diff --git a/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx b/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx index fb60dde9f..bb21cee14 100644 --- a/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx +++ b/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx 
@@ -62,86 +62,51 @@ primarily Java, but other languages like Scala, Groovy, or Clojure are also impa ### Automatically Scanning Your Package -We've built a command line utility that can check `.jar` and `.war` files in your project directory and report if any are vulnerable. -It works by scanning for hashes of [known vulnerable log4j classes](https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes). -If you have a vulnerable version of a log4j in your built Java project, the hash will match a one -of the hashes in the list. +We've built a cross-platform command line utility that can check your project's dependencies and report if any are vulnerable. +It works by scanning for class files which belong to a known vulnerable Log4j version. The library versions our scanner identifies +[is kept up to date](https://github.com/lunasec-io/lunasec/blob/master/tools/log4shell/log4j-library-hashes.json) with all +known information about known Log4j CVEs. If you use another scanner to scan your project, be aware +that it might not identify all known vulnerable versions. We have seen scanners which are not complete in their scanning and +can leave you vulnerable. -**[Download from GitHub](https://github.com/lunasec-io/lunasec/releases/)** +**Download our `log4shell` scanner from [GitHub](https://github.com/lunasec-io/lunasec/releases/)** -_Make sure you download the right version for your Operating System and CPU architecture._ Once downloaded, you can extract -it and run the `log4shell` command in your terminal. The tool can scan individual files or whole directories. +_Make sure you download the right version for your Operating System and CPU architecture._ Once downloaded, run the `log4shell` +command in your terminal. The tool can scan individual files or whole directories. 
- - -**Linux** -```shell title="Example Linux Command" +```shell title="Linux and OSX" log4shell scan your-project-dir/ ``` -**OSX** -```shell title="Example OSX Commands" -# Replace `` with your path, eg: `~/Downloads` -cp /log4shell_1.4.1-log4shell_Darwin_x86_64 /usr/local/bin/log4shell -chmod +x /usr/local/bin/log4shell -log4shell scan your-project-dir -``` - -**Windows** -```shell title="Example Windows Command" +```shell title="Windows" log4shell.exe scan your-project-dir/ ``` + Because the tool contains exploit strings needed for the `livepatch` command, it might be falsely recognized as malware by some virus scanners on Windows. Please add an exception for it. -**Example Output** +**Scan a directory** ```shell -8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$1.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.8.2-2.12.0" +$ log4shell scan test/vulnerable-log4j2-versions/apache +5:26AM Scan Result: Identified vulnerable path + cve: CVE-2021-44228 + fileName: org/apache/logging/log4j/core/lookup/JndiLookup.class + hash: 39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8 + path: test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar + severity: 10.0 + versionInfo: "2.0.0-beta9, 2.0.0-rc1" ``` -Here is the help text: -```shell -$ log4shell -NAME: - log4shell - A new cli application - -USAGE: - log4shell [global options] command [command options] [arguments...] - -VERSION: - 1.0.0 - -DESCRIPTION: - Identify code dependencies that are vulnerable to the log4shell vulnerability. Read more at log4shell.com. -COMMANDS: - scan, s Scan directories, passed as arguments, for archives (.jar, .war) which contain class files that are vulnerable to the log4shell vulnerability. 
- help, h Shows a list of commands or help for one command - -GLOBAL OPTIONS: - --verbose Display verbose information when running commands. (default: false) - --json Display findings in json format. (default: false) - --debug Display helpful information while debugging the CLI. (default: false) - --help, -h show help (default: false) - --version, -v print the version (default: false) -``` - -**Scanning a Java JAR file (vulnerable log4j detected)** -```shell -$ log4shell scan your-java-project.jar -8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$1.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.8.2-2.12.0" -8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/pattern/MessagePatternConverter.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12" -8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12.0-2.12.1" -8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12.0-2.12.1" -8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$1.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.8.2-2.12.0" -8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/pattern/MessagePatternConverter.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12" -8:08AM INF 
identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12.0-2.12.1" -8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12.0-2.12.1" -``` - -**Installing the Package on *nix systems (optional)** +**Scan a specific Java JAR file** ```shell -$ sudo cp log4shell /usr/local/bin -$ log4shell +$ log4shell scan test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar +5:28AM Scan Result: Identified vulnerable path + cve: CVE-2021-44228 + fileName: org/apache/logging/log4j/core/net/JndiManager.class + hash: 77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6 + path: test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar + severity: 10.0 + versionInfo: "2.14.0, 2.14.1" ``` :::note @@ -253,13 +218,9 @@ default and removes the message lookup feature. We recommend you upgrade, if possible. For most people, this is the final and correct solution to the issue. -:::caution Version 2.15.0 still may be vulnerable -Log4j version `2.15.0` which was previously thought to be secure has been found to still have a [limited vulnerability](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f), -that could result in a DOS (but not RCE), users must update to `>= 2.16.0`. -::: - :::caution Version 2.16.0 vulnerable to DOS If you have updated Log4j to version `2.16.0`, a Denial of Service (DOS) attack is still present in [certain logging circumstances](https://logging.apache.org/log4j/2.x/security.html). +Please update to `>=2.17.0` ::: ### Option 2: Enable `formatMsgNoLookups` 
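Review bot: the added paragraph in the `@@ -62,86 +62,51 @@` hunk has a subject-verb mismatch and a doubled word: "The library versions our scanner identifies [is kept up to date](...) with all known information about known Log4j CVEs" should read "are kept up to date with all known information about Log4j CVEs". The same hunk drops the OSX `cp ... /usr/local/bin/log4shell` and `chmod +x` install steps, while the replacement sentence only says "Once downloaded, run the `log4shell` command in your terminal"; a freshly downloaded release binary is neither on PATH nor necessarily executable, so either keep a one-line install step or state that the command is run from the download directory (`./log4shell scan your-project-dir/`). Finally, the removed help text was the only place the `--json` flag ("Display findings in json format") was documented; if the flag still exists, mention it next to the new "Scan a directory" sample so people wiring the scanner into CI can find it.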
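Review bot: in the `@@ -253,13 +218,9 @@` hunk, deleting the whole 2.15.0 caution loses the statement that `2.15.0` is itself still vulnerable, and the surviving admonition is titled "Version 2.16.0 vulnerable to DOS", so a reader on 2.15.0 no longer gets a direct warning. Suggest widening the remaining admonition to cover both, e.g. `:::caution Versions 2.15.0 and 2.16.0 vulnerable to DOS`, and ending the new sentence with a period: "Please update to `>=2.17.0`."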
diff --git a/tools/log4shell/Dockerfile b/tools/log4shell/Dockerfile index a9d62947f..2623480cb 100644 --- a/tools/log4shell/Dockerfile +++ b/tools/log4shell/Dockerfile @@ -14,7 +14,7 @@ WORKDIR /build COPY . /build COPY --from=java-build /build/hotpatch-payload/target/classes/Log4ShellHotpatch.class /build -RUN go build -o log4shell . +RUN CGO_ENABLED=0 go build -o log4shell . FROM alpine
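Review bot: the switch to `CGO_ENABLED=0` on the `RUN go build` line is the right fix for the `FROM alpine` runtime stage visible in the trailing context (a cgo-linked binary produced in a glibc-based builder does not start on musl-based Alpine), but nothing in the hunk records that reason; add a short comment above the `RUN` line, e.g. `# Build a static binary: the final stage is alpine (musl), which has no glibc`, so the setting is not removed by a later cleanup.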