update wording in blog to be more clear that the cli is not an archive #386

Merged
merged 2 commits into from
Dec 27, 2021
101 changes: 31 additions & 70 deletions docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx
@@ -62,86 +62,51 @@ primarily Java, but other languages like Scala, Groovy, or Clojure are also impa

### Automatically Scanning Your Package

We've built a command line utility that can check `.jar` and `.war` files in your project directory and report if any are vulnerable.
It works by scanning for hashes of [known vulnerable log4j classes](https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes).
If you have a vulnerable version of a log4j in your built Java project, the hash will match a one
of the hashes in the list.
We've built a cross-platform command line utility that can check your project's dependencies and report if any are vulnerable.
It works by scanning for class files which belong to a known vulnerable Log4j version. The library versions our scanner identifies
[is kept up to date](https://github.com/lunasec-io/lunasec/blob/master/tools/log4shell/log4j-library-hashes.json) with all
known information about known Log4j CVEs. If you use another scanner to scan your project, be aware
that it might not identify all known vulnerable versions. We have seen scanners which are not complete in their scanning and
can leave you vulnerable.

**[Download from GitHub](https://github.com/lunasec-io/lunasec/releases/)**
**Download our `log4shell` scanner from [GitHub](https://github.com/lunasec-io/lunasec/releases/)**

_Make sure you download the right version for your Operating System and CPU architecture._ Once downloaded, you can extract
it and run the `log4shell` command in your terminal. The tool can scan individual files or whole directories.
_Make sure you download the right version for your Operating System and CPU architecture._ Once downloaded, run the `log4shell`
command in your terminal. The tool can scan individual files or whole directories.



**Linux**
```shell title="Example Linux Command"
```shell title="Linux and OSX"
log4shell scan your-project-dir/
```

**OSX**
```shell title="Example OSX Commands"
# Replace `<PATH_ON_YOUR_MACHINE>` with your path, eg: `~/Downloads`
cp <PATH_ON_YOUR_MACHINE>/log4shell_1.4.1-log4shell_Darwin_x86_64 /usr/local/bin/log4shell
chmod +x /usr/local/bin/log4shell
log4shell scan your-project-dir
```

**Windows**
```shell title="Example Windows Command"
```shell title="Windows"
log4shell.exe scan your-project-dir/
```

Because the tool contains exploit strings needed for the `livepatch` command, it might be falsely recognized as malware by some
virus scanners on Windows. Please add an exception for it.

**Example Output**
**Scan a directory**
```shell
8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$1.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.8.2-2.12.0"
$ log4shell scan test/vulnerable-log4j2-versions/apache
5:26AM Scan Result: Identified vulnerable path
cve: CVE-2021-44228
fileName: org/apache/logging/log4j/core/lookup/JndiLookup.class
hash: 39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8
path: test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar
severity: 10.0
versionInfo: "2.0.0-beta9, 2.0.0-rc1"
```
Here is the help text:
```shell
$ log4shell
NAME:
log4shell - A new cli application

USAGE:
log4shell [global options] command [command options] [arguments...]

VERSION:
1.0.0

DESCRIPTION:
Identify code dependencies that are vulnerable to the log4shell vulnerability. Read more at log4shell.com.

COMMANDS:
scan, s Scan directories, passed as arguments, for archives (.jar, .war) which contain class files that are vulnerable to the log4shell vulnerability.
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--verbose Display verbose information when running commands. (default: false)
--json Display findings in json format. (default: false)
--debug Display helpful information while debugging the CLI. (default: false)
--help, -h show help (default: false)
--version, -v print the version (default: false)
```

**Scanning a Java JAR file (vulnerable log4j detected)**
```shell
$ log4shell scan your-java-project.jar
8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$1.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.8.2-2.12.0"
8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/pattern/MessagePatternConverter.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12"
8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12.0-2.12.1"
8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-rest-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12.0-2.12.1"
8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$1.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.8.2-2.12.0"
8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/pattern/MessagePatternConverter.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12"
8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12.0-2.12.1"
8:08AM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager.class path=test/struts-2.5.28-all/struts-2.5.28/apps/struts2-showcase.war::WEB-INF/lib/log4j-core-2.12.1.jar versionInfo="log4j 2.12.0-2.12.1"
```

**Installing the Package on *nix systems (optional)**
**Scan a specific Java JAR file**
```shell
$ sudo cp log4shell /usr/local/bin
$ log4shell
$ log4shell scan test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar
5:28AM Scan Result: Identified vulnerable path
cve: CVE-2021-44228
fileName: org/apache/logging/log4j/core/net/JndiManager.class
hash: 77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6
path: test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar
severity: 10.0
versionInfo: "2.14.0, 2.14.1"
```

:::note
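Review bot: the new install wording ("Once downloaded, run the `log4shell` command in your terminal") together with the merged "Linux and OSX" block drops the `cp ... /usr/local/bin/log4shell` and `chmod +x` steps the old OSX block carried, but a fresh release download on Linux or macOS is a file named like `log4shell_1.4.1-log4shell_Darwin_x86_64`, is not on PATH and is not executable, so `log4shell scan your-project-dir/` as shown will fail with "command not found". Suggest keeping one line before the example, e.g. `chmod +x log4shell_* && sudo mv log4shell_* /usr/local/bin/log4shell`, or showing the invocation as `./log4shell_<version>_<OS>_<arch> scan your-project-dir/`. Two smaller points in the same hunk: the Windows antivirus false-positive caveat is deleted, yet the Dockerfile change in this PR still copies `Log4ShellHotpatch.class` into the Go build, so the reason for that warning has not gone away and it should stay; and "The library versions our scanner identifies [is kept up to date]" should read "are kept up to date".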
@@ -253,13 +218,9 @@ default and removes the message lookup feature.

We recommend you upgrade, if possible. For most people, this is the final and correct solution to the issue.

:::caution Version 2.15.0 still may be vulnerable
Log4j version `2.15.0` which was previously thought to be secure has been found to still have a [limited vulnerability](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f),
that could result in a DOS (but not RCE), users must update to `>= 2.16.0`.
:::

:::caution Version 2.16.0 vulnerable to DOS
If you have updated Log4j to version `2.16.0`, a Denial of Service (DOS) attack is still present in [certain logging circumstances](https://logging.apache.org/log4j/2.x/security.html).
Please update to `>=2.17.0`
:::

### Option 2: Enable `formatMsgNoLookups`
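Review bot: deleting the 2.15.0 caution removes the only statement that 2.15.0 is itself affected, and the caution that survives is addressed only to readers who "have updated Log4j to version `2.16.0`", so someone still on 2.15.0 is no longer told to move. Suggest widening the remaining block instead, e.g. title "Versions 2.15.0 and 2.16.0 vulnerable to DoS" with body "If you are on `2.15.0` or `2.16.0`, a Denial of Service (DoS) is still possible in certain logging circumstances; update to `>= 2.17.0`." While there, "DOS" should be "DoS" and `>=2.17.0` should be spaced like the `>= 2.16.0` form used elsewhere in the post.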
2 changes: 1 addition & 1 deletion tools/log4shell/Dockerfile
@@ -14,7 +14,7 @@ WORKDIR /build
COPY . /build
COPY --from=java-build /build/hotpatch-payload/target/classes/Log4ShellHotpatch.class /build

RUN go build -o log4shell .
RUN CGO_ENABLED=0 go build -o log4shell .

FROM alpine
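Review bot: `CGO_ENABLED=0` is the right fix for running the binary in the `alpine` stage (a cgo-enabled build is dynamically linked against the builder image's libc and will not start on musl), but once the binary is fully static the runtime image no longer needs alpine at all; consider `FROM scratch` or a distroless base, and in either case pin the tag, since `FROM alpine` floats to whatever is current at build time and makes releases of a security scanner non-reproducible. If alpine is kept for a shell, `CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o log4shell .` would also strip build paths and symbols from the shipped artifact.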
