli.Context) { return fmt.Sprintf("\n\t%s: ", util.Colorize(constants.ColorBlue, i)) } - consoleOutput.FormatLevel = func(i interface{}) string { - if (i == nil){ + if i == nil { return util.Colorize(constants.ColorBold,"Scan Result:") } - return fmt.Sprintf("| %-6s |", i) + + level := i.(string) + + var formattedLevel string + switch level { + case "warn": + formattedLevel = util.Colorize(constants.ColorYellow, level) + case "error": + formattedLevel = util.Colorize(constants.ColorRed, level) + case "info": + formattedLevel = util.Colorize(constants.ColorBlue, level) + case "debug": + formattedLevel = util.Colorize(constants.ColorGreen, level) + default: + formattedLevel = util.Colorize(constants.ColorWhite, level) + } + return fmt.Sprintf("| %s |", formattedLevel) } + log.Logger = log.Output(consoleOutput) } From b5a4ba40fae8c957a0950a4d218e35c881d12205 Mon Sep 17 00:00:00 2001 From: breadchris Date: Thu, 16 Dec 2021 23:33:59 -0500 Subject: [PATCH 10/12] version change is more than a patch, version should reflect this Former-commit-id: c6affa5ddc31a531654823fe13e22dee7d0561b0 Former-commit-id: 5b108a90b4538a968833c95127f703793757e9c4 --- tools/log4shell/constants/version.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/log4shell/constants/version.go b/tools/log4shell/constants/version.go index 42594c23a..64c73e31b 100644 --- a/tools/log4shell/constants/version.go +++ b/tools/log4shell/constants/version.go @@ -14,4 +14,4 @@ // package constants -const Version = "1.3.2" +const Version = "1.4.0" From 67aa3f4a63225b2d50b899086194f9d602d3728e Mon Sep 17 00:00:00 2001 
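Review bot: `level := i.(string)` in the new `FormatLevel` closure is an unchecked type assertion, so a non-nil level value of any other type panics the logger in the middle of a scan. The comma-ok form avoids that: `level, ok := i.(string)` followed by `if !ok { level = fmt.Sprint(i) }`. The rewrite also drops the `%-6s` padding of the old format, so the level column no longer lines up; padding before colorizing, `fmt.Sprintf("%-6s", level)`, would keep the alignment. The enclosing `enableGlobalFlags` starts and ends outside this hunk.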
From: breadchris Date: Fri, 17 Dec 2021 00:18:49 -0500 Subject: [PATCH 11/12] global flags are recognized by the cli if they have a name collision in a subcommand Former-commit-id: ccd10e67c422875f26b06fc66b6e45c454327519 Former-commit-id: f40c122d0db30dcca274040469d065033ef7320c --- tools/log4shell/commands/analyze.go | 4 ++-- tools/log4shell/commands/flags.go | 10 ++++----- tools/log4shell/commands/livepatch.go | 4 ++-- tools/log4shell/commands/scan.go | 4 ++-- tools/log4shell/main.go | 32 ++++++++++++++++++++++----- 5 files changed, 38 insertions(+), 16 deletions(-) diff --git a/tools/log4shell/commands/analyze.go b/tools/log4shell/commands/analyze.go index 2af2ee3d7..3c52af1b3 100644 --- a/tools/log4shell/commands/analyze.go +++ b/tools/log4shell/commands/analyze.go @@ -21,8 +21,8 @@ import ( "github.com/urfave/cli/v2" ) -func AnalyzeCommand(c *cli.Context) error { - enableGlobalFlags(c) +func AnalyzeCommand(c *cli.Context, globalBoolFlags map[string]bool) error { + enableGlobalFlags(c, globalBoolFlags) searchDirs := c.Args().Slice() diff --git a/tools/log4shell/commands/flags.go b/tools/log4shell/commands/flags.go index ffd160c8b..569d1b37b 100644 --- a/tools/log4shell/commands/flags.go +++ b/tools/log4shell/commands/flags.go @@ -24,10 +24,11 @@ import ( "os" ) -func enableGlobalFlags(c *cli.Context) { - verbose := c.Bool("verbose") - ignoreWarnings := c.Bool("ignore-warnings") - debug := c.Bool("debug") +func enableGlobalFlags(c *cli.Context, globalBoolFlags map[string]bool) { + verbose := globalBoolFlags["verbose"] + debug := globalBoolFlags["debug"] + jsonFlag := globalBoolFlags["json"] + ignoreWarnings := globalBoolFlags["ignore-warnings"] if verbose || debug { zerolog.SetGlobalLevel(zerolog.DebugLevel) 
@@ -41,7 +42,6 @@ func enableGlobalFlags(c *cli.Context) { log.Logger = log.With().Caller().Logger() } - jsonFlag := c.Bool("json") if !jsonFlag { // pretty print output to the console if we are not interested in parsable output consoleOutput := zerolog.ConsoleWriter{Out: os.Stdout} diff --git a/tools/log4shell/commands/livepatch.go b/tools/log4shell/commands/livepatch.go index 72a017c54..70c4d9a40 100644 --- a/tools/log4shell/commands/livepatch.go +++ b/tools/log4shell/commands/livepatch.go @@ -24,8 +24,8 @@ import ( "github.com/urfave/cli/v2" ) -func LivePatchCommand(c *cli.Context, hotpatchFiles embed.FS) error { - enableGlobalFlags(c) +func LivePatchCommand(c *cli.Context, globalBoolFlags map[string]bool, hotpatchFiles embed.FS) error { + enableGlobalFlags(c, globalBoolFlags) payloadUrl := c.String("payload-url") ldapHost := c.String("ldap-host") diff --git a/tools/log4shell/commands/scan.go b/tools/log4shell/commands/scan.go index 43dd142c4..07d1fa4a2 100644 --- a/tools/log4shell/commands/scan.go +++ b/tools/log4shell/commands/scan.go @@ -47,8 +47,8 @@ func loadHashLookup(log4jLibraryHashes []byte, versionHashes string, onlyScanArc return } -func ScanCommand(c *cli.Context, log4jLibraryHashes []byte) (err error) { - enableGlobalFlags(c) +func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHashes []byte) (err error) { + enableGlobalFlags(c, globalBoolFlags) searchDirs := c.Args().Slice() log.Debug(). diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index 25437a652..2ce352a8f 100644 --- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go 
@@ -28,6 +28,22 @@ func main() { zerolog.SetGlobalLevel(zerolog.InfoLevel) + globalBoolFlags := map[string]bool{ + "verbose": false, + "json": false, + "debug": false, + "ignore-warnings": false, + } + + setGlobalBoolFlags := func(c *cli.Context) error { + for flag := range globalBoolFlags { + if c.IsSet(flag) { + globalBoolFlags[flag] = true + } + } + return nil + } + app := &cli.App{ Name: "log4shell", Usage: "Identify and mitigate the impact of the log4shell (CVE-2021-44228) vulnerability.", @@ -39,6 +55,7 @@ func main() { }, Version: constants.Version, Description: "Identify code dependencies that are vulnerable to the log4shell vulnerability. Read more at https://log4shell.com.", + Before: setGlobalBoolFlags, Flags: []cli.Flag{ &cli.BoolFlag{ Name: "verbose", @@ -55,20 +72,24 @@ func main() { }, Commands: []*cli.Command{ { - Name: "analyze", - Usage: "Scan known vulnerable Log4j dependencies and create a mapping of JndiLookup.class hash to version.", + Name: "analyze", + Usage: "Scan known vulnerable Log4j dependencies and create a mapping of JndiLookup.class hash to version.", + Before: setGlobalBoolFlags, Flags: []cli.Flag{ &cli.StringFlag{ Name: "output", Usage: "File path for where to output findings in JSON format.", }, }, - Action: commands.AnalyzeCommand, + Action: func(c *cli.Context) error { + return commands.AnalyzeCommand(c, globalBoolFlags) + }, }, { Name: "scan", Aliases: []string{"s"}, Usage: "Scan directories, passed as arguments, for archives (.jar, .war) which contain class files that are vulnerable to the log4shell vulnerability.", + Before: setGlobalBoolFlags, Flags: []cli.Flag{ &cli.StringSliceFlag{ Name: "exclude", 
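Review bot: `setGlobalBoolFlags` stores `true` whenever `c.IsSet(flag)` reports the flag as present, so an explicit `--debug=false` or `--ignore-warnings=false` is recorded as enabled. Assigning the parsed value keeps the user's intent: `globalBoolFlags[flag] = c.Bool(flag)` inside the `IsSet` guard. The same closure runs as the app-level `Before` and as each command-level `Before`, so a one-line comment stating which level wins when both set a flag would help the next reader. `main` continues outside this hunk.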
@@ -109,13 +130,14 @@ func main() { }, }, Action: func(c *cli.Context) error { - return commands.ScanCommand(c, log4jLibraryHashes) + return commands.ScanCommand(c, globalBoolFlags, log4jLibraryHashes) }, }, { Name: "livepatch", Aliases: []string{"s"}, Usage: "Perform a live patch of a system by exploiting the log4shell vulnerability for immediate mitigation. The payload executed patches the running process to prevent further payloads from being able to be executed.", + Before: setGlobalBoolFlags, Flags: []cli.Flag{ &cli.StringFlag{ Name: "payload-url", @@ -131,7 +153,7 @@ func main() { }, }, Action: func(c *cli.Context) error { - return commands.LivePatchCommand(c, hotpatchFiles) + return commands.LivePatchCommand(c, globalBoolFlags, hotpatchFiles) }, }, }, From 88ae4ed630cc8513e42b61186531d0eb05aca4d5 Mon Sep 17 00:00:00 2001 From: breadchris Date: Fri, 17 Dec 2021 01:49:02 -0500 Subject: [PATCH 12/12] add --no-follow-symlinks Former-commit-id: b654be545e5641b2335cbe9f7df51c43b433a9d9 Former-commit-id: 32143d07c4a054d619df2c6aafc82540afe999ac --- tools/log4shell/README.md | 7 +++++++ tools/log4shell/commands/analyze.go | 2 +- tools/log4shell/commands/scan.go | 10 ++++++++-- tools/log4shell/main.go | 4 ++++ tools/log4shell/scan/scan.go | 11 +++++++++-- 5 files changed, 29 insertions(+), 5 deletions(-) diff --git a/tools/log4shell/README.md b/tools/log4shell/README.md index 9c486c045..441627c75 100644 --- a/tools/log4shell/README.md +++ b/tools/log4shell/README.md @@ -48,6 +48,13 @@ You can disable these by passing `--ignore-warnings`. $ log4shell scan --ignore-warnings ... ``` +It can be common to run into symlink'ed jar files, and by default they are resolved. To not have this happen +use the `--no-follow-symlinks` flag. + +```shell +$ log4shell scan --no-follow-symlinks ... +``` + You may exclude subdirectories while searching by using `--exclude`. This can be used multiple times in the command to exclude multiple subdirectories. 
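Review bot: The `livepatch` command in this hunk still declares `Aliases: []string{"s"}`, the same alias `scan` declares in the previous hunk, and the commit edits the block without changing it. Which command `log4shell s` runs then depends on lookup order in the CLI library (it appears to take the first match, i.e. `scan`), so the alias is either dead or misleading. Because `livepatch` acts on a remote system, it is safer to give it no short alias or a distinct one, for example `Aliases: []string{"lp"},`.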
diff --git a/tools/log4shell/commands/analyze.go b/tools/log4shell/commands/analyze.go index 3c52af1b3..7ff981706 100644 --- a/tools/log4shell/commands/analyze.go +++ b/tools/log4shell/commands/analyze.go @@ -28,7 +28,7 @@ func AnalyzeCommand(c *cli.Context, globalBoolFlags map[string]bool) error { processArchiveFile := analyze.ProcessArchiveFile - scanner := scan.NewLog4jDirectoryScanner([]string{}, false, processArchiveFile) + scanner := scan.NewLog4jDirectoryScanner([]string{}, false, false, processArchiveFile) scannerFindings := scanner.Scan(searchDirs) diff --git a/tools/log4shell/commands/scan.go b/tools/log4shell/commands/scan.go index 07d1fa4a2..71ea3e881 100644 --- a/tools/log4shell/commands/scan.go +++ b/tools/log4shell/commands/scan.go @@ -23,7 +23,11 @@ import ( "github.com/urfave/cli/v2" ) -func loadHashLookup(log4jLibraryHashes []byte, versionHashes string, onlyScanArchives bool) (hashLookup types.VulnerableHashLookup, err error) { +func loadHashLookup( + log4jLibraryHashes []byte, + versionHashes string, + onlyScanArchives bool, +) (hashLookup types.VulnerableHashLookup, err error) { if versionHashes != "" { hashLookup, err = scan.LoadVersionHashesFromFile(versionHashes) if err != nil { @@ -59,6 +63,7 @@ func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHa onlyScanArchives := c.Bool("archives") excludeDirs := c.StringSlice("exclude") versionHashes := c.String("version-hashes") + noFollowSymlinks := c.Bool("no-follow-symlinks") hashLookup, err := loadHashLookup(log4jLibraryHashes, versionHashes, onlyScanArchives) if err != nil { 
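Review bot: The call `scan.NewLog4jDirectoryScanner([]string{}, false, false, processArchiveFile)` now passes two bare booleans in a row. The constructor in scan/scan.go (later in this patch) takes `onlyScanArchives bool, noFollowSymlinks bool` side by side, so swapping them compiles without complaint; the `ScanCommand` call site has the same shape. Naming the arguments at the call, `/* onlyScanArchives */ false, /* noFollowSymlinks */ false`, or moving the options into a small struct would make a transposition visible in review. `AnalyzeCommand` starts and ends outside the hunk.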
@@ -67,7 +72,8 @@ func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHa processArchiveFile := scan.IdentifyPotentiallyVulnerableFiles(scanLog4j1, hashLookup) - scanner := scan.NewLog4jDirectoryScanner(excludeDirs, onlyScanArchives, processArchiveFile) + scanner := scan.NewLog4jDirectoryScanner( + excludeDirs, onlyScanArchives, noFollowSymlinks, processArchiveFile) scannerFindings := scanner.Scan(searchDirs) diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index 2ce352a8f..f26031856 100644 --- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go @@ -120,6 +120,10 @@ func main() { Name: "ignore-warnings", Usage: "Do not display warnings, only show findings.", }, + &cli.BoolFlag{ + Name: "no-follow-symlinks", + Usage: "Disable the resolution of symlinks while scanning. Note: symlinks might resolve to files outside of the included directories and so this option might be useful if you strictly want to search in said directories.", + }, &cli.BoolFlag{ Name: "json", Usage: "Display findings in json format.", diff --git a/tools/log4shell/scan/scan.go b/tools/log4shell/scan/scan.go index f21d632ad..1238a1b8a 100644 --- a/tools/log4shell/scan/scan.go +++ b/tools/log4shell/scan/scan.go @@ -35,13 +35,20 @@ type Log4jVulnerableDependencyScanner interface { type Log4jDirectoryScanner struct { excludeDirs []string onlyScanArchives bool + noFollowSymlinks bool processArchiveFile types.ProcessArchiveFile } -func NewLog4jDirectoryScanner(excludeDirs []string, onlyScanArchives bool, processArchiveFile types.ProcessArchiveFile) Log4jVulnerableDependencyScanner { +func NewLog4jDirectoryScanner( + excludeDirs []string, + onlyScanArchives bool, + noFollowSymlinks bool, + processArchiveFile types.ProcessArchiveFile, +) Log4jVulnerableDependencyScanner { return &Log4jDirectoryScanner{ excludeDirs: excludeDirs, onlyScanArchives: onlyScanArchives, + noFollowSymlinks: noFollowSymlinks, processArchiveFile: processArchiveFile, } } 
@@ -79,7 +86,7 @@ func (s *Log4jDirectoryScanner) Scan( return } - if info.Mode() & os.ModeSymlink != 0 { + if !s.noFollowSymlinks && info.Mode() & os.ModeSymlink != 0 { // overwrite path and info with the resolved symlink file values path, info, err = util.ResolveSymlinkFilePathAndInfo(path) if err != nil {
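Review bot: With `--no-follow-symlinks` set, the new condition only skips the call to `util.ResolveSymlinkFilePathAndInfo`; the symlink entry still falls through to the file-extension switch below the hunk. If the archive is then opened with a call that follows links (the open is outside this hunk, so this is inferred), a target outside the included directories is scanned anyway, which contradicts the flag's usage text. Returning early for symlinks closes the gap: keep `if info.Mode()&os.ModeSymlink != 0 {` and make `if s.noFollowSymlinks { return }` its first statement. The walk callback begins and ends outside this hunk.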