
Simple test using sample files outputs no status

Open donmontalvo opened this issue 3 years ago • 10 comments

Testing sample files, getting strange "Not actually a zip!?! (no magic number)" line endings instead of status:

testuser:log4j-detector testuser$ java -jar log4j-detector-2021.12.20.jar ./test-files/
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-1.1.3.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-1.2.17.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.0-beta2.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.0-beta9.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.10.0.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.10.0.zip - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.15.0.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.9.1.jar - Not actually a zip!?! (no magic number)
-- No vulnerable Log4J 2.x samples found in supplied paths: [./test-files/]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046 ! :-)
testuser:log4j-detector testuser$

donmontalvo avatar Dec 22 '21 02:12 donmontalvo

How did you get the test-files?

I am maintaining a collection of test-files here, too, by the way: https://github.com/mergebase/log4j-samples

juliusmusseau avatar Dec 22 '21 09:12 juliusmusseau

Downloaded from your repo. :)

donmontalvo avatar Dec 22 '21 13:12 donmontalvo

@donmontalvo Can you provide some more information about your setup? I can't reproduce this with either 2021.12.20 or 2021.12.22.

$ git clone https://github.com/mergebase/log4j-samples.git
$ java -jar log4j-detector-2021.12.20.jar log4j-samples/
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
/tmp/log4j-samples/false-hits/exploded/2.12.2/org/apache/logging/log4j contains Log4J-2.x   >= 2.12.2 _SAFE_
/tmp/log4j-samples/false-hits/log4j-core-2.12.2.jar contains Log4J-2.x   >= 2.12.2 _SAFE_
/tmp/log4j-samples/false-hits/log4j-core-2.16.0.jar contains Log4J-2.x   == 2.16.0 _OKAY_
/tmp/log4j-samples/old-hits/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_
/tmp/log4j-samples/old-hits/log4j-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_
/tmp/log4j-samples/old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.x   <= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)
/tmp/log4j-samples/true-hits/exploded/2.12.1/org/apache/logging/log4j contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.10.0.zip contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.15.0.jar contains Log4J-2.x   == 2.15.0 _OKAY_
/tmp/log4j-samples/true-hits/log4j-core-2.9.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
/tmp/log4j-samples/true-hits/shaded/clt-1.0-SNAPSHOT.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.zip!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/uber/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_

rgmz avatar Dec 22 '21 17:12 rgmz

Did you click on them before downloading them?

I've noticed a problem with Github where people right-click the "file-1.2.3.jar" links like this: "https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar". It seems to download as a jar file, but it's not. It's an html file.

It's important when downloading to make sure the URL has the word "/raw/" in it, like so:

https://github.com/mergebase/log4j-samples/raw/master/true-hits/log4j-core-2.15.0.jar

juliusmusseau avatar Dec 22 '21 17:12 juliusmusseau

I've noticed a problem with Github where people right-click download links like this: "https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar". It seems to download as a jar file, but it's not. It's an html file.

I think you're right:

$ java -jar log4j-detector-2021.12.20.jar log4j-core-2.15.0.jar 
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Problem: /tmp/log4j-core-2.15.0.jar - Not actually a zip!?! (no magic number)
-- No vulnerable Log4J 2.x samples found in supplied paths: [log4j-core-2.15.0.jar]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046 !  :-) 

rgmz avatar Dec 22 '21 17:12 rgmz

I always click the URL to be taken to the downloadable jar file. No different from what I did with previous versions. Seems to be working now.

donmontalvo avatar Dec 22 '21 23:12 donmontalvo

Spoke too soon. It's giving strange output on ZIP files.

image

donmontalvo avatar Dec 22 '21 23:12 donmontalvo

Spoke too soon. It's giving strange output on ZIP files.

I think that's related to #56

rgmz avatar Dec 22 '21 23:12 rgmz

Try right-click downloading this: https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar (it will be corrupt).

Whereas if you left-click on it, you arrive here:

jar

From there you can right-click the little [Download] button on the far right, and then it works.

Are you able to open up the corrupt files you downloaded using zip? Or "vi" (which should show html). Or hexdump?

juliusmusseau avatar Dec 22 '21 23:12 juliusmusseau
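The two checks suggested in this thread (use the /raw/ URL when downloading, and look at the first bytes of the file with hexdump to see whether it is a ZIP or an HTML page) can be scripted. The following is an added example, not code from log4j-detector or log4j-samples: it rewrites a GitHub /blob/ link to its /raw/ form, reads the first four bytes of a file, and reports whether they are the ZIP local-file-header signature (50 4b 03 04, i.e. "PK\003\004") or the start of an HTML document, which is what the detector's "Not actually a zip!?! (no magic number)" message means. The sample files it creates under a temporary directory are constructed for the demonstration and are not real jars.

```shell
#!/bin/sh
# Added example (not part of log4j-detector or log4j-samples): tell a real
# .jar/.zip apart from an HTML page saved from a GitHub /blob/ URL.

# First four bytes of a file as lowercase hex, e.g. "504b0304" for a ZIP.
magic_hex() {
    dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Rewrite a GitHub /blob/ link into the /raw/ link that serves the file bytes.
raw_url() {
    printf '%s\n' "$1" | sed 's#/blob/#/raw/#'
}

# Prints a one-line verdict. Returns 0 for a ZIP archive, 1 for HTML
# (the "Not actually a zip" case from the thread), 2 for anything else.
check_archive() {
    sig=$(magic_hex "$1")
    case "$sig" in
        504b0304)
            echo "$1: ZIP archive (starts with PK 03 04, local file header)"
            return 0 ;;
        504b0506)
            echo "$1: empty ZIP archive (starts with PK 05 06, end of central directory)"
            return 0 ;;
        3c21444f|3c68746d|3c48544d)   # "<!DO", "<htm", "<HTM"
            echo "$1: HTML page, not a ZIP; re-download it from the /raw/ URL"
            return 1 ;;
        *)
            echo "$1: unknown signature $sig"
            return 2 ;;
    esac
}

# Constructed samples: only the leading bytes matter for this check.
# Prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    printf 'PK\003\004filler-not-a-real-archive' > "$dir/real.jar"
    printf '<!DOCTYPE html>\n<html><body>saved GitHub file page</body></html>\n' > "$dir/fake.jar"
    printf '%s\n' "$dir"
}

# Usage: sh check-jar.sh file1.jar file2.zip ...   (one verdict per file)
for f in "$@"; do
    check_archive "$f" || true
done
```

Running the script over a download directory gives the same answer as the detector's "Problem:" lines, but before the scan: any file reported as HTML was fetched from a /blob/ page, and `raw_url` gives the address to fetch it from instead (for example with `curl -fsSL -o file.jar "$(raw_url "$blob_link")"`).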

That's where I go to download the file, using the Download button.

donmontalvo avatar Dec 24 '21 16:12 donmontalvo