
Failing to detect nested log4j 2.12.1 in scanner versions >= 2.3.0


One of my users came to me after they discovered that a recent version of the scanner no longer detected a vulnerable file with a nested log4j 2.12.1.

I took the time to write a test suite, and ran it against all of the releases in this repo. Versions up to release 2.2.2 correctly identify this jar as vulnerable, versions 2.3.0 and higher do not catch it.

Release 2.5.3:

» java -jar scanner/v2.5.3/jar/logpresso-log4j2-scan-2.5.3.jar --trace --debug ./nested-log4j-2.12.1-ingoperations
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: ./nested-log4j-2.12.1-ingoperations
Scanning directory: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations
Scanning file: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/ingoperations.jar

Scanned 1 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.01 seconds

Release 2.2.2:

» java -jar scanner/v2.2.2/jar/logpresso-log4j2-scan-2.2.2.jar --trace --debug ./nested-log4j-2.12.1-ingoperations
Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
Scanning directory: ./nested-log4j-2.12.1-ingoperations
Scanning directory: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations
Scanning file: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/ingoperations.jar
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/ingoperations.jar (BOOT-INF/lib/log4j-core-2.12.1.jar), log4j 2.12.1

Scanned 1 directories and 1 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.55 seconds

Here’s the relevant bit from jar tvf:

» jar tvf ingoperations.jar | grep -i log4j
   406 Thu Jun 11 12:39:42 PDT 2020 BOOT-INF/lib/spring-boot-starter-log4j2-2.2.8.RELEASE.jar
 23518 Tue Aug 06 20:47:38 PDT 2019 BOOT-INF/lib/log4j-slf4j-impl-2.12.1.jar
276771 Tue Aug 06 20:43:52 PDT 2019 BOOT-INF/lib/log4j-api-2.12.1.jar
1674433 Tue Aug 06 20:45:42 PDT 2019 BOOT-INF/lib/log4j-core-2.12.1.jar

If I expand the jar file, log4j gets detected:

Release 2.5.3:

» java -jar scanner/v2.5.3/jar/logpresso-log4j2-scan-2.5.3.jar ./nested-log4j-2.12.1-ingoperations/expanded
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: ./nested-log4j-2.12.1-ingoperations/expanded
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/expanded/BOOT-INF/lib/log4j-core-2.12.1.jar, log4j 2.12.1

Scanned 20 directories and 136 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.52 seconds

Release 2.2.2:

» java -jar scanner/v2.2.2/jar/logpresso-log4j2-scan-2.2.2.jar ./nested-log4j-2.12.1-ingoperations/expanded
Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
Scanning directory: ./nested-log4j-2.12.1-ingoperations/expanded
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/expanded/BOOT-INF/lib/log4j-core-2.12.1.jar, log4j 2.12.1

Scanned 20 directories and 136 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.08 seconds
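The detection gap in the report is a nested-archive problem: the vulnerable log4j-core-2.12.1.jar sits inside BOOT-INF/lib of a Spring Boot fat jar, so a scanner that only looks at top-level files misses it. As an added illustration (not code from the issue or from the logpresso project), the Python below walks a jar held in memory, recurses into every nested jar/war/ear, reads the log4j-core version from its Maven pom.properties, and classifies it as vulnerable or mitigated depending on whether JndiLookup.class is still present, mirroring the categories in the scanner's summary. The sample fat jar it scans is constructed inline; the version range and the two patched backports (2.12.2, 2.3.1) are from the public CVE-2021-44228 advisories.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_BACKPORTS = {"2.12.2", "2.3.1"}  # patched releases that sit below 2.15.0


def is_vulnerable_version(version):
    """CVE-2021-44228 affects log4j-core 2.x below 2.15.0, minus the backports.
    Pre-release suffixes are ignored, so 2.0-beta1..8 are flagged too (conservative)."""
    nums = tuple(int(re.match(r"\d*", p).group() or 0) for p in version.split(".")[:3])
    nums = nums + (0,) * (3 - len(nums))
    return (2, 0, 0) <= nums < (2, 15, 0) and version not in FIXED_BACKPORTS


def scan_archive(data, path, findings, depth=0, max_depth=8):
    """Inspect one archive (bytes) and recurse into every nested jar/war/ear it carries.
    Appends (path chain, version, status) tuples to findings and returns the list."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip: skip it rather than abort the whole scan
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        version = next((l.split("=", 1)[1].strip() for l in props.splitlines()
                        if l.startswith("version=")), None)
        if version and is_vulnerable_version(version):
            # the recommended mitigation deletes JndiLookup.class from the jar
            status = "vulnerable" if JNDI_LOOKUP in names else "mitigated"
            findings.append((path, version, status))
    if depth < max_depth:  # bounded recursion guards against self-nesting archives
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                scan_archive(zf.read(name), f"{path} ({name})", findings, depth + 1, max_depth)
    return findings


def build_sample_jar(version="2.12.1", with_jndi=True):
    """Constructed test input: a Spring Boot style outer jar nesting log4j-core in BOOT-INF/lib."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not a real class
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("BOOT-INF/classes/application.properties", "app=demo\n")
        z.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", inner.getvalue())
    return outer.getvalue()
```

Running `scan_archive(build_sample_jar(), "ingoperations.jar", [])` reports the nested log4j-core-2.12.1.jar as vulnerable, the same finding the 2.2.2 scanner prints above.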

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments:7 (4 by maintainers)

Top GitHub Comments

1 reaction
adammike commented, Dec 22, 2021

Ran my test suite against this version and it passed every single test. Bravo!

0 reactions
xeraph commented, Dec 23, 2021

@adammike Thank you for file sharing again. The file was crucial for debugging. 😄

