CVE-2021-44228-Log4Shell-Hashes
Hashes might not match in all instances/deployments
I tested on a project that is known to use log4j-2.14.0 and the hashes do not match those from these lists. It might be a good idea to also check for file names but obviously that comes with its own set of problems.
Here's the PoC
cat <<EOF | docker run -i --rm -e NEO4J_AUTH=neo4j/s3cr3t neo4j:4.3.0 sh
find / -name "*.jar" | grep log4 | xargs -I {} sh -c "echo 'checking {}' && md5sum {} && sha1sum {} && sha256sum {}"
EOF
The log4j jar file from Maven Central (https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar) has a different checksum compared to the version distributed in the binary zip archive downloaded from https://archive.apache.org/dist/logging/log4j/2.11.1/apache-log4j-2.11.1-bin.zip
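An added example, not code from this thread or from the hash-list project: one way to identify log4j-core from what is inside the jar rather than from a whole-file hash, which changes with packaging. It assumes the standard log4j-core layout (the Maven `pom.properties` entry and the `JndiLookup.class` path); the two sample jars are constructed in memory and contain placeholder bytes, not real bytecode.

```python
import hashlib
import io
import zipfile

# Entry paths used by log4j-core 2.x jars.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def identify_log4j_core(jar_bytes):
    """Report the jar-level hash plus packaging-independent facts about its content."""
    result = {
        "sha256": hashlib.sha256(jar_bytes).hexdigest(),
        "version": None,
        "has_jndi_lookup": False,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            names = set(jar.namelist())
            result["has_jndi_lookup"] = JNDI in names
            if POM in names:
                text = jar.read(POM).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        result["version"] = line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        result["error"] = "not a zip archive"
    return result


def build_sample_jar(compression, timestamp):
    """Constructed stand-in jar: identical entries, different packaging metadata."""
    entries = (
        (POM, b"version=2.14.0\nartifactId=log4j-core\n"),  # constructed sample
        (JNDI, b"\xca\xfe\xba\xbe constructed placeholder"),  # not real bytecode
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            jar.writestr(info, data, compress_type=compression)
    return buf.getvalue()


# Same content packaged two ways, as a rebuilt or repackaged distribution might be.
SAMPLE_A = build_sample_jar(zipfile.ZIP_STORED, (2020, 11, 7, 0, 0, 0))
SAMPLE_B = build_sample_jar(zipfile.ZIP_DEFLATED, (2021, 3, 1, 12, 0, 0))

if __name__ == "__main__":
    for label, blob in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, identify_log4j_core(blob))
```

This reads only top-level entries, so jars nested inside fat jars or WAR files would need to be unpacked and checked recursively.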