Failing to detect nested log4j 2.12.1 in scanner versions >= 2.3.0
One of my users came to me after they discovered that a recent version of the scanner no longer detected a vulnerable file with a nested log4j 2.12.1.
I took the time to write a test suite, and ran it against all of the releases in this repo. Versions up to release 2.2.2 correctly identify this jar as vulnerable, versions 2.3.0 and higher do not catch it.
Release 2.5.3:
» java -jar scanner/v2.5.3/jar/logpresso-log4j2-scan-2.5.3.jar --trace --debug ./nested-log4j-2.12.1-ingoperations
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: ./nested-log4j-2.12.1-ingoperations
Scanning directory: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations
Scanning file: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/ingoperations.jar
Scanned 1 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.01 seconds
Release 2.2.2:
» java -jar scanner/v2.2.2/jar/logpresso-log4j2-scan-2.2.2.jar --trace --debug ./nested-log4j-2.12.1-ingoperations
Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
Scanning directory: ./nested-log4j-2.12.1-ingoperations
Scanning directory: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations
Scanning file: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/ingoperations.jar
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/ingoperations.jar (BOOT-INF/lib/log4j-core-2.12.1.jar), log4j 2.12.1
Scanned 1 directories and 1 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.55 seconds
Here’s the relevant bit from jar tvf:
» jar tvf ingoperations.jar | grep -i log4j
406 Thu Jun 11 12:39:42 PDT 2020 BOOT-INF/lib/spring-boot-starter-log4j2-2.2.8.RELEASE.jar
23518 Tue Aug 06 20:47:38 PDT 2019 BOOT-INF/lib/log4j-slf4j-impl-2.12.1.jar
276771 Tue Aug 06 20:43:52 PDT 2019 BOOT-INF/lib/log4j-api-2.12.1.jar
1674433 Tue Aug 06 20:45:42 PDT 2019 BOOT-INF/lib/log4j-core-2.12.1.jar
If I expand the jar file, log4j gets detected:
Release 2.5.3:
» java -jar scanner/v2.5.3/jar/logpresso-log4j2-scan-2.5.3.jar ./nested-log4j-2.12.1-ingoperations/expanded
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: ./nested-log4j-2.12.1-ingoperations/expanded
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/expanded/BOOT-INF/lib/log4j-core-2.12.1.jar, log4j 2.12.1
Scanned 20 directories and 136 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.52 seconds
Release 2.2.2:
» java -jar scanner/v2.2.2/jar/logpresso-log4j2-scan-2.2.2.jar ./nested-log4j-2.12.1-ingoperations/expanded
Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
Scanning directory: ./nested-log4j-2.12.1-ingoperations/expanded
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/expanded/BOOT-INF/lib/log4j-core-2.12.1.jar, log4j 2.12.1
Scanned 20 directories and 136 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.08 seconds
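The nested-jar case this report is about, as a minimal scanner in Python (an added example, not the logpresso scanner's own code): it recurses into archives found inside an archive, identifies log4j-core by its Maven pom.properties, and reports it as mitigated when JndiLookup.class has been removed. The sample fat jar is constructed in memory to mirror the BOOT-INF/lib layout shown by jar tvf above; the class bytes are dummies.

```python
import io
import zipfile

# pom.properties identifies log4j-core; a missing JndiLookup.class is the "mitigated" state.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")

def zip_bytes(entries: dict) -> bytes:
    """Build an in-memory zip/jar from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()

def build_sample_fat_jar() -> bytes:
    """Constructed stand-in for ingoperations.jar: a Spring Boot fat jar that
    nests log4j-core-2.12.1.jar under BOOT-INF/lib (class bytes are dummies)."""
    core = zip_bytes({
        JNDI: b"\xca\xfe\xba\xbe",
        POM: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.12.1\n",
    })
    return zip_bytes({
        "BOOT-INF/lib/log4j-api-2.12.1.jar": zip_bytes({}),
        "BOOT-INF/lib/log4j-core-2.12.1.jar": core,
    })

def scan_archive(data: bytes, path: str, findings: list = None) -> list:
    """Scan one archive and recurse into every archive nested inside it."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM in names:
            props = dict(ln.split("=", 1) for ln in zf.read(POM).decode().splitlines() if "=" in ln)
            status = "vulnerable" if JNDI in names else "mitigated"
            findings.append((path, props.get("version", "unknown"), status))
        for name in sorted(names):  # recurse into nested jars: the case this report is about
            if name.lower().endswith(NESTED):
                scan_archive(zf.read(name), f"{path} ({name})", findings)
    return findings

if __name__ == "__main__":
    for path, version, status in scan_archive(build_sample_fat_jar(), "ingoperations.jar"):
        print(f"[*] log4j-core {version} {status} in {path}")
```

Version triage (which releases actually fixed CVE-2021-44228 and CVE-2021-45046) is deliberately left out; the point here is that the nested archive is opened at all.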
Issue Analytics
- Created 2 years ago
- Comments: 7 (4 by maintainers)
Top GitHub Comments
Ran my test suite against this version and it passed every single test. Bravo!
@adammike Thank you for file sharing again. The file was crucial for debugging. 😄