
Scanner finds 2.15 #305

Merged: 8 commits merged Dec 15, 2021

Conversation

factoidforrest (Contributor)

reports them with lower severity level. This adds a feature but shouldn't break anything, so a minor version change. Also you can put flags AFTER the scan command now; they don't have to be before.

@factoidforrest (Contributor, Author)

#298

@freeqaz (Member) commented Dec 15, 2021

Maybe we should log out the CVE for each severity, also? I feel like that would be the most clear for people trying to get guidance around this.

@freeqaz (Member) commented Dec 15, 2021

I went through and made that change. I think it's clearer for people.

@factoidforrest factoidforrest merged commit 2279eb6 into log4shell-vuln-finder Dec 15, 2021
@factoidforrest factoidforrest deleted the scanner-finds-2.15 branch December 15, 2021 00:46
factoidforrest added a commit that referenced this pull request Dec 21, 2021
* improve lunasec plug

* improve iphone words

* clean up the secondary attack vector explanation

* a word

* update docusaurus to fix blogs and fix the awful looking admonition from beta 12

* clearer warning about dnslog.cn

* remove sentence saying there was no stable release, no longer relevant

* Better CTAs on the page

* Add social info

* Remove random stuff

* Fix example to use log4j2

pedantry: make the example code actually valid log4j2 use, not log4j 1.x

* make demo backend use pm2

* Update 2021-12-09-log4j-zero-day.md

* Slightly improve example code

* log4j download page (#269)

Apache projects' primary approach to releases is to provide downloads via the apache project web sites - not via github.

* update yarn.lock

* Regenerate lockfile, fix CLI arguments for hosted demo

* Disable Nginx volume

* Fix a yarn error

* Fix yarn.lock

* Remove extraneous workdir statement

* Uncomment nginx

* Remove second build step from demo back end build

* Revert build change

* no fork pm2

* switch to pm2-runtime

* change nolookups compatibility

The `nolookups` work-around mentioned only works on versions >= 2.7.

Fixes #274.

* Update log4j post title

* Add log4shell CLI tool

* Fix bad path

* Fix entrypoint for package

* Change version to beta

* Fix script to work with both a specific path or in the current folder

* WIP blog post

* Bump version

* make hash downloading automatic even if not using NPM

* also find war files

* move log4shell to tools

* improve DNS test paragraph

* Update 2021-12-09-log4j-zero-day.md

* more small post edits like date, forrest as an author

* get date out of title because title too long and date updated properly now

* log4shell scanning cli initial commit

* Enabled options for printing out json for parsing results.

* Add option to write outputs to a file.

* update binary name to log4shell

* Write up the rest of the blog post

* when scanning archives, scan nested ones

* Wrap up the Log4Shell Mitigation Guide doc

* More post cleanup

* More post cleanup

* Fix Master CI

* Fix grammar in mitigation guide

* Fix bad link in blog post

* Fix typo

* blog edits to header example

* Add social links and update main Readme

* Remove thank you line

* big mitigation edits

* Add CVE number back to first line of text for SEO

* Content reworking

* Add log4j to first sentence

* few tiny edits

* small edits linking two blog posts together and other nits

* Mitigation edits forrest (#295)

* big mitigation edits

* Add CVE number back to first line of text for SEO

* Content reworking

* Add log4j to first sentence

* few tiny edits

* small edits linking two blog posts together and other nits

Co-authored-by: Free Wortley <free@lunasec.io>

* Adding command for running log4shell hotpatch server. The command brings
up the servers, but they currently do not work.

* fix package mistake

* mention log4j 2.16

* add contact form, what a doozy

* remove bad dep and eslint ignore something

* add mui types

* verbose start in CI

* yarn install

* made bucket script wait for file and brought back the use of a precache container

* switch cli workdir to repo

* Hotpatching works when being tested locally against a vulnerable Spring
server.

