log4j-remediation-tools
log4j-remediation-tools copied to clipboard
Error trying to execute confirm-vulnerabilities
Hi, thank you for creating this tool. I had errors when I tried to run
java -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar
The error is
18:38:14 ❯ java -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to field sun.management.RuntimeImpl.jvm
WARNING: Please consider reporting this to the maintainers of com.stripe.log4j.isitvuln.ProcessInfo
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Will use this jar for agent: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar
date,host,tool,version,pid,path,jre,log4j,log4j version,formatMsgNoLookups,ldap trustURLCodebase,rmi trustURLCodebase,cosnaming trustURLCodebase,exploited
When I tried --illegal-access=permit
, same problem.
When I tried --illegal-access=warn
, I got
18:38:33 ❯ java --illegal-access=warn -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to field sun.management.RuntimeImpl.jvm
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to method sun.management.VMManagementImpl.getProcessId()
Will use this jar for agent: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar
date,host,tool,version,pid,path,jre,log4j,log4j version,formatMsgNoLookups,ldap trustURLCodebase,rmi trustURLCodebase,cosnaming trustURLCodebase,exploited
I was able to build with maven without any issue
[INFO] Replacing original artifact with shaded artifact.
[INFO] Replacing /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar with /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT-shaded.jar
[INFO] Dependency-reduced POM written at: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/dependency-reduced-pom.xml
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.659 s
[INFO] Finished at: 2021-12-17T18:15:41-08:00
[INFO] ------------------------------------------------------------------------
I am not sure if I am missing anything.
Thank you