Added missing syslog invocation for scan error, Added file header to CSV log file. See #230 and #178 v2.7.1.
xeraph committed Jan 2, 2022
1 parent 8ca2110 commit 9e0f65a
Showing 5 changed files with 36 additions and 16 deletions.
20 changes: 10 additions & 10 deletions README.md
@@ -3,16 +3,16 @@
log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-44832 (log4j 2.17.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.

### Download
* [log4j2-scan 2.7.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-win64.7z)
* [log4j2-scan 2.7.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-win64.zip)
* [log4j2-scan 2.7.1 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.1/logpresso-log4j2-scan-2.7.1-win64.7z)
* [log4j2-scan 2.7.1 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.1/logpresso-log4j2-scan-2.7.1-win64.zip)
* If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
* If native executable doesn't work, use the JAR instead. 32bit is not supported.
* 7zip is available from www.7zip.org, and is open source and free.
* [log4j2-scan 2.7.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-linux.tar.gz)
* [log4j2-scan 2.7.0 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-linux-aarch64.tar.gz)
* [log4j2-scan 2.7.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.1/logpresso-log4j2-scan-2.7.1-linux.tar.gz)
* [log4j2-scan 2.7.1 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.1/logpresso-log4j2-scan-2.7.1-linux-aarch64.tar.gz)
* If native executable doesn't work, use the JAR instead. 32bit is not supported.
* [log4j2-scan 2.7.0 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0-darwin.zip)
* [log4j2-scan 2.7.0 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.0/logpresso-log4j2-scan-2.7.0.jar)
* [log4j2-scan 2.7.1 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.1/logpresso-log4j2-scan-2.7.1-darwin.zip)
* [log4j2-scan 2.7.1 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.1/logpresso-log4j2-scan-2.7.1.jar)

### Build
* [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
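Review bot: the link text for the "Any OS" download still says 620KB, carried over unchanged from 2.7.0; unless the 2.7.1 jar happens to be the same size, either re-measure it or drop the size from the link text so it cannot go stale on every version bump. The bullet "If native executable doesn't work, use the JAR instead. 32bit is not supported." also appears verbatim under both the Windows and the Linux lists; one mention above both lists would do.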
@@ -22,15 +22,15 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress

`--fix` option is supported for following vulnerabilities:
* Log4j v2 - CVE-2021-44228 (JndiLookup), CVE-2021-45046 (JndiLookup)
* Log4j v1 - CVE-2021-4104 (JMSAppender), CVE-2019-17571 (SocketServer), CVE-2017-5645(SocketServer), CVE-2020-9488 (SMTPAppender)
* Log4j v1 - CVE-2021-4104 (JMSAppender), CVE-2019-17571 (SocketServer), CVE-2017-5645 (SocketServer), CVE-2020-9488 (SMTPAppender)

`--fix` option doesn't mitigate following vulnerabilities:
* Log4j v2 - CVE-2021-45105 (DoS), CVE-2021-44832 (JDBCAppender)
* Logback - CVE-2021-42550

Usage
```
Logpresso CVE-2021-44228 Vulnerability Scanner 2.7.0 (2022-01-02)
Logpresso CVE-2021-44228 Vulnerability Scanner 2.7.1 (2022-01-02)
Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
-f [config_file_path]
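Review bot: "Usage" on the line before the fence is a bare word while the sibling sections use "### Download" and "### Build"; make it "### Usage" so it renders as a heading in the same style. The banner line inside the fence duplicates the VERSION and RELEASE_DATE constants from Log4j2Scanner.java and has to be edited by hand on every release (this hunk is exactly that edit); pasting the real --help output from a release script would keep the two from drifting.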
@@ -73,7 +73,7 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
--exclude-file-config [config_file_path]
Specify exclude file path list in text file. Paths should be separated by new line. Prepend # for comment.
--exclude-fs nfs,tmpfs
Exclude paths by file system type. nfs, nfs3, nfs4, afs, cifs, autofs, tmpfs, devtmpfs, fuse.sshfs and iso9660 is ignored by default.
Exclude paths by file system type. nfs, nfs3, nfs4, afs, cifs, autofs, tmpfs, devtmpfs, fuse.sshfs and iso9660 is ignored by default.
--syslog-udp [host:port]
Send reports to remote syslog host.
Send vulnerable, potentially vulnerable, and mitigated reports by default.
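Review bot: the only visible difference in this hunk is whitespace on the --exclude-fs description line; since the line is being touched anyway, fix the agreement ("... fuse.sshfs and iso9660 are ignored by default") and say whether a value passed to --exclude-fs replaces that default list or is added to it, which the current wording leaves ambiguous and which matters for anyone trying to scan an NFS-mounted application directory.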
@@ -122,7 +122,7 @@ On Linux
```
On UNIX (AIX, Solaris, and so on)
```
java -jar logpresso-log4j2-scan-2.7.0.jar [--fix] target_path
java -jar logpresso-log4j2-scan-2.7.1.jar [--fix] target_path
```

If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option.
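Review bot: the jar filename in the UNIX command is one of many hand-edited copies of the version string in this commit (eight README links, the usage banner, pom.xml, Log4j2Scanner.VERSION, and this line); a missed occurrence points users at an old build, which for a vulnerability scanner means missing detections. A placeholder such as logpresso-log4j2-scan-<version>.jar in the docs, or a release script that rewrites every occurrence, would remove this class of mistake.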
2 changes: 1 addition & 1 deletion pom.xml
@@ -6,7 +6,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.logpresso</groupId>
<artifactId>log4j2-scanner</artifactId>
<version>2.7.0</version>
<version>2.7.1</version>
<packaging>jar</packaging>
<name>Logpresso Log4j2 Scanner</name>

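Review bot: the Maven version here and the VERSION constant in Log4j2Scanner.java are bumped independently in this commit and can drift; consider making the pom the single source of truth, either by reading Implementation-Version from the jar manifest (Package.getImplementationVersion()) or by filling a Maven-filtered properties file at build time. If the native-image build needs a compile-time constant, resource filtering is the safer of the two.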
15 changes: 14 additions & 1 deletion src/main/java/com/logpresso/scanner/Detector.java
@@ -479,9 +479,22 @@ private void printDetectionForLogback(File jarFile, List<String> pathChain, Stri
public void addErrorReport(File jarFile, String error) {
errorCount++;

ReportEntry entry = new ReportEntry(jarFile, error);

// heap guard for error exploding
if (errorReports.size() < 100000)
errorReports.add(new ReportEntry(jarFile, error));
errorReports.add(entry);

// invoke listeners
for (LogListener listener : logListeners) {
try {
listener.onError(entry);
} catch (Throwable t) {
// listener should not throw any exception
if (config.isDebug())
t.printStackTrace();
}
}
}

private void addReport(File jarFile, List<String> pathChain, String product, String version, String cve, boolean mitigated,
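Review bot: catch (Throwable t) around listener.onError(entry) also swallows OutOfMemoryError and StackOverflowError, which is unfortunate in a method that exists partly as a heap guard; catch Exception (or RuntimeException) so VM errors still propagate, and count or log the failure even when debug is off, otherwise a broken syslog listener fails silently and the operator never learns that error reports stopped arriving. Please also confirm that LogListener already declares onError(ReportEntry): this hunk calls it but nothing in the commit adds it, so it must pre-exist for the build to pass (consistent with the commit message calling it a "missing invocation"). Finally, listeners are now invoked for every error even after the 100000-entry cap is reached, which is right for syslog, but it means the in-memory report and the remote log can disagree after an error storm; a one-line comment stating that this is intentional would help the next reader.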
2 changes: 1 addition & 1 deletion src/main/java/com/logpresso/scanner/Log4j2Scanner.java
@@ -24,7 +24,7 @@
import com.logpresso.scanner.utils.ZipUtils;

public class Log4j2Scanner {
public static final String VERSION = "2.7.0";
public static final String VERSION = "2.7.1";
public static final String RELEASE_DATE = "2022-01-02";
public static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner " + VERSION + " (" + RELEASE_DATE + ")";

13 changes: 10 additions & 3 deletions src/main/java/com/logpresso/scanner/LogGenerator.java
@@ -43,8 +43,16 @@ public LogGenerator(Configuration config) throws IOException {
if (config.getUdpSyslogAddr() != null)
socket = new DatagramSocket();

if (config.getCsvLogPath() != null)
if (config.getCsvLogPath() != null) {
boolean addHeader = !config.getCsvLogPath().exists();
csvFileOutput = new FileOutputStream(config.getCsvLogPath(), APPEND);
if (addHeader) {
String header = String
.format("\"Hostname\",\"Path\",\"Entry\",\"Product\",\"Version\",\"CVE\",\"Status\",\"Fixed\",\"Detected at\"%n");
csvFileOutput.write(header.getBytes("utf-8"));
csvFileOutput.flush();
}
}

if (config.getJsonLogPath() != null)
jsonFileOutput = new FileOutputStream(config.getJsonLogPath(), APPEND);
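Review bot: addHeader is derived from !exists(), so an existing zero-length CSV file (left by an earlier run that died before its first write, or pre-created by an operator) never receives a header, and downstream parsers will then treat the first data row as column names; use !config.getCsvLogPath().exists() || config.getCsvLogPath().length() == 0. The check-then-open is also a small race, acceptable for a log file. Prefer StandardCharsets.UTF_8 over the "utf-8" string so getBytes cannot throw UnsupportedEncodingException, and double-check that the nine header columns match the order the CSV row writer emits (not visible in this hunk).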
@@ -158,14 +166,13 @@ private void sendErrorSyslog(ReportEntry entry) {

private byte[] formatSyslog(String pri, String msgId, String msg) throws UnsupportedEncodingException {
if (config.isRfc5424()) {

// https://datatracker.ietf.org/doc/html/rfc5424#section-6
// PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
// STRUCTURED-DATA SP MSG
SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ");
String timestamp = df.format(new Date());

byte[] header = String.format("%s1 %s %s LOPGRESSO LOG4J2-SCAN %s - ", pri, timestamp, hostname, msgId)
byte[] header = String.format("%s1 %s %s LOGPRESSO LOG4J2-SCAN %s - ", pri, timestamp, hostname, msgId)
.getBytes("utf-8");
byte[] body = msg.getBytes("utf-8");

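Review bot: the LOPGRESSO to LOGPRESSO fix is correct, but the TIMESTAMP built two lines above it is not RFC 5424 compliant: the pattern yyyy-MM-dd'T'HH:mm:ssZ yields an offset like +0900, whereas section 6.2.3 requires the RFC 3339 form (+09:00 or Z). Use the XXX pattern letter instead of Z, or format an Instant in UTC, so strict receivers do not reject or misparse the header. The field layout itself matches the comment: "%s1" is PRI immediately followed by VERSION, then TIMESTAMP, HOSTNAME, APP-NAME LOGPRESSO, PROCID LOG4J2-SCAN, MSGID and a NILVALUE for STRUCTURED-DATA.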