From cfbc7d1a0b090c6f05e3c2ff002333b57478e1a6 Mon Sep 17 00:00:00 2001 From: Forrest Date: Tue, 14 Dec 2021 14:44:15 -0800 Subject: [PATCH 01/15] first draft of adding severity rating to vulns Former-commit-id: 50f3d2afbc069f3274dc937c5f53e701827de994 Former-commit-id: be369b278fe65cd44977639d9614a4181d06bf35 --- tools/log4shell/constants/vulnerablehashes.go | 202 ++++++++++-------- tools/log4shell/scan/scan.go | 8 +- tools/log4shell/types/findings.go | 1 + tools/log4shell/types/vulnerablehashes.go | 7 +- 4 files changed, 120 insertions(+), 98 deletions(-) diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index 6ed78cdb4..99f8fa0bb 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go 
@@ -12,110 +12,124 @@ // See the License for the specific language governing permissions and // limitations under the License. // +// Copyright 2021 by LunaSec (owned by Refinery Labs, Inc) +// +// Licensed under the Apache License, Name 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// package constants import "github.com/lunasec-io/lunasec/tools/log4shell/types" // from: https://github.com/hillu/local-log4j-vuln-scanner/blob/master/log4j-vuln-finder.go#L16 var KnownVulnerableClassFileHashes = types.VulnerableHashLookup{ - "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8": "log4j 2.0-rc1", // JndiLookup.class - "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2": "log4j 2.0-rc2", // JndiLookup.class - "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e": "log4j 2.0.1", // JndiLookup.class - "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c": "log4j 2.0.2", // JndiLookup.class - "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29": "log4j 2.0", // JndiLookup.class - "03c77cca9aeff412f46eaf1c7425669e37008536dd52f1d6f088e80199e4aae7": "log4j 2.4-2.11.2", // JndiManager$1.class - "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32": "log4j 2.7-2.8.1", // JndiManager.class - "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de": "log4j 2.12.0-2.12.1", // JndiManager.class - "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6": "log4j 2.9.0-2.11.2", // JndiManager.class - 
"3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7": "log4j 2.4-2.5", // JndiManager.class - "547883afa0aa245321e6b1aaced24bc10d73d5af4974d951e2bd53b017e2d4ab": "log4j 2.14.0-2.14.1", // JndiManager$JndiManagerFactory.class - "620a713d908ece7fb09b7d34c2b0461e1c366704da89ea20eb78b73116c77f23": "log4j 2.1-2.3", // JndiManager$1.class - "632a69aef3bc5012f61093c3d9b92d6170fdc795711e9fed7f5388c36e3de03d": "log4j 2.8.2", // JndiManager$JndiManagerFactory.class - "635ccd3aaa429f3fea31d84569a892b96a02c024c050460d360cc869bcf45840": "log4j 2.9.1-2.10.0", // JndiManager$JndiManagerFactory.class - "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246": "log4j 2.6-2.6.2", // JndiManager.class - "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407": "log4j 2.8.2", // JndiManager.class - "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6": "log4j 2.14.0-2.14.1", // JndiManager.class - "8abaebc4d09926cd12b5269c781b64a7f5a57793c54dc1225976f02ba58343bf": "log4j 2.13.0-2.13.3", // JndiManager$JndiManagerFactory.class - "91e58af100aface711700562b5002c5d397fb35d2a95d5704db41461ac1ad8fd": "log4j 2.1-2.3", // JndiManager$JndiManagerFactory.class - "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c": "log4j 2.1-2.3", // JndiManager.class - "aec7ea2daee4d6468db2df25597594957a06b945bcb778bbcd5acc46f17de665": "log4j 2.4-2.6.2", // JndiManager$JndiManagerFactory.class - "b8af4230b9fb6c79c5bf2e66a5de834bc0ebec4c462d6797258f5d87e356d64b": "log4j 2.7-2.8.1", // JndiManager$JndiManagerFactory.class - "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078": "log4j 2.13.0-2.13.3", // JndiManager.class - "e4906e06c4e7688b468524990d9bb6460d6ef31fe938e01561f3f93ab5ca25a6": "log4j 2.8.2-2.12.0", // JndiManager$1.class - "fe15a68ef8a75a3f9d3f5843f4b4a6db62d1145ef72937ed7d6d1bbcf8ec218f": "log4j 2.12.0-2.12.1", // JndiManager$JndiManagerFactory.class - "0ebc263ba66a7452d3dfc15760c560f930d835164914a1340d741838e3165dbb": 
"log4j 2.4-2.5", // MessagePatternConverter.class - "52b5574bad677030c56c1a386362840064d347523e61e59ca1c55faf7e998986": "log4j 2.12", // MessagePatternConverter.class - "5c328eedefcb28512ff5d9a7556741dd159f0b13e1c0c52edc958d9821b8d2c5": "log4j 2.6", // MessagePatternConverter.class - "791a12347e62d9884c4d6f8e285098fedaf3bcdf591af3e4449923191588d43c": "log4j 2.8-2.9", // MessagePatternConverter.class - "8d5e886175b66ec2de5b61113fdaf06c50e1070cad1fb9150258e01d84d13c4b": "log4j 2.13", // MessagePatternConverter.class - "95b385ebc65843315aeae33551e7bbdad886e9e9465ea8d3179cd74344b37984": "log4j 2.10-2.11", // MessagePatternConverter.class - "a36c2e78cef7c2ddcc4ebbb11c085e85989eb93f9d19bd6254913b13dfe7c58e": "log4j 2.0-2.3", // MessagePatternConverter.class - "a3a65f2c5bc0dd62df115a0d9ac7140793c61b65bbbac313a526a3b50724a8c7": "log4j 2.8.2", // MessagePatternConverter.class - "ee41ae7ae80f5c533548a89c6d6e112df609c838b901daea99ac88ccda2a5da1": "log4j 2.7", // MessagePatternConverter.class - "f0a869f7da9b17d0a23d0cb0e13c65afa5e42e9567b47603a8fc0debc7ef193c": "log4j 2.14", // MessagePatternConverter.class - "f8baca973f1874b76cfaed0f4c17048b1ac0dee364abfdfeeec62de3427def50": "log4j 2.0-rc1", // MessagePatternConverter.class + "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8": { Name:"log4j 2.0-rc1", Severity: "10.0" }, // JndiLookup.class + "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2": { Name:"log4j 2.0-rc2", Severity: "10.0" }, // JndiLookup.class + "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e": { Name:"log4j 2.0.1", Severity: "10.0" }, // JndiLookup.class + "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c": { Name:"log4j 2.0.2", Severity: "10.0" }, // JndiLookup.class + "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29": { Name:"log4j 2.0", Severity: "10.0" }, // JndiLookup.class + "03c77cca9aeff412f46eaf1c7425669e37008536dd52f1d6f088e80199e4aae7": { Name:"log4j 2.4-2.11.2", 
Severity: "10.0" }, // JndiManager$1.class + "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32": { Name:"log4j 2.7-2.8.1", Severity: "10.0" }, // JndiManager.class + "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de": { Name:"log4j 2.12.0-2.12.1", Severity: "10.0" }, // JndiManager.class + "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6": { Name:"log4j 2.9.0-2.11.2", Severity: "10.0" }, // JndiManager.class + "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7": { Name:"log4j 2.4-2.5", Severity: "10.0" }, // JndiManager.class + "547883afa0aa245321e6b1aaced24bc10d73d5af4974d951e2bd53b017e2d4ab": { Name:"log4j 2.14.0-2.14.1", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class + "620a713d908ece7fb09b7d34c2b0461e1c366704da89ea20eb78b73116c77f23": { Name:"log4j 2.1-2.3", Severity: "10.0" }, // JndiManager$1.class + "632a69aef3bc5012f61093c3d9b92d6170fdc795711e9fed7f5388c36e3de03d": { Name:"log4j 2.8.2", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class + "635ccd3aaa429f3fea31d84569a892b96a02c024c050460d360cc869bcf45840": { Name:"log4j 2.9.1-2.10.0", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class + "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246": { Name:"log4j 2.6-2.6.2", Severity: "10.0" }, // JndiManager.class + "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407": { Name:"log4j 2.8.2", Severity: "10.0" }, // JndiManager.class + "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6": { Name:"log4j 2.14.0-2.14.1", Severity: "10.0" }, // JndiManager.class + "8abaebc4d09926cd12b5269c781b64a7f5a57793c54dc1225976f02ba58343bf": { Name:"log4j 2.13.0-2.13.3", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class + "91e58af100aface711700562b5002c5d397fb35d2a95d5704db41461ac1ad8fd": { Name:"log4j 2.1-2.3", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class + "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c": 
{ Name:"log4j 2.1-2.3", Severity: "10.0" }, // JndiManager.class + "aec7ea2daee4d6468db2df25597594957a06b945bcb778bbcd5acc46f17de665": { Name:"log4j 2.4-2.6.2", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class + "b8af4230b9fb6c79c5bf2e66a5de834bc0ebec4c462d6797258f5d87e356d64b": { Name:"log4j 2.7-2.8.1", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class + "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078": { Name:"log4j 2.13.0-2.13.3", Severity: "10.0" }, // JndiManager.class + "e4906e06c4e7688b468524990d9bb6460d6ef31fe938e01561f3f93ab5ca25a6": { Name:"log4j 2.8.2-2.12.0", Severity: "10.0" }, // JndiManager$1.class + "fe15a68ef8a75a3f9d3f5843f4b4a6db62d1145ef72937ed7d6d1bbcf8ec218f": { Name:"log4j 2.12.0-2.12.1", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class + "0ebc263ba66a7452d3dfc15760c560f930d835164914a1340d741838e3165dbb": { Name:"log4j 2.4-2.5", Severity: "10.0" }, // MessagePatternConverter.class + "52b5574bad677030c56c1a386362840064d347523e61e59ca1c55faf7e998986": { Name:"log4j 2.12", Severity: "10.0" }, // MessagePatternConverter.class + "5c328eedefcb28512ff5d9a7556741dd159f0b13e1c0c52edc958d9821b8d2c5": { Name:"log4j 2.6", Severity: "10.0" }, // MessagePatternConverter.class + "791a12347e62d9884c4d6f8e285098fedaf3bcdf591af3e4449923191588d43c": { Name:"log4j 2.8-2.9", Severity: "10.0" }, // MessagePatternConverter.class + "8d5e886175b66ec2de5b61113fdaf06c50e1070cad1fb9150258e01d84d13c4b": { Name:"log4j 2.13", Severity: "10.0" }, // MessagePatternConverter.class + "95b385ebc65843315aeae33551e7bbdad886e9e9465ea8d3179cd74344b37984": { Name:"log4j 2.10-2.11", Severity: "10.0" }, // MessagePatternConverter.class + "a36c2e78cef7c2ddcc4ebbb11c085e85989eb93f9d19bd6254913b13dfe7c58e": { Name:"log4j 2.0-2.3", Severity: "10.0" }, // MessagePatternConverter.class + "a3a65f2c5bc0dd62df115a0d9ac7140793c61b65bbbac313a526a3b50724a8c7": { Name:"log4j 2.8.2", Severity: "10.0" }, // MessagePatternConverter.class + 
"ee41ae7ae80f5c533548a89c6d6e112df609c838b901daea99ac88ccda2a5da1": { Name:"log4j 2.7", Severity: "10.0" }, // MessagePatternConverter.class + "f0a869f7da9b17d0a23d0cb0e13c65afa5e42e9567b47603a8fc0debc7ef193c": { Name:"log4j 2.14", Severity: "10.0" }, // MessagePatternConverter.class + "f8baca973f1874b76cfaed0f4c17048b1ac0dee364abfdfeeec62de3427def50": { Name:"log4j 2.0-rc1", Severity: "10.0" }, // MessagePatternConverter.class - "ce69c1ea49c60f3be90cb9c86d7220af86e5d2fbc08fd7232da7278926e4f881": "log4j 2.0-alpha1/alpha2/beta1", // MessagePatternConverter.class - "963ee03ebe020703fea27f657496d35edeac264beebeb14bfcd9d3350343c0bf": "log4j 2.0-beta2/beta3", // MessagePatternConverter.class - "be8f32ed92f161df72248dcbaaf761c812ddbb59434abfd5c87482e9e0bd983c": "log4j 2.0-beta4", // MessagePatternConverter.class - "9a54a585ed491573e80e0b32e964e5eb4d6c4068d2abffff628e3c69ef9102cf": "log4j 2.0-beta5", // MessagePatternConverter.class - "357120b06f61475033d152505c3d43a57c9a9bdc05b835d0939f1662b48fc6c3": "log4j 2.0-beta6/beta7/beta8", // MessagePatternConverter.class + "ce69c1ea49c60f3be90cb9c86d7220af86e5d2fbc08fd7232da7278926e4f881": { Name:"log4j 2.0-alpha1/alpha2/beta1", Severity: "10.0" }, // MessagePatternConverter.class + "963ee03ebe020703fea27f657496d35edeac264beebeb14bfcd9d3350343c0bf": { Name:"log4j 2.0-beta2/beta3", Severity: "10.0" }, // MessagePatternConverter.class + "be8f32ed92f161df72248dcbaaf761c812ddbb59434abfd5c87482e9e0bd983c": { Name:"log4j 2.0-beta4", Severity: "10.0" }, // MessagePatternConverter.class + "9a54a585ed491573e80e0b32e964e5eb4d6c4068d2abffff628e3c69ef9102cf": { Name:"log4j 2.0-beta5", Severity: "10.0" }, // MessagePatternConverter.class + "357120b06f61475033d152505c3d43a57c9a9bdc05b835d0939f1662b48fc6c3": { Name:"log4j 2.0-beta6/beta7/beta8", Severity: "10.0" }, // MessagePatternConverter.class - "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d": "log4j 1.2.4", // SocketNode.class - 
"3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0": "log4j 1.2.6-1.2.9", // SocketNode.class - "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9": "log4j 1.2.8", // SocketNode.class - "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4": "log4j 1.2.15", // SocketNode.class - "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46": "log4j 1.2.16", // SocketNode.class - "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74": "log4j 1.2.17", // SocketNode.class - "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6": "log4j 1.2.11", // SocketNode.class - "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a": "log4j 1.2.5", // SocketNode.class - "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c": "log4j 1.2.12", // SocketNode.class - "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7": "log4j 1.2.13-1.2.14", // SocketNode.class + "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d": { Name:"log4j 1.2.4", Severity: "10.0" }, // SocketNode.class + "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0": { Name:"log4j 1.2.6-1.2.9", Severity: "10.0" }, // SocketNode.class + "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9": { Name:"log4j 1.2.8", Severity: "10.0" }, // SocketNode.class + "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4": { Name:"log4j 1.2.15", Severity: "10.0" }, // SocketNode.class + "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46": { Name:"log4j 1.2.16", Severity: "10.0" }, // SocketNode.class + "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74": { Name:"log4j 1.2.17", Severity: "10.0" }, // SocketNode.class + "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6": { Name:"log4j 1.2.11", Severity: "10.0" }, // SocketNode.class + "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a": { Name:"log4j 1.2.5", Severity: 
"10.0" }, // SocketNode.class + "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c": { Name:"log4j 1.2.12", Severity: "10.0" }, // SocketNode.class + "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7": { Name:"log4j 1.2.13-1.2.14", Severity: "10.0" }, // SocketNode.class } // from: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt var KnownVulnerableArchiveFileHashes = types.VulnerableHashLookup{ - "bf4f41403280c1b115650d470f9b260a5c9042c04d9bcc2a6ca504a66379b2d6": "./apache-log4j-2.0-alpha2-bin/log4j-core-2.0-alpha2.jar", - "58e9f72081efff9bdaabd82e3b3efe5b1b9f1666cefe28f429ad7176a6d770ae": "./apache-log4j-2.0-beta1-bin/log4j-core-2.0-beta1.jar", - "ed285ad5ac6a8cf13461d6c2874fdcd3bf67002844831f66e21c2d0adda43fa4": "./apache-log4j-2.0-beta2-bin/log4j-core-2.0-beta2.jar", - "dbf88c623cc2ad99d82fa4c575fb105e2083465a47b84d64e2e1a63e183c274e": "./apache-log4j-2.0-beta3-bin/log4j-core-2.0-beta3.jar", - "a38ddff1e797adb39a08876932bc2538d771ff7db23885fb883fec526aff4fc8": "./apache-log4j-2.0-beta4-bin/log4j-core-2.0-beta4.jar", - "7d86841489afd1097576a649094ae1efb79b3147cd162ba019861dfad4e9573b": "./apache-log4j-2.0-beta5-bin/log4j-core-2.0-beta5.jar", - "4bfb0d5022dc499908da4597f3e19f9f64d3cc98ce756a2249c72179d3d75c47": "./apache-log4j-2.0-beta6-bin/log4j-core-2.0-beta6.jar", - "473f15c04122dad810c919b2f3484d46560fd2dd4573f6695d387195816b02a6": "./apache-log4j-2.0-beta7-bin/log4j-core-2.0-beta7.jar", - "b3fae4f84d4303cdbad4696554b4e8d2381ad3faf6e0c3c8d2ce60a4388caa02": "./apache-log4j-2.0-beta8-bin/log4j-core-2.0-beta8.jar", - "dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d": "./apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", - "85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c": "./apache-log4j-2.0-bin/log4j-core-2.0.jar", - "db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a": "./apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", - 
"ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0": "./apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", - "a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d": "./apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", - "c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d": "./apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", - "8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc": "./apache-log4j-2.1-bin/log4j-core-2.1.jar", - "c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a": "./apache-log4j-2.2-bin/log4j-core-2.2.jar", - "6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2": "./apache-log4j-2.3-bin/log4j-core-2.3.jar", - "535e19bf14d8c76ec00a7e8490287ca2e2597cae2de5b8f1f65eb81ef1c2a4c6": "./apache-log4j-2.4-bin/log4j-core-2.4.jar", - "42de36e61d454afff5e50e6930961c85b55d681e23931efd248fd9b9b9297239": "./apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", - "4f53e4d52efcccdc446017426c15001bb0fe444c7a6cdc9966f8741cf210d997": "./apache-log4j-2.5-bin/log4j-core-2.5.jar", - "df00277045338ceaa6f70a7b8eee178710b3ba51eac28c1142ec802157492de6": "./apache-log4j-2.6-bin/log4j-core-2.6.jar", - "28433734bd9e3121e0a0b78238d5131837b9dbe26f1a930bc872bad44e68e44e": "./apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", - "cf65f0d33640f2cd0a0b06dd86a5c6353938ccb25f4ffd14116b4884181e0392": "./apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", - "5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4": "./apache-log4j-2.7-bin/log4j-core-2.7.jar", - "ccf02bb919e1a44b13b366ea1b203f98772650475f2a06e9fac4b3c957a7c3fa": "./apache-log4j-2.8-bin/log4j-core-2.8.jar", - "815a73e20e90a413662eefe8594414684df3d5723edcd76070e1a5aee864616e": "./apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", - "10ef331115cbbd18b5be3f3761e046523f9c95c103484082b18e67a7c36e570c": "./apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", - "dc815be299f81c180aa8d2924f1b015f2c46686e866bc410e72de75f7cd41aae": "./apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", - 
"9275f5d57709e2204900d3dae2727f5932f85d3813ad31c9d351def03dd3d03d": "./apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", - "f35ccc9978797a895e5bee58fa8c3b7ad6d5ee55386e9e532f141ee8ed2e937d": "./apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", - "5256517e6237b888c65c8691f29219b6658d800c23e81d5167c4a8bbd2a0daa3": "./apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", - "d4485176aea67cc85f5ccc45bb66166f8bfc715ae4a695f0d870a1f8d848cc3d": "./apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", - "3fcc4c1f2f806acfc395144c98b8ba2a80fe1bf5e3ad3397588bbd2610a37100": "./apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", - "057a48fe378586b6913d29b4b10162b4b5045277f1be66b7a01fb7e30bd05ef3": "./apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", - "5dbd6bb2381bf54563ea15bc9fbb6d7094eaf7184e6975c50f8996f77bfc3f2c": "./apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", - "c39b0ea14e7766440c59e5ae5f48adee038d9b1c7a1375b376e966ca12c22cd3": "./apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", - "6f38a25482d82cd118c4255f25b9d78d96821d22bab498cdce9cda7a563ca992": "./apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", - "54962835992e303928aa909730ce3a50e311068c0960c708e82ab76701db5e6b": "./apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", - "e5e9b0f8d72f4e7b9022b7a83c673334d7967981191d2d98f9c57dc97b4caae1": "./apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", - "68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa": "./apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", - "9da0f5ca7c8eab693d090ae759275b9db4ca5acdbcfe4a63d3871e0b17367463": "./apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", - "006fc6623fbb961084243cfc327c885f3c57f2eba8ee05fbc4e93e5358778c85": "./log4j-2.0-alpha1/log4j-core-2.0-alpha1.jar", + "bf4f41403280c1b115650d470f9b260a5c9042c04d9bcc2a6ca504a66379b2d6": { Name:"./apache-log4j-2.0-alpha2-bin/log4j-core-2.0-alpha2.jar", Severity: "10.0" }, + "58e9f72081efff9bdaabd82e3b3efe5b1b9f1666cefe28f429ad7176a6d770ae": { Name:"./apache-log4j-2.0-beta1-bin/log4j-core-2.0-beta1.jar", Severity: "10.0" }, + 
"ed285ad5ac6a8cf13461d6c2874fdcd3bf67002844831f66e21c2d0adda43fa4": { Name:"./apache-log4j-2.0-beta2-bin/log4j-core-2.0-beta2.jar", Severity: "10.0" }, + "dbf88c623cc2ad99d82fa4c575fb105e2083465a47b84d64e2e1a63e183c274e": { Name:"./apache-log4j-2.0-beta3-bin/log4j-core-2.0-beta3.jar", Severity: "10.0" }, + "a38ddff1e797adb39a08876932bc2538d771ff7db23885fb883fec526aff4fc8": { Name:"./apache-log4j-2.0-beta4-bin/log4j-core-2.0-beta4.jar", Severity: "10.0" }, + "7d86841489afd1097576a649094ae1efb79b3147cd162ba019861dfad4e9573b": { Name:"./apache-log4j-2.0-beta5-bin/log4j-core-2.0-beta5.jar", Severity: "10.0" }, + "4bfb0d5022dc499908da4597f3e19f9f64d3cc98ce756a2249c72179d3d75c47": { Name:"./apache-log4j-2.0-beta6-bin/log4j-core-2.0-beta6.jar", Severity: "10.0" }, + "473f15c04122dad810c919b2f3484d46560fd2dd4573f6695d387195816b02a6": { Name:"./apache-log4j-2.0-beta7-bin/log4j-core-2.0-beta7.jar", Severity: "10.0" }, + "b3fae4f84d4303cdbad4696554b4e8d2381ad3faf6e0c3c8d2ce60a4388caa02": { Name:"./apache-log4j-2.0-beta8-bin/log4j-core-2.0-beta8.jar", Severity: "10.0" }, + "dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d": { Name:"./apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", Severity: "10.0" }, + "85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c": { Name:"./apache-log4j-2.0-bin/log4j-core-2.0.jar", Severity: "10.0" }, + "db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a": { Name:"./apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", Severity: "10.0" }, + "ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0": { Name:"./apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", Severity: "10.0" }, + "a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d": { Name:"./apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", Severity: "10.0" }, + "c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d": { Name:"./apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", Severity: "10.0" }, + 
"8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc": { Name:"./apache-log4j-2.1-bin/log4j-core-2.1.jar", Severity: "10.0" }, + "c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a": { Name:"./apache-log4j-2.2-bin/log4j-core-2.2.jar", Severity: "10.0" }, + "6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2": { Name:"./apache-log4j-2.3-bin/log4j-core-2.3.jar", Severity: "10.0" }, + "535e19bf14d8c76ec00a7e8490287ca2e2597cae2de5b8f1f65eb81ef1c2a4c6": { Name:"./apache-log4j-2.4-bin/log4j-core-2.4.jar", Severity: "10.0" }, + "42de36e61d454afff5e50e6930961c85b55d681e23931efd248fd9b9b9297239": { Name:"./apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", Severity: "10.0" }, + "4f53e4d52efcccdc446017426c15001bb0fe444c7a6cdc9966f8741cf210d997": { Name:"./apache-log4j-2.5-bin/log4j-core-2.5.jar", Severity: "10.0" }, + "df00277045338ceaa6f70a7b8eee178710b3ba51eac28c1142ec802157492de6": { Name:"./apache-log4j-2.6-bin/log4j-core-2.6.jar", Severity: "10.0" }, + "28433734bd9e3121e0a0b78238d5131837b9dbe26f1a930bc872bad44e68e44e": { Name:"./apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", Severity: "10.0" }, + "cf65f0d33640f2cd0a0b06dd86a5c6353938ccb25f4ffd14116b4884181e0392": { Name:"./apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", Severity: "10.0" }, + "5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4": { Name:"./apache-log4j-2.7-bin/log4j-core-2.7.jar", Severity: "10.0" }, + "ccf02bb919e1a44b13b366ea1b203f98772650475f2a06e9fac4b3c957a7c3fa": { Name:"./apache-log4j-2.8-bin/log4j-core-2.8.jar", Severity: "10.0" }, + "815a73e20e90a413662eefe8594414684df3d5723edcd76070e1a5aee864616e": { Name:"./apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", Severity: "10.0" }, + "10ef331115cbbd18b5be3f3761e046523f9c95c103484082b18e67a7c36e570c": { Name:"./apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", Severity: "10.0" }, + "dc815be299f81c180aa8d2924f1b015f2c46686e866bc410e72de75f7cd41aae": { Name:"./apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", Severity: 
"10.0" }, + "9275f5d57709e2204900d3dae2727f5932f85d3813ad31c9d351def03dd3d03d": { Name:"./apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", Severity: "10.0" }, + "f35ccc9978797a895e5bee58fa8c3b7ad6d5ee55386e9e532f141ee8ed2e937d": { Name:"./apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", Severity: "10.0" }, + "5256517e6237b888c65c8691f29219b6658d800c23e81d5167c4a8bbd2a0daa3": { Name:"./apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", Severity: "10.0" }, + "d4485176aea67cc85f5ccc45bb66166f8bfc715ae4a695f0d870a1f8d848cc3d": { Name:"./apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", Severity: "10.0" }, + "3fcc4c1f2f806acfc395144c98b8ba2a80fe1bf5e3ad3397588bbd2610a37100": { Name:"./apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", Severity: "10.0" }, + "057a48fe378586b6913d29b4b10162b4b5045277f1be66b7a01fb7e30bd05ef3": { Name:"./apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", Severity: "10.0" }, + "5dbd6bb2381bf54563ea15bc9fbb6d7094eaf7184e6975c50f8996f77bfc3f2c": { Name:"./apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", Severity: "10.0" }, + "c39b0ea14e7766440c59e5ae5f48adee038d9b1c7a1375b376e966ca12c22cd3": { Name:"./apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", Severity: "10.0" }, + "6f38a25482d82cd118c4255f25b9d78d96821d22bab498cdce9cda7a563ca992": { Name:"./apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", Severity: "10.0" }, + "54962835992e303928aa909730ce3a50e311068c0960c708e82ab76701db5e6b": { Name:"./apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", Severity: "10.0" }, + "e5e9b0f8d72f4e7b9022b7a83c673334d7967981191d2d98f9c57dc97b4caae1": { Name:"./apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", Severity: "10.0" }, + "68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa": { Name:"./apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", Severity: "10.0" }, + "9da0f5ca7c8eab693d090ae759275b9db4ca5acdbcfe4a63d3871e0b17367463": { Name:"./apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", Severity: "10.0" }, + 
"006fc6623fbb961084243cfc327c885f3c57f2eba8ee05fbc4e93e5358778c85": { Name:"./log4j-2.0-alpha1/log4j-core-2.0-alpha1.jar", Severity: "10.0" }, } diff --git a/tools/log4shell/scan/scan.go b/tools/log4shell/scan/scan.go index 087a6257a..85c887ae2 100644 --- a/tools/log4shell/scan/scan.go +++ b/tools/log4shell/scan/scan.go @@ -37,18 +37,20 @@ func identifyPotentiallyVulnerableFile(reader io.Reader, path, fileName string, return } - if versionInfo, ok := hashLookup[fileHash]; ok { + if vulnerableHash, ok := hashLookup[fileHash]; ok { log.Info(). Str("fileName", fileName). Str("path", path). - Str("versionInfo", versionInfo). + Str("versionInfo", vulnerableHash.Name). + Str("severity", vulnerableHash.Severity). Msg("identified vulnerable path") finding = &types.Finding{ Path: path, FileName: fileName, Hash: fileHash, - VersionInfo: versionInfo, + VersionInfo: vulnerableHash.Name, + Severity: vulnerableHash.Severity, } return } diff --git a/tools/log4shell/types/findings.go b/tools/log4shell/types/findings.go index 0644dec27..329b8f1c7 100644 --- a/tools/log4shell/types/findings.go +++ b/tools/log4shell/types/findings.go @@ -19,6 +19,7 @@ type Finding struct { FileName string `json:"file_name"` Hash string `json:"hash"` VersionInfo string `json:"version_info"` + Severity string `json:"severity"` } type FindingsOutput struct { diff --git a/tools/log4shell/types/vulnerablehashes.go b/tools/log4shell/types/vulnerablehashes.go index 3ca07fb52..f679b388c 100644 --- a/tools/log4shell/types/vulnerablehashes.go +++ b/tools/log4shell/types/vulnerablehashes.go @@ -14,4 +14,9 @@ // package types -type VulnerableHashLookup map[string]string +type VulnerableHash struct { + Name string `json:"name"` + Severity string `json:"severity"` +} + +type VulnerableHashLookup map[string]VulnerableHash From 0d0f65b86dc2485884d831ae19a59ee8719576e8 Mon Sep 17 00:00:00 2001 
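Review bot: The log4j 1.2.x `SocketNode.class` rows in `KnownVulnerableClassFileHashes` receive the same `Severity: "10.0"` as the 2.x JNDI rows, and nothing in the hunk records where the number comes from. log4j 1.x has no `JndiLookup`/`JndiManager` class, so those rows presumably flag a different weakness and need their own rating rather than the blanket value. The license block added at the top of the hunk is a second copy of the header above it and reads `Apache License, Name 2.0`, which looks like a Version-to-Name search-and-replace artifact; PATCH 04 later deletes the original and keeps this copy, so the text should be restored to `Version 2.0`. The new rows are also not gofmt-formatted (`{ Name:"log4j 2.0-rc1", ...`).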
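Review bot: `Severity` is added as an undocumented free-form string on `types.Finding` here and on the new `types.VulnerableHash` in the types/vulnerablehashes.go hunk, so a consumer of the JSON findings cannot threshold or sort on it without parsing and cannot tell which scale it uses. If it is meant to be a CVSS base score, say so in a field comment such as `// Severity is the CVSS base score of the matched advisory as a decimal string, e.g. "10.0".` on both structs. Neither struct carries the advisory id the score belongs to; a `CVE` string field with a `json:"cve"` tag next to `Severity` would let a finding be traced back to its source. The exported types `VulnerableHash` and `VulnerableHashLookup` also have no doc comments.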
From: Forrest Date: Tue, 14 Dec 2021 15:23:24 -0800 Subject: [PATCH 02/15] duplicate flags onto scan command because its more natural UX Former-commit-id: 4fd334e659962d7ed5b5b86c37b1b53c56f5e7eb Former-commit-id: 52eaf11030d7516892506dff03b1d5ee808f9a12 --- tools/log4shell/README.md | 1 + tools/log4shell/constants/version.go | 2 +- tools/log4shell/main.go | 12 ++++++++++++ tools/log4shell/scan/scan.go | 2 +- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/tools/log4shell/README.md b/tools/log4shell/README.md index 0a9fd2f74..b35da9471 100644 --- a/tools/log4shell/README.md +++ b/tools/log4shell/README.md @@ -24,6 +24,7 @@ docker run --network=host log4shell or +Make sure you have Maven installed, then: ``` ./build-payload.sh && go build . && ./log4shell ``` diff --git a/tools/log4shell/constants/version.go b/tools/log4shell/constants/version.go index ab90ab3c1..db95d01d2 100644 --- a/tools/log4shell/constants/version.go +++ b/tools/log4shell/constants/version.go @@ -14,4 +14,4 @@ // package constants -const Version = "1.0.0" +const Version = "1.1.0" diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index 3dad2eb17..c4cfcfcb5 100644 --- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go @@ -148,6 +148,18 @@ func main() { Name: "output", Usage: "File path for where to output findings in JSON format.", }, + &cli.BoolFlag{ + Name: "verbose", + Usage: "Display verbose information when running commands.", + }, + &cli.BoolFlag{ + Name: "json", + Usage: "Display findings in json format.", + }, + &cli.BoolFlag{ + Name: "debug", + Usage: "Display helpful information while debugging the CLI.", + }, }, Action: scanCommand, }, diff --git a/tools/log4shell/scan/scan.go b/tools/log4shell/scan/scan.go index 85c887ae2..7772ebf83 100644 --- a/tools/log4shell/scan/scan.go +++ b/tools/log4shell/scan/scan.go 
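Review bot: The `verbose`, `json` and `debug` flags are declared a second time on the scan command (the commit title says they are duplicated), so the two definitions can drift apart in name, usage text or default. Declaring them once, for example as a package-level `var outputFlags = []cli.Flag{...}` appended to both flag lists, keeps them in step. Which of the two values the handler reads is not visible here, because main() and scanCommand continue outside the hunk; that deserves a check, since a `--json` given after `scan` that is silently ignored would hand the wrong format to whatever parses the output.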
@@ -39,8 +39,8 @@ func identifyPotentiallyVulnerableFile(reader io.Reader, path, fileName string, if vulnerableHash, ok := hashLookup[fileHash]; ok { log.Info(). - Str("fileName", fileName). Str("path", path). + Str("fileName", fileName). Str("versionInfo", vulnerableHash.Name). Str("severity", vulnerableHash.Severity). Msg("identified vulnerable path") From 33efd845d74fbc1de4b6c3b867c0ef1753cccc13 Mon Sep 17 00:00:00 2001 From: Forrest Date: Tue, 14 Dec 2021 15:58:36 -0800 Subject: [PATCH 03/15] added 2.15 hashes and confirmed they work Former-commit-id: 24b9eaf67480f35a6bf06d4ef16d1ae09944138f Former-commit-id: 697de560e41fea41428db8b3be7c127c8c4462aa --- tools/log4shell/constants/vulnerablehashes.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index 99f8fa0bb..6b99e547c 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go 
@@ -85,6 +85,11 @@ var KnownVulnerableClassFileHashes = types.VulnerableHashLookup{ "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a": { Name:"log4j 1.2.5", Severity: "10.0" }, // SocketNode.class "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c": { Name:"log4j 1.2.12", Severity: "10.0" }, // SocketNode.class "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7": { Name:"log4j 1.2.13-1.2.14", Severity: "10.0" }, // SocketNode.class + // The following shas for version 2.15 detect a valid but lower level of severity vulnerability, CVE CVE-2021-45046 + "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // JNDILookup.class + "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // JNDIManager.class + "5bfbecc21f5de442035c0361c994c379a4f6b5adb280c66e43256c6f09346bd1" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // MessagePatternConverter.class + } // from: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt @@ -132,4 +137,6 @@ var KnownVulnerableArchiveFileHashes = types.VulnerableHashLookup{ "68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa": { Name:"./apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", Severity: "10.0" }, "9da0f5ca7c8eab693d090ae759275b9db4ca5acdbcfe4a63d3871e0b17367463": { Name:"./apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", Severity: "10.0" }, "006fc6623fbb961084243cfc327c885f3c57f2eba8ee05fbc4e93e5358778c85": { Name:"./log4j-2.0-alpha1/log4j-core-2.0-alpha1.jar", Severity: "10.0" }, -} + // The following shas for version 2.15 detect a valid but lower level of severity vulnerability, CVE CVE-2021-45046 + "e7048ad52e3b6f1267b7ceb2c07200a5ce61271bcf59f98fd238bf60e4137932": { Name:"apache-log4j-2.15.0-bin/log4j-core.2.15.0.jar", Severity: "3.7"}, + } From cef7db619f4e14dd8a083a02a1a219ae7bf3ceb5 Mon Sep 17 00:00:00 2001 
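Review bot: The archive entry added in the second hunk gives `Name` as `apache-log4j-2.15.0-bin/log4j-core.2.15.0.jar`, which lacks the leading `./` and has `core.2.15.0` where every neighbouring entry follows `./apache-log4j-X-bin/log4j-core-X.jar`. Because scan.go logs `Name` as `versionInfo`, a match would report a file name that looks mistyped; presumably `./apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar` was meant. In the first hunk the trailing comments say `JNDILookup.class` and `JNDIManager.class` while the rest of the table writes `JndiLookup.class` and `JndiManager.class`, and both added header comments repeat a word (`CVE CVE-2021-45046`). The score is stored as the bare string `"3.7"`, which goes stale if the CVE is rescored; a field carrying the CVE id next to it would let a consumer look up the current rating. Both map literals start outside their hunks.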
From: Johnathan Free Wortley Date: Wed, 15 Dec 2021 00:04:57 +0000 Subject: [PATCH 04/15] Update vulnerablehashes.go Former-commit-id: 99aee5c561c8302f5756af5851a980a7910c654f Former-commit-id: 8eec49fd5855e29ed8a04133575931eb539663ab --- tools/log4shell/constants/vulnerablehashes.go | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index 6b99e547c..00fe83ab9 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go @@ -1,19 +1,5 @@ // Copyright 2021 by LunaSec (owned by Refinery Labs, Inc) // -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// Copyright 2021 by LunaSec (owned by Refinery Labs, Inc) -// // Licensed under the Apache License, Name 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at From 0b328bf0db9be86d62653a443bc02e4af14333ff Mon Sep 17 00:00:00 2001 From: Johnathan Free Wortley Date: Wed, 15 Dec 2021 00:05:41 +0000 Subject: [PATCH 05/15] Update vulnerablehashes.go Former-commit-id: dd697d30b64113612545dcf10151d58615f04eae Former-commit-id: 4690a364825ae441749c6178107b76aee2948908 --- tools/log4shell/constants/vulnerablehashes.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index 00fe83ab9..f401240ea 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go @@ -1,6 +1,6 @@ // Copyright 2021 by LunaSec (owned by Refinery Labs, Inc) // -// Licensed under the Apache License, Name 2.0 (the "License"); +// Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // From 690d0527b61928df5a178d0c2f5db56b66246343 Mon Sep 17 00:00:00 2001 From: Johnathan Free Wortley Date: Wed, 15 Dec 2021 00:08:32 +0000 Subject: [PATCH 06/15] Severity 9.8 for log4j v1 vulns Former-commit-id: 74bb3cdd9a49d062629c53a0e71852778b7fc368 Former-commit-id: 14bb5655db135dae5ddd861b70cff37109ba3302 --- tools/log4shell/constants/vulnerablehashes.go | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index f401240ea..b2533e10a 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go 
@@ -61,20 +61,20 @@ var KnownVulnerableClassFileHashes = types.VulnerableHashLookup{ "9a54a585ed491573e80e0b32e964e5eb4d6c4068d2abffff628e3c69ef9102cf": { Name:"log4j 2.0-beta5", Severity: "10.0" }, // MessagePatternConverter.class "357120b06f61475033d152505c3d43a57c9a9bdc05b835d0939f1662b48fc6c3": { Name:"log4j 2.0-beta6/beta7/beta8", Severity: "10.0" }, // MessagePatternConverter.class - "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d": { Name:"log4j 1.2.4", Severity: "10.0" }, // SocketNode.class - "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0": { Name:"log4j 1.2.6-1.2.9", Severity: "10.0" }, // SocketNode.class - "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9": { Name:"log4j 1.2.8", Severity: "10.0" }, // SocketNode.class - "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4": { Name:"log4j 1.2.15", Severity: "10.0" }, // SocketNode.class - "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46": { Name:"log4j 1.2.16", Severity: "10.0" }, // SocketNode.class - "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74": { Name:"log4j 1.2.17", Severity: "10.0" }, // SocketNode.class - "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6": { Name:"log4j 1.2.11", Severity: "10.0" }, // SocketNode.class - "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a": { Name:"log4j 1.2.5", Severity: "10.0" }, // SocketNode.class - "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c": { Name:"log4j 1.2.12", Severity: "10.0" }, // SocketNode.class - "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7": { Name:"log4j 1.2.13-1.2.14", Severity: "10.0" }, // SocketNode.class + "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d": { Name:"log4j 1.2.4", Severity: "9.8" }, // SocketNode.class + "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0": { Name:"log4j 1.2.6-1.2.9", Severity: "9.8" }, // SocketNode.class + 
"bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9": { Name:"log4j 1.2.8", Severity: "9.8" }, // SocketNode.class + "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4": { Name:"log4j 1.2.15", Severity: "9.8" }, // SocketNode.class + "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46": { Name:"log4j 1.2.16", Severity: "9.8" }, // SocketNode.class + "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74": { Name:"log4j 1.2.17", Severity: "9.8" }, // SocketNode.class + "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6": { Name:"log4j 1.2.11", Severity: "9.8" }, // SocketNode.class + "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a": { Name:"log4j 1.2.5", Severity: "9.8" }, // SocketNode.class + "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c": { Name:"log4j 1.2.12", Severity: "9.8" }, // SocketNode.class + "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7": { Name:"log4j 1.2.13-1.2.14", Severity: "9.8" }, // SocketNode.class // The following shas for version 2.15 detect a valid but lower level of severity vulnerability, CVE CVE-2021-45046 - "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // JNDILookup.class - "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // JNDIManager.class - "5bfbecc21f5de442035c0361c994c379a4f6b5adb280c66e43256c6f09346bd1" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // MessagePatternConverter.class + "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // JNDILookup.class + "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // JNDIManager.class + "5bfbecc21f5de442035c0361c994c379a4f6b5adb280c66e43256c6f09346bd1" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // MessagePatternConverter.class } 
From 4b1c0eafdd249b8a3c6f2cbbb57ae81dd84f2bcc Mon Sep 17 00:00:00 2001 From: Free Wortley Date: Tue, 14 Dec 2021 18:19:55 -0600 Subject: [PATCH 07/15] Swap from Severity to CVE Former-commit-id: bec65fd830c9b249c75da210996bd24f969ad4d7 Former-commit-id: 33b7979282430060a861a60e1456e5b805dfdd64 --- tools/log4shell/constants/vulnerablehashes.go | 200 +++++++++--------- tools/log4shell/scan/scan.go | 4 +- tools/log4shell/types/findings.go | 2 +- tools/log4shell/types/vulnerablehashes.go | 4 +- 4 files changed, 107 insertions(+), 103 deletions(-) diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index b2533e10a..9609e5a11 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go 
@@ -16,113 +16,117 @@ package constants import "github.com/lunasec-io/lunasec/tools/log4shell/types" +var log4shellCve = "CVE-2021-44228" +var apiVersionCve = "CVE-2021-45046" +var log4j1RceCve = "CVE-2019-17571" + // from: https://github.com/hillu/local-log4j-vuln-scanner/blob/master/log4j-vuln-finder.go#L16 var KnownVulnerableClassFileHashes = types.VulnerableHashLookup{ - "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8": { Name:"log4j 2.0-rc1", Severity: "10.0" }, // JndiLookup.class - "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2": { Name:"log4j 2.0-rc2", Severity: "10.0" }, // JndiLookup.class - "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e": { Name:"log4j 2.0.1", Severity: "10.0" }, // JndiLookup.class - "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c": { Name:"log4j 2.0.2", Severity: "10.0" }, // JndiLookup.class - "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29": { Name:"log4j 2.0", Severity: "10.0" }, // JndiLookup.class - "03c77cca9aeff412f46eaf1c7425669e37008536dd52f1d6f088e80199e4aae7": { Name:"log4j 2.4-2.11.2", Severity: "10.0" }, // JndiManager$1.class - "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32": { Name:"log4j 2.7-2.8.1", Severity: "10.0" }, // JndiManager.class - "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de": { Name:"log4j 2.12.0-2.12.1", Severity: "10.0" }, // JndiManager.class - "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6": { Name:"log4j 2.9.0-2.11.2", Severity: "10.0" }, // JndiManager.class - "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7": { Name:"log4j 2.4-2.5", Severity: "10.0" }, // JndiManager.class - "547883afa0aa245321e6b1aaced24bc10d73d5af4974d951e2bd53b017e2d4ab": { Name:"log4j 2.14.0-2.14.1", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class - "620a713d908ece7fb09b7d34c2b0461e1c366704da89ea20eb78b73116c77f23": { Name:"log4j 2.1-2.3", Severity: 
"10.0" }, // JndiManager$1.class - "632a69aef3bc5012f61093c3d9b92d6170fdc795711e9fed7f5388c36e3de03d": { Name:"log4j 2.8.2", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class - "635ccd3aaa429f3fea31d84569a892b96a02c024c050460d360cc869bcf45840": { Name:"log4j 2.9.1-2.10.0", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class - "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246": { Name:"log4j 2.6-2.6.2", Severity: "10.0" }, // JndiManager.class - "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407": { Name:"log4j 2.8.2", Severity: "10.0" }, // JndiManager.class - "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6": { Name:"log4j 2.14.0-2.14.1", Severity: "10.0" }, // JndiManager.class - "8abaebc4d09926cd12b5269c781b64a7f5a57793c54dc1225976f02ba58343bf": { Name:"log4j 2.13.0-2.13.3", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class - "91e58af100aface711700562b5002c5d397fb35d2a95d5704db41461ac1ad8fd": { Name:"log4j 2.1-2.3", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class - "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c": { Name:"log4j 2.1-2.3", Severity: "10.0" }, // JndiManager.class - "aec7ea2daee4d6468db2df25597594957a06b945bcb778bbcd5acc46f17de665": { Name:"log4j 2.4-2.6.2", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class - "b8af4230b9fb6c79c5bf2e66a5de834bc0ebec4c462d6797258f5d87e356d64b": { Name:"log4j 2.7-2.8.1", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class - "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078": { Name:"log4j 2.13.0-2.13.3", Severity: "10.0" }, // JndiManager.class - "e4906e06c4e7688b468524990d9bb6460d6ef31fe938e01561f3f93ab5ca25a6": { Name:"log4j 2.8.2-2.12.0", Severity: "10.0" }, // JndiManager$1.class - "fe15a68ef8a75a3f9d3f5843f4b4a6db62d1145ef72937ed7d6d1bbcf8ec218f": { Name:"log4j 2.12.0-2.12.1", Severity: "10.0" }, // JndiManager$JndiManagerFactory.class - 
"0ebc263ba66a7452d3dfc15760c560f930d835164914a1340d741838e3165dbb": { Name:"log4j 2.4-2.5", Severity: "10.0" }, // MessagePatternConverter.class - "52b5574bad677030c56c1a386362840064d347523e61e59ca1c55faf7e998986": { Name:"log4j 2.12", Severity: "10.0" }, // MessagePatternConverter.class - "5c328eedefcb28512ff5d9a7556741dd159f0b13e1c0c52edc958d9821b8d2c5": { Name:"log4j 2.6", Severity: "10.0" }, // MessagePatternConverter.class - "791a12347e62d9884c4d6f8e285098fedaf3bcdf591af3e4449923191588d43c": { Name:"log4j 2.8-2.9", Severity: "10.0" }, // MessagePatternConverter.class - "8d5e886175b66ec2de5b61113fdaf06c50e1070cad1fb9150258e01d84d13c4b": { Name:"log4j 2.13", Severity: "10.0" }, // MessagePatternConverter.class - "95b385ebc65843315aeae33551e7bbdad886e9e9465ea8d3179cd74344b37984": { Name:"log4j 2.10-2.11", Severity: "10.0" }, // MessagePatternConverter.class - "a36c2e78cef7c2ddcc4ebbb11c085e85989eb93f9d19bd6254913b13dfe7c58e": { Name:"log4j 2.0-2.3", Severity: "10.0" }, // MessagePatternConverter.class - "a3a65f2c5bc0dd62df115a0d9ac7140793c61b65bbbac313a526a3b50724a8c7": { Name:"log4j 2.8.2", Severity: "10.0" }, // MessagePatternConverter.class - "ee41ae7ae80f5c533548a89c6d6e112df609c838b901daea99ac88ccda2a5da1": { Name:"log4j 2.7", Severity: "10.0" }, // MessagePatternConverter.class - "f0a869f7da9b17d0a23d0cb0e13c65afa5e42e9567b47603a8fc0debc7ef193c": { Name:"log4j 2.14", Severity: "10.0" }, // MessagePatternConverter.class - "f8baca973f1874b76cfaed0f4c17048b1ac0dee364abfdfeeec62de3427def50": { Name:"log4j 2.0-rc1", Severity: "10.0" }, // MessagePatternConverter.class + "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8": { Name:"log4j 2.0-rc1", CVE: log4shellCve }, // JndiLookup.class + "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2": { Name:"log4j 2.0-rc2", CVE: log4shellCve }, // JndiLookup.class + "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e": { Name:"log4j 2.0.1", CVE: log4shellCve }, // 
JndiLookup.class + "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c": { Name:"log4j 2.0.2", CVE: log4shellCve }, // JndiLookup.class + "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29": { Name:"log4j 2.0", CVE: log4shellCve }, // JndiLookup.class + "03c77cca9aeff412f46eaf1c7425669e37008536dd52f1d6f088e80199e4aae7": { Name:"log4j 2.4-2.11.2", CVE: log4shellCve }, // JndiManager$1.class + "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32": { Name:"log4j 2.7-2.8.1", CVE: log4shellCve }, // JndiManager.class + "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de": { Name:"log4j 2.12.0-2.12.1", CVE: log4shellCve }, // JndiManager.class + "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6": { Name:"log4j 2.9.0-2.11.2", CVE: log4shellCve }, // JndiManager.class + "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7": { Name:"log4j 2.4-2.5", CVE: log4shellCve }, // JndiManager.class + "547883afa0aa245321e6b1aaced24bc10d73d5af4974d951e2bd53b017e2d4ab": { Name:"log4j 2.14.0-2.14.1", CVE: log4shellCve }, // JndiManager$JndiManagerFactory.class + "620a713d908ece7fb09b7d34c2b0461e1c366704da89ea20eb78b73116c77f23": { Name:"log4j 2.1-2.3", CVE: log4shellCve }, // JndiManager$1.class + "632a69aef3bc5012f61093c3d9b92d6170fdc795711e9fed7f5388c36e3de03d": { Name:"log4j 2.8.2", CVE: log4shellCve }, // JndiManager$JndiManagerFactory.class + "635ccd3aaa429f3fea31d84569a892b96a02c024c050460d360cc869bcf45840": { Name:"log4j 2.9.1-2.10.0", CVE: log4shellCve }, // JndiManager$JndiManagerFactory.class + "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246": { Name:"log4j 2.6-2.6.2", CVE: log4shellCve }, // JndiManager.class + "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407": { Name:"log4j 2.8.2", CVE: log4shellCve }, // JndiManager.class + "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6": { Name:"log4j 2.14.0-2.14.1", CVE: log4shellCve }, // 
JndiManager.class + "8abaebc4d09926cd12b5269c781b64a7f5a57793c54dc1225976f02ba58343bf": { Name:"log4j 2.13.0-2.13.3", CVE: log4shellCve }, // JndiManager$JndiManagerFactory.class + "91e58af100aface711700562b5002c5d397fb35d2a95d5704db41461ac1ad8fd": { Name:"log4j 2.1-2.3", CVE: log4shellCve }, // JndiManager$JndiManagerFactory.class + "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c": { Name:"log4j 2.1-2.3", CVE: log4shellCve }, // JndiManager.class + "aec7ea2daee4d6468db2df25597594957a06b945bcb778bbcd5acc46f17de665": { Name:"log4j 2.4-2.6.2", CVE: log4shellCve }, // JndiManager$JndiManagerFactory.class + "b8af4230b9fb6c79c5bf2e66a5de834bc0ebec4c462d6797258f5d87e356d64b": { Name:"log4j 2.7-2.8.1", CVE: log4shellCve }, // JndiManager$JndiManagerFactory.class + "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078": { Name:"log4j 2.13.0-2.13.3", CVE: log4shellCve }, // JndiManager.class + "e4906e06c4e7688b468524990d9bb6460d6ef31fe938e01561f3f93ab5ca25a6": { Name:"log4j 2.8.2-2.12.0", CVE: log4shellCve }, // JndiManager$1.class + "fe15a68ef8a75a3f9d3f5843f4b4a6db62d1145ef72937ed7d6d1bbcf8ec218f": { Name:"log4j 2.12.0-2.12.1", CVE: log4shellCve }, // JndiManager$JndiManagerFactory.class + "0ebc263ba66a7452d3dfc15760c560f930d835164914a1340d741838e3165dbb": { Name:"log4j 2.4-2.5", CVE: log4shellCve }, // MessagePatternConverter.class + "52b5574bad677030c56c1a386362840064d347523e61e59ca1c55faf7e998986": { Name:"log4j 2.12", CVE: log4shellCve }, // MessagePatternConverter.class + "5c328eedefcb28512ff5d9a7556741dd159f0b13e1c0c52edc958d9821b8d2c5": { Name:"log4j 2.6", CVE: log4shellCve }, // MessagePatternConverter.class + "791a12347e62d9884c4d6f8e285098fedaf3bcdf591af3e4449923191588d43c": { Name:"log4j 2.8-2.9", CVE: log4shellCve }, // MessagePatternConverter.class + "8d5e886175b66ec2de5b61113fdaf06c50e1070cad1fb9150258e01d84d13c4b": { Name:"log4j 2.13", CVE: log4shellCve }, // MessagePatternConverter.class + 
"95b385ebc65843315aeae33551e7bbdad886e9e9465ea8d3179cd74344b37984": { Name:"log4j 2.10-2.11", CVE: log4shellCve }, // MessagePatternConverter.class + "a36c2e78cef7c2ddcc4ebbb11c085e85989eb93f9d19bd6254913b13dfe7c58e": { Name:"log4j 2.0-2.3", CVE: log4shellCve }, // MessagePatternConverter.class + "a3a65f2c5bc0dd62df115a0d9ac7140793c61b65bbbac313a526a3b50724a8c7": { Name:"log4j 2.8.2", CVE: log4shellCve }, // MessagePatternConverter.class + "ee41ae7ae80f5c533548a89c6d6e112df609c838b901daea99ac88ccda2a5da1": { Name:"log4j 2.7", CVE: log4shellCve }, // MessagePatternConverter.class + "f0a869f7da9b17d0a23d0cb0e13c65afa5e42e9567b47603a8fc0debc7ef193c": { Name:"log4j 2.14", CVE: log4shellCve }, // MessagePatternConverter.class + "f8baca973f1874b76cfaed0f4c17048b1ac0dee364abfdfeeec62de3427def50": { Name:"log4j 2.0-rc1", CVE: log4shellCve }, // MessagePatternConverter.class - "ce69c1ea49c60f3be90cb9c86d7220af86e5d2fbc08fd7232da7278926e4f881": { Name:"log4j 2.0-alpha1/alpha2/beta1", Severity: "10.0" }, // MessagePatternConverter.class - "963ee03ebe020703fea27f657496d35edeac264beebeb14bfcd9d3350343c0bf": { Name:"log4j 2.0-beta2/beta3", Severity: "10.0" }, // MessagePatternConverter.class - "be8f32ed92f161df72248dcbaaf761c812ddbb59434abfd5c87482e9e0bd983c": { Name:"log4j 2.0-beta4", Severity: "10.0" }, // MessagePatternConverter.class - "9a54a585ed491573e80e0b32e964e5eb4d6c4068d2abffff628e3c69ef9102cf": { Name:"log4j 2.0-beta5", Severity: "10.0" }, // MessagePatternConverter.class - "357120b06f61475033d152505c3d43a57c9a9bdc05b835d0939f1662b48fc6c3": { Name:"log4j 2.0-beta6/beta7/beta8", Severity: "10.0" }, // MessagePatternConverter.class + "ce69c1ea49c60f3be90cb9c86d7220af86e5d2fbc08fd7232da7278926e4f881": { Name:"log4j 2.0-alpha1/alpha2/beta1", CVE: log4shellCve }, // MessagePatternConverter.class + "963ee03ebe020703fea27f657496d35edeac264beebeb14bfcd9d3350343c0bf": { Name:"log4j 2.0-beta2/beta3", CVE: log4shellCve }, // MessagePatternConverter.class + 
"be8f32ed92f161df72248dcbaaf761c812ddbb59434abfd5c87482e9e0bd983c": { Name:"log4j 2.0-beta4", CVE: log4shellCve }, // MessagePatternConverter.class + "9a54a585ed491573e80e0b32e964e5eb4d6c4068d2abffff628e3c69ef9102cf": { Name:"log4j 2.0-beta5", CVE: log4shellCve }, // MessagePatternConverter.class + "357120b06f61475033d152505c3d43a57c9a9bdc05b835d0939f1662b48fc6c3": { Name:"log4j 2.0-beta6/beta7/beta8", CVE: log4shellCve }, // MessagePatternConverter.class - "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d": { Name:"log4j 1.2.4", Severity: "9.8" }, // SocketNode.class - "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0": { Name:"log4j 1.2.6-1.2.9", Severity: "9.8" }, // SocketNode.class - "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9": { Name:"log4j 1.2.8", Severity: "9.8" }, // SocketNode.class - "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4": { Name:"log4j 1.2.15", Severity: "9.8" }, // SocketNode.class - "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46": { Name:"log4j 1.2.16", Severity: "9.8" }, // SocketNode.class - "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74": { Name:"log4j 1.2.17", Severity: "9.8" }, // SocketNode.class - "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6": { Name:"log4j 1.2.11", Severity: "9.8" }, // SocketNode.class - "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a": { Name:"log4j 1.2.5", Severity: "9.8" }, // SocketNode.class - "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c": { Name:"log4j 1.2.12", Severity: "9.8" }, // SocketNode.class - "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7": { Name:"log4j 1.2.13-1.2.14", Severity: "9.8" }, // SocketNode.class + "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d": { Name:"log4j 1.2.4", CVE: log4j1RceCve }, // SocketNode.class + "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0": { 
Name:"log4j 1.2.6-1.2.9", CVE: log4j1RceCve }, // SocketNode.class + "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9": { Name:"log4j 1.2.8", CVE: log4j1RceCve }, // SocketNode.class + "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4": { Name:"log4j 1.2.15", CVE: log4j1RceCve }, // SocketNode.class + "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46": { Name:"log4j 1.2.16", CVE: log4j1RceCve }, // SocketNode.class + "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74": { Name:"log4j 1.2.17", CVE: log4j1RceCve }, // SocketNode.class + "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6": { Name:"log4j 1.2.11", CVE: log4j1RceCve }, // SocketNode.class + "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a": { Name:"log4j 1.2.5", CVE: log4j1RceCve }, // SocketNode.class + "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c": { Name:"log4j 1.2.12", CVE: log4j1RceCve }, // SocketNode.class + "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7": { Name:"log4j 1.2.13-1.2.14", CVE: log4j1RceCve }, // SocketNode.class // The following shas for version 2.15 detect a valid but lower level of severity vulnerability, CVE CVE-2021-45046 - "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // JNDILookup.class - "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // JNDIManager.class - "5bfbecc21f5de442035c0361c994c379a4f6b5adb280c66e43256c6f09346bd1" :{ Name:"log4j 2.15.0", Severity: "3.7" }, // MessagePatternConverter.class + "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f" :{ Name:"log4j 2.15.0", CVE: apiVersionCve }, // JNDILookup.class + "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e" :{ Name:"log4j 2.15.0", CVE: apiVersionCve }, // JNDIManager.class + 
"5bfbecc21f5de442035c0361c994c379a4f6b5adb280c66e43256c6f09346bd1" :{ Name:"log4j 2.15.0", CVE: apiVersionCve }, // MessagePatternConverter.class } // from: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt var KnownVulnerableArchiveFileHashes = types.VulnerableHashLookup{ - "bf4f41403280c1b115650d470f9b260a5c9042c04d9bcc2a6ca504a66379b2d6": { Name:"./apache-log4j-2.0-alpha2-bin/log4j-core-2.0-alpha2.jar", Severity: "10.0" }, - "58e9f72081efff9bdaabd82e3b3efe5b1b9f1666cefe28f429ad7176a6d770ae": { Name:"./apache-log4j-2.0-beta1-bin/log4j-core-2.0-beta1.jar", Severity: "10.0" }, - "ed285ad5ac6a8cf13461d6c2874fdcd3bf67002844831f66e21c2d0adda43fa4": { Name:"./apache-log4j-2.0-beta2-bin/log4j-core-2.0-beta2.jar", Severity: "10.0" }, - "dbf88c623cc2ad99d82fa4c575fb105e2083465a47b84d64e2e1a63e183c274e": { Name:"./apache-log4j-2.0-beta3-bin/log4j-core-2.0-beta3.jar", Severity: "10.0" }, - "a38ddff1e797adb39a08876932bc2538d771ff7db23885fb883fec526aff4fc8": { Name:"./apache-log4j-2.0-beta4-bin/log4j-core-2.0-beta4.jar", Severity: "10.0" }, - "7d86841489afd1097576a649094ae1efb79b3147cd162ba019861dfad4e9573b": { Name:"./apache-log4j-2.0-beta5-bin/log4j-core-2.0-beta5.jar", Severity: "10.0" }, - "4bfb0d5022dc499908da4597f3e19f9f64d3cc98ce756a2249c72179d3d75c47": { Name:"./apache-log4j-2.0-beta6-bin/log4j-core-2.0-beta6.jar", Severity: "10.0" }, - "473f15c04122dad810c919b2f3484d46560fd2dd4573f6695d387195816b02a6": { Name:"./apache-log4j-2.0-beta7-bin/log4j-core-2.0-beta7.jar", Severity: "10.0" }, - "b3fae4f84d4303cdbad4696554b4e8d2381ad3faf6e0c3c8d2ce60a4388caa02": { Name:"./apache-log4j-2.0-beta8-bin/log4j-core-2.0-beta8.jar", Severity: "10.0" }, - "dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d": { Name:"./apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", Severity: "10.0" }, - "85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c": { Name:"./apache-log4j-2.0-bin/log4j-core-2.0.jar", Severity: "10.0" }, - 
"db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a": { Name:"./apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", Severity: "10.0" }, - "ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0": { Name:"./apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", Severity: "10.0" }, - "a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d": { Name:"./apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", Severity: "10.0" }, - "c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d": { Name:"./apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", Severity: "10.0" }, - "8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc": { Name:"./apache-log4j-2.1-bin/log4j-core-2.1.jar", Severity: "10.0" }, - "c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a": { Name:"./apache-log4j-2.2-bin/log4j-core-2.2.jar", Severity: "10.0" }, - "6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2": { Name:"./apache-log4j-2.3-bin/log4j-core-2.3.jar", Severity: "10.0" }, - "535e19bf14d8c76ec00a7e8490287ca2e2597cae2de5b8f1f65eb81ef1c2a4c6": { Name:"./apache-log4j-2.4-bin/log4j-core-2.4.jar", Severity: "10.0" }, - "42de36e61d454afff5e50e6930961c85b55d681e23931efd248fd9b9b9297239": { Name:"./apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", Severity: "10.0" }, - "4f53e4d52efcccdc446017426c15001bb0fe444c7a6cdc9966f8741cf210d997": { Name:"./apache-log4j-2.5-bin/log4j-core-2.5.jar", Severity: "10.0" }, - "df00277045338ceaa6f70a7b8eee178710b3ba51eac28c1142ec802157492de6": { Name:"./apache-log4j-2.6-bin/log4j-core-2.6.jar", Severity: "10.0" }, - "28433734bd9e3121e0a0b78238d5131837b9dbe26f1a930bc872bad44e68e44e": { Name:"./apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", Severity: "10.0" }, - "cf65f0d33640f2cd0a0b06dd86a5c6353938ccb25f4ffd14116b4884181e0392": { Name:"./apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", Severity: "10.0" }, - "5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4": { 
Name:"./apache-log4j-2.7-bin/log4j-core-2.7.jar", Severity: "10.0" }, - "ccf02bb919e1a44b13b366ea1b203f98772650475f2a06e9fac4b3c957a7c3fa": { Name:"./apache-log4j-2.8-bin/log4j-core-2.8.jar", Severity: "10.0" }, - "815a73e20e90a413662eefe8594414684df3d5723edcd76070e1a5aee864616e": { Name:"./apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", Severity: "10.0" }, - "10ef331115cbbd18b5be3f3761e046523f9c95c103484082b18e67a7c36e570c": { Name:"./apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", Severity: "10.0" }, - "dc815be299f81c180aa8d2924f1b015f2c46686e866bc410e72de75f7cd41aae": { Name:"./apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", Severity: "10.0" }, - "9275f5d57709e2204900d3dae2727f5932f85d3813ad31c9d351def03dd3d03d": { Name:"./apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", Severity: "10.0" }, - "f35ccc9978797a895e5bee58fa8c3b7ad6d5ee55386e9e532f141ee8ed2e937d": { Name:"./apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", Severity: "10.0" }, - "5256517e6237b888c65c8691f29219b6658d800c23e81d5167c4a8bbd2a0daa3": { Name:"./apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", Severity: "10.0" }, - "d4485176aea67cc85f5ccc45bb66166f8bfc715ae4a695f0d870a1f8d848cc3d": { Name:"./apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", Severity: "10.0" }, - "3fcc4c1f2f806acfc395144c98b8ba2a80fe1bf5e3ad3397588bbd2610a37100": { Name:"./apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", Severity: "10.0" }, - "057a48fe378586b6913d29b4b10162b4b5045277f1be66b7a01fb7e30bd05ef3": { Name:"./apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", Severity: "10.0" }, - "5dbd6bb2381bf54563ea15bc9fbb6d7094eaf7184e6975c50f8996f77bfc3f2c": { Name:"./apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", Severity: "10.0" }, - "c39b0ea14e7766440c59e5ae5f48adee038d9b1c7a1375b376e966ca12c22cd3": { Name:"./apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", Severity: "10.0" }, - "6f38a25482d82cd118c4255f25b9d78d96821d22bab498cdce9cda7a563ca992": { Name:"./apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", Severity: "10.0" }, - 
"54962835992e303928aa909730ce3a50e311068c0960c708e82ab76701db5e6b": { Name:"./apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", Severity: "10.0" }, - "e5e9b0f8d72f4e7b9022b7a83c673334d7967981191d2d98f9c57dc97b4caae1": { Name:"./apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", Severity: "10.0" }, - "68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa": { Name:"./apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", Severity: "10.0" }, - "9da0f5ca7c8eab693d090ae759275b9db4ca5acdbcfe4a63d3871e0b17367463": { Name:"./apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", Severity: "10.0" }, - "006fc6623fbb961084243cfc327c885f3c57f2eba8ee05fbc4e93e5358778c85": { Name:"./log4j-2.0-alpha1/log4j-core-2.0-alpha1.jar", Severity: "10.0" }, + "bf4f41403280c1b115650d470f9b260a5c9042c04d9bcc2a6ca504a66379b2d6": { Name:"./apache-log4j-2.0-alpha2-bin/log4j-core-2.0-alpha2.jar", CVE: log4shellCve }, + "58e9f72081efff9bdaabd82e3b3efe5b1b9f1666cefe28f429ad7176a6d770ae": { Name:"./apache-log4j-2.0-beta1-bin/log4j-core-2.0-beta1.jar", CVE: log4shellCve }, + "ed285ad5ac6a8cf13461d6c2874fdcd3bf67002844831f66e21c2d0adda43fa4": { Name:"./apache-log4j-2.0-beta2-bin/log4j-core-2.0-beta2.jar", CVE: log4shellCve }, + "dbf88c623cc2ad99d82fa4c575fb105e2083465a47b84d64e2e1a63e183c274e": { Name:"./apache-log4j-2.0-beta3-bin/log4j-core-2.0-beta3.jar", CVE: log4shellCve }, + "a38ddff1e797adb39a08876932bc2538d771ff7db23885fb883fec526aff4fc8": { Name:"./apache-log4j-2.0-beta4-bin/log4j-core-2.0-beta4.jar", CVE: log4shellCve }, + "7d86841489afd1097576a649094ae1efb79b3147cd162ba019861dfad4e9573b": { Name:"./apache-log4j-2.0-beta5-bin/log4j-core-2.0-beta5.jar", CVE: log4shellCve }, + "4bfb0d5022dc499908da4597f3e19f9f64d3cc98ce756a2249c72179d3d75c47": { Name:"./apache-log4j-2.0-beta6-bin/log4j-core-2.0-beta6.jar", CVE: log4shellCve }, + "473f15c04122dad810c919b2f3484d46560fd2dd4573f6695d387195816b02a6": { Name:"./apache-log4j-2.0-beta7-bin/log4j-core-2.0-beta7.jar", CVE: log4shellCve }, + 
"b3fae4f84d4303cdbad4696554b4e8d2381ad3faf6e0c3c8d2ce60a4388caa02": { Name:"./apache-log4j-2.0-beta8-bin/log4j-core-2.0-beta8.jar", CVE: log4shellCve }, + "dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d": { Name:"./apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", CVE: log4shellCve }, + "85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c": { Name:"./apache-log4j-2.0-bin/log4j-core-2.0.jar", CVE: log4shellCve }, + "db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a": { Name:"./apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", CVE: log4shellCve }, + "ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0": { Name:"./apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", CVE: log4shellCve }, + "a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d": { Name:"./apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", CVE: log4shellCve }, + "c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d": { Name:"./apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", CVE: log4shellCve }, + "8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc": { Name:"./apache-log4j-2.1-bin/log4j-core-2.1.jar", CVE: log4shellCve }, + "c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a": { Name:"./apache-log4j-2.2-bin/log4j-core-2.2.jar", CVE: log4shellCve }, + "6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2": { Name:"./apache-log4j-2.3-bin/log4j-core-2.3.jar", CVE: log4shellCve }, + "535e19bf14d8c76ec00a7e8490287ca2e2597cae2de5b8f1f65eb81ef1c2a4c6": { Name:"./apache-log4j-2.4-bin/log4j-core-2.4.jar", CVE: log4shellCve }, + "42de36e61d454afff5e50e6930961c85b55d681e23931efd248fd9b9b9297239": { Name:"./apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", CVE: log4shellCve }, + "4f53e4d52efcccdc446017426c15001bb0fe444c7a6cdc9966f8741cf210d997": { Name:"./apache-log4j-2.5-bin/log4j-core-2.5.jar", CVE: log4shellCve }, + "df00277045338ceaa6f70a7b8eee178710b3ba51eac28c1142ec802157492de6": { 
Name:"./apache-log4j-2.6-bin/log4j-core-2.6.jar", CVE: log4shellCve }, + "28433734bd9e3121e0a0b78238d5131837b9dbe26f1a930bc872bad44e68e44e": { Name:"./apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", CVE: log4shellCve }, + "cf65f0d33640f2cd0a0b06dd86a5c6353938ccb25f4ffd14116b4884181e0392": { Name:"./apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", CVE: log4shellCve }, + "5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4": { Name:"./apache-log4j-2.7-bin/log4j-core-2.7.jar", CVE: log4shellCve }, + "ccf02bb919e1a44b13b366ea1b203f98772650475f2a06e9fac4b3c957a7c3fa": { Name:"./apache-log4j-2.8-bin/log4j-core-2.8.jar", CVE: log4shellCve }, + "815a73e20e90a413662eefe8594414684df3d5723edcd76070e1a5aee864616e": { Name:"./apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", CVE: log4shellCve }, + "10ef331115cbbd18b5be3f3761e046523f9c95c103484082b18e67a7c36e570c": { Name:"./apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", CVE: log4shellCve }, + "dc815be299f81c180aa8d2924f1b015f2c46686e866bc410e72de75f7cd41aae": { Name:"./apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", CVE: log4shellCve }, + "9275f5d57709e2204900d3dae2727f5932f85d3813ad31c9d351def03dd3d03d": { Name:"./apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", CVE: log4shellCve }, + "f35ccc9978797a895e5bee58fa8c3b7ad6d5ee55386e9e532f141ee8ed2e937d": { Name:"./apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", CVE: log4shellCve }, + "5256517e6237b888c65c8691f29219b6658d800c23e81d5167c4a8bbd2a0daa3": { Name:"./apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", CVE: log4shellCve }, + "d4485176aea67cc85f5ccc45bb66166f8bfc715ae4a695f0d870a1f8d848cc3d": { Name:"./apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", CVE: log4shellCve }, + "3fcc4c1f2f806acfc395144c98b8ba2a80fe1bf5e3ad3397588bbd2610a37100": { Name:"./apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", CVE: log4shellCve }, + "057a48fe378586b6913d29b4b10162b4b5045277f1be66b7a01fb7e30bd05ef3": { Name:"./apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", CVE: log4shellCve }, + 
"5dbd6bb2381bf54563ea15bc9fbb6d7094eaf7184e6975c50f8996f77bfc3f2c": { Name:"./apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", CVE: log4shellCve }, + "c39b0ea14e7766440c59e5ae5f48adee038d9b1c7a1375b376e966ca12c22cd3": { Name:"./apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", CVE: log4shellCve }, + "6f38a25482d82cd118c4255f25b9d78d96821d22bab498cdce9cda7a563ca992": { Name:"./apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", CVE: log4shellCve }, + "54962835992e303928aa909730ce3a50e311068c0960c708e82ab76701db5e6b": { Name:"./apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", CVE: log4shellCve }, + "e5e9b0f8d72f4e7b9022b7a83c673334d7967981191d2d98f9c57dc97b4caae1": { Name:"./apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", CVE: log4shellCve }, + "68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa": { Name:"./apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", CVE: log4shellCve }, + "9da0f5ca7c8eab693d090ae759275b9db4ca5acdbcfe4a63d3871e0b17367463": { Name:"./apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", CVE: log4shellCve }, + "006fc6623fbb961084243cfc327c885f3c57f2eba8ee05fbc4e93e5358778c85": { Name:"./log4j-2.0-alpha1/log4j-core-2.0-alpha1.jar", CVE: log4shellCve }, // The following shas for version 2.15 detect a valid but lower level of severity vulnerability, CVE CVE-2021-45046 - "e7048ad52e3b6f1267b7ceb2c07200a5ce61271bcf59f98fd238bf60e4137932": { Name:"apache-log4j-2.15.0-bin/log4j-core.2.15.0.jar", Severity: "3.7"}, + "e7048ad52e3b6f1267b7ceb2c07200a5ce61271bcf59f98fd238bf60e4137932": { Name:"apache-log4j-2.15.0-bin/log4j-core.2.15.0.jar", CVE: apiVersionCve}, } diff --git a/tools/log4shell/scan/scan.go b/tools/log4shell/scan/scan.go index 7772ebf83..f5e14070f 100644 --- a/tools/log4shell/scan/scan.go +++ b/tools/log4shell/scan/scan.go 
@@ -42,7 +42,7 @@ func identifyPotentiallyVulnerableFile(reader io.Reader, path, fileName string, Str("path", path). Str("fileName", fileName). Str("versionInfo", vulnerableHash.Name). - Str("severity", vulnerableHash.Severity). + Str("cve", vulnerableHash.CVE). Msg("identified vulnerable path") finding = &types.Finding{ @@ -50,7 +50,7 @@ func identifyPotentiallyVulnerableFile(reader io.Reader, path, fileName string, FileName: fileName, Hash: fileHash, VersionInfo: vulnerableHash.Name, - Severity: vulnerableHash