diff --git a/README.md b/README.md index 4fb7532..9a65edc 100644 --- a/README.md +++ b/README.md @@ -3,16 +3,16 @@ log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-44832 (log4j 2.17.0), CVE-2021-4104, CVE-2019-17571, CVE-2017-5645, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities. ### Download -* [log4j2-scan 2.8.1 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-win64.7z) -* [log4j2-scan 2.8.1 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-win64.zip) +* [log4j2-scan 2.9.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.0/logpresso-log4j2-scan-2.9.0-win64.7z) +* [log4j2-scan 2.9.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.0/logpresso-log4j2-scan-2.9.0-win64.zip) * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170). * If native executable doesn't work, use the JAR instead. 32bit is not supported. * 7zip is available from www.7zip.org, and is open source and free. -* [log4j2-scan 2.8.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-linux.tar.gz) -* [log4j2-scan 2.8.1 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-linux-aarch64.tar.gz) +* [log4j2-scan 2.9.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.0/logpresso-log4j2-scan-2.9.0-linux.tar.gz) +* [log4j2-scan 2.9.0 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.0/logpresso-log4j2-scan-2.9.0-linux-aarch64.tar.gz) * If native executable doesn't work, use the JAR instead. 32bit is not supported. -* [log4j2-scan 2.8.1 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1-darwin.zip) -* [log4j2-scan 2.8.1 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.1/logpresso-log4j2-scan-2.8.1.jar) +* [log4j2-scan 2.9.0 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.0/logpresso-log4j2-scan-2.9.0-darwin.zip) +* [log4j2-scan 2.9.0 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.0/logpresso-log4j2-scan-2.9.0.jar) ### Build * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image) @@ -134,7 +134,7 @@ On Linux ``` On UNIX (AIX, Solaris, and so on) ``` -java -jar logpresso-log4j2-scan-2.8.1.jar [--fix] target_path +java -jar logpresso-log4j2-scan-2.9.0.jar [--fix] target_path ``` If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option.