v2.6.5

• Detect also CVE-2021-44832 RCE vulnerability for log4j 2.17.0, 2.12.3, 2.3.1. See #218
  • https://nvd.nist.gov/vuln/detail/CVE-2021-44832
  • https://logging.apache.org/log4j/2.x/security.html
  • --fix option does not mitigate 2.17.0. It should be upgraded.

2.6.4 Release

• Do not use this version. --fix option should not touch 2.17.0 binary.
• Detect also CVE-2021-44832 RCE vulnerability for log4j 2.17.0, 2.12.3, 2.3.1. See #218
  • https://nvd.nist.gov/vuln/detail/CVE-2021-44832
  • https://logging.apache.org/log4j/2.x/security.html

2.6.3 Release

• Do not detect Log4j 2.3.1 (for jdk6) and Log4j 2.12.3 (for jdk7) as vulnerable version. See #213
  • CVE-2021-44228 is fixed in Log4j 2.12.2, but Log4j 2.12.2 has CVE-2021-45105. See https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  • CVE-2021-45105 is fixed in Log4j 2.12.3 for jdk7. See https://nvd.nist.gov/vuln/detail/CVE-2021-45105
  • CVE-2021-45105 is fixed in Log4j 2.3.1 for jdk6. See https://logging.apache.org/log4j/2.x/security.html

2.6.2 Release

• Fixed read-only file may be left in writable state. See #211
• Restrict use of both --report-csv and --report-json only if --report-path option is specified. See #210
• Print mitigated tag for version undetected binaries. See #197

2.6.1 Release

• Support --report-dir with --report-json option. See #203
• Suppress error report for broken symlink except explicitly specified input path. See #202

2.6.0 Release

• Robust JAR or ZIP decompression. See #198
  • Desperately, I found out that there is no sound and complete ZIP implementation in Java world.
  • Even commons-compress cannot decompress all known ZIP samples properly.
  • Implemented robustness by repetitive trial.
• Follow symbolic link if input file path is explicitly specified. See #193
• Added afs and autofs to ignore filesystem list. #194
• Use dynamic library link due to GraalVM native-image bug. #192
  • See oracle/graal#3099
  • If you know how to workaround, please let me know.

2.5.3 Release

• Fixed status reporting bug for log4j1 and logback. See #191

2.5.2 Release

• Added --syslog-level option. See #186
  • Default mode info sends also MITIGATED report. This is right option for BI reporting
  • Use alert level for SIEM integration.
  • Use debug level for error reporting
• Added --backup-ext option. See #141 , #181
  • Default extension is zip.
• Added --backup-path option.
  • You can fully customize backup file path.

2.5.1 Release

• Revised CSV formatting. See #185
• Signed and notarized Mach-O binary for automation. See #175
  • Developer ID Application is log4j2-scan

2.5.0 Release

• Added --restore [backup_file_path] option. See #150
  • Scanner archive all .bak files into the single log4j2_scan_backup_yyyyMMdd_HHmmss.zip file, then delete all .bak files automatically since v2.5.0.
  • If you ensure that application works well after mitigation patch, you can delete .zip backup file.
  • If you want to restore original vulnerable files, you can easily restore files using --restore option.
• Added --syslog-udp [remote_ip:port] option.
  • Integrate this scanner into your SIEM. e.g. Logpresso, Splunk, or Elastic. See #183
  • Example: {"time": "2021-12-21 00:00:36+0900", "hostname": "XERAPH", "path": "/path/to/log4j-core-2.16.0.jar", "entry": "", "product": "Log4j 2", "version": "2.16.0", "cve": "CVE-2021-45105", "status": "VULNERABLE", "fixed": false}