Skip to content

Commit

Permalink
fix false positive for 2.16.0 and 2.15.0
Browse files Browse the repository at this point in the history
  • Loading branch information
breadchris committed Dec 17, 2021
1 parent 427e491 commit bca9018
Show file tree
Hide file tree
Showing 5 changed files with 126 additions and 228 deletions.
4 changes: 2 additions & 2 deletions tools/log4shell/analyze/analyze.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,14 +83,14 @@ func ProcessArchiveFile(reader io.Reader, filePath, fileName string) (finding *t
versionCve := ""

if isVersionALog4ShellVersion(semverVersion) {
if !strings.Contains(fileName, "JndiLookup.class") {
if !strings.Contains(fileName, "JndiManager.class") {
return
}
versionCve = constants.Log4ShellCve
}

if isVersionACVE202145046Version(semverVersion) {
if !strings.Contains(fileName, "JndiManager$JndiManagerFactory.class") {
if !strings.Contains(fileName, "JndiManager.class") {
return
}
versionCve = constants.CtxCve
Expand Down
2 changes: 1 addition & 1 deletion tools/log4shell/commands/flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ func enableGlobalFlags(c *cli.Context) {
jsonFlag := c.Bool("json")
if !jsonFlag {
// pretty print output to the console if we are not interested in parsable output
consoleOutput := zerolog.ConsoleWriter{Out: os.Stderr}
consoleOutput := zerolog.ConsoleWriter{Out: os.Stdout}
consoleOutput.FormatFieldName = func(i interface{}) string {
return fmt.Sprintf("\n\t%s: ", util.Colorize(constants.ColorBlue, i))
}
Expand Down
37 changes: 6 additions & 31 deletions tools/log4shell/constants/vulnerablehashes.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ package constants
import "github.com/lunasec-io/lunasec/tools/log4shell/types"

var (
NotVulnerable = "Not Vulnerable"
Log4ShellCve = "CVE-2021-44228"
CtxCve = "CVE-2021-45046"
Log4j1RceCve = "CVE-2019-17571"
Expand All @@ -38,37 +39,11 @@ const (
)

// from: https://github.com/hillu/local-log4j-vuln-scanner/blob/master/log4j-vuln-finder.go#L16
var KnownVulnerableClassFileHashes = types.VulnerableHashLookup{
"39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8": { Name: "log4j 2.0-rc1", CVE: Log4ShellCve}, // JndiLookup.class
"a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2": { Name: "log4j 2.0-rc2", CVE: Log4ShellCve}, // JndiLookup.class
"964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e": { Name: "log4j 2.0.1", CVE: Log4ShellCve}, // JndiLookup.class
"9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c": { Name: "log4j 2.0.2", CVE: Log4ShellCve}, // JndiLookup.class
"fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29": { Name: "log4j 2.0", CVE: Log4ShellCve}, // JndiLookup.class
"1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32": { Name: "log4j 2.7-2.8.1", CVE: Log4ShellCve}, // JndiManager.class
"1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de": { Name: "log4j 2.12.0-2.12.1", CVE: Log4ShellCve}, // JndiManager.class
"293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6": { Name: "log4j 2.9.0-2.11.2", CVE: Log4ShellCve}, // JndiManager.class
"3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7": { Name: "log4j 2.4-2.5", CVE: Log4ShellCve}, // JndiManager.class
"6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246": { Name: "log4j 2.6-2.6.2", CVE: Log4ShellCve}, // JndiManager.class
"764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407": { Name: "log4j 2.8.2", CVE: Log4ShellCve}, // JndiManager.class
"77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6": { Name: "log4j 2.14.0-2.14.1", CVE: Log4ShellCve}, // JndiManager.class
"ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c": { Name: "log4j 2.1-2.3", CVE: Log4ShellCve}, // JndiManager.class
"c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078": { Name: "log4j 2.13.0-2.13.3", CVE: Log4ShellCve}, // JndiManager.class

// The following shas for version 2.15 detect a valid but lower level of severity vulnerability, CVE CVE-2021-45046
"84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f" :{ Name:"log4j 2.15.0" , CVE: CtxCve}, // JNDILookup.class

"6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d": { Name: "log4j 1.2.4", CVE: Log4j1RceCve}, // SocketNode.class
"3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0": { Name: "log4j 1.2.6-1.2.9", CVE: Log4j1RceCve}, // SocketNode.class
"bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9": { Name: "log4j 1.2.8", CVE: Log4j1RceCve}, // SocketNode.class
"7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4": { Name: "log4j 1.2.15", CVE: Log4j1RceCve}, // SocketNode.class
"688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46": { Name: "log4j 1.2.16", CVE: Log4j1RceCve}, // SocketNode.class
"8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74": { Name: "log4j 1.2.17", CVE: Log4j1RceCve}, // SocketNode.class
"d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6": { Name: "log4j 1.2.11", CVE: Log4j1RceCve}, // SocketNode.class
"ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a": { Name: "log4j 1.2.5", CVE: Log4j1RceCve}, // SocketNode.class
"f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c": { Name: "log4j 1.2.12", CVE: Log4j1RceCve}, // SocketNode.class
"fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7": { Name: "log4j 1.2.13-1.2.14", CVE: Log4j1RceCve}, // SocketNode.class
"287c1d40f2a4bc0055b32b45f12f01bdc2a27379ec33fe13a084bf69a1f4c6e1": { Name: "log4j 1.2.15.v201012070815", CVE: Log4j1RceCve}, // SocketNode.class
}
// We have previously used these hashes to detect vulnerable libraries, however we now generate library hashes
// to prevent false positives.
// var KnownVulnerableClassFileHashes = types.VulnerableHashLookup{
// ...
// }

// from: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt
var KnownVulnerableArchiveFileHashes = types.VulnerableHashLookup{
Expand Down
Loading

0 comments on commit bca9018

Please sign in to comment.