* Fix renamed directory

* add warnings about 2.15 and flag

* better warning

* fix typo and add CVE name

* more CVE mentions

* Update 2021-12-09-log4j-zero-day.md

* Update 2021-12-09-log4j-zero-day.md

* fix english (#304)

* Add new blog post on 2nd log4j vulnerability

* update Log4ShellHotpatch

* Add updated dates

* Add disclaimer about log format still being vulnerable

* Add disclaimer about log format still being vulnerable

* Added post content for follow up CVE under certain circumstances

* Update times in doc

* Scanner finds 2.15 (#305)

* first draft of adding severity rating to vulns

* duplicate flags onto scan command because it's more natural UX

* added 2.15 hashes and confirmed they work

* Update vulnerablehashes.go

* Update vulnerablehashes.go

* Severity 9.8 for log4j v1 vulns

* Swap from Severity to CVE

* put severity back in

Co-authored-by: Johnathan Free Wortley <free@lunasec.io>

* Cleanup content

* update some wording in the blog post

* blog mentions hot patch cli

* Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx

* Change links to the generic Releases page

* print payload string from CLI

* prettier output

* bump version

* make goreleaser just do binaries

* added more options to the hotpatch server and added a landing page

* update hotpatch server to have more descriptive text

* Update Patch section with new notes

* Update timestamps

* Wordsmithing

* add live patch blog post

* Fix image links to be persistent

* Fix image link for bad image also

* Fix bad image links by using MDX syntax instead

* change dependency to not panic

* bump version of log4shell cli

* add docker-compose and update readme with some commands

* update blog posts

* Blog post updates

* Fix formatting

* Tweaks

* fix typo

* scan library before browsing it

* Fix some typos

* Better phrasing

* feat: scan into zip archives in addition to jar+war

* script for downloading all log4j versions

* try again in CI

* add payload url to the print out in the cli

* update blog post to fix changes suggested in issues

* CLI UX improvements and more legalish warnings

* use webarchive to reference zero day tweet

* increase max mocked s3 body size in nginx for live demo

* fix nginx args

* Basic technical analysis of the Log4Shell exploit

* pull all maven and apache versions of log4j

* update blog to include java decomp

* log4shell and 2.15.0 cves are distinct in findings now

* bump version

* add zip and ear extensions to allow deep scans

* include 1.2.17 in scanning log4j1

* bump version

* bump cli version to 1.3.2

* warning about virus scanners in blog post

* resolve symlinks while scanning

* switch all logs to stdout and prettier formatting for scan results

* Add links back to other posts

* slightly better log level printing

* Add links to other blog posts and update phrasing

* update CTA size

* Add FUNDING.yml file for GitHub Sponsors

* Update README.md

* add manual releasing instructions

* fix false positive for 2.16.0 and 2.15.0

* analyzer has better semver version checking

* improve log colors

* version change is more than a patch, version should reflect this

* global flags are recognized by the cli if they have a name collision in
a subcommand

* create blog post discussing follow up issues for cve

* add --no-follow-symlinks

* increase severity of cve-2021-45046 finding

* add details about the latest updates about the log4shell cves

* update date

* Fix bug in the new CVSS post

* One more change

* Add bypass payload to post

* Fix bad date

* Update issue templates

* broken symlinks no longer stop scanning

* bump version

* WIP OSS patching blog post (#348)

* WIP OSS patching blog post

* small post edits

* oss patching blog post drafted

* update date and truncate

* get license out of PR template and add to ignore file

* explain more why people need to know to security patch

* update intro wording

* edits to include GitHub's tooling

* more credit to google

* nits

* change a link

Co-authored-by: breadchris <chris@lunasec.io>

* typo 'and' should be 'an'

* update guidance to use 2.17.0

* Update guidance across all posts

* better osx instructions

* Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx

* Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx

* Update the malicious links to be our domain everywhere

* close read which is left open

* fix admonitions

* yarn stuff

* include more install steps in the precache

* stop demo back end from starting prematurely

* delete &&, it wasn't needed

* rename integration test workflow to just test

Co-authored-by: Forrest <forrest@lunasec.io>
Co-authored-by: Stu Tomlinson <stu@nosnilmot.com>
Co-authored-by: Moya <moya@asofterspace.com>
Co-authored-by: PJ Fanning <pjfanning@users.noreply.github.com>
Co-authored-by: Thompson, Brian <foss.systems@icloud.com>
Co-authored-by: breadchris <chris@lunasec.io>
Co-authored-by: Sebastian Lövdahl <slovdahl@hibox.fi>
Co-authored-by: Pascal Verdage <pascal.verdage@sgcib.com>
Co-authored-by: Dan Hoizner <dan.hoizner@collibra.com>
Co-authored-by: Alex Collignon <colligno@adobe.com>
Co-authored-by: Forrest <light24bulbs@gmail.com>
Co-authored-by: Tobi Lehman <mail@tobilehman.com>
ajvpot pushed a commit that referenced this pull request Dec 16, 2022
ajvpot pushed a commit that referenced this pull request Dec 17, 2022
ajvpot pushed a commit that referenced this pull request Dec 17, 2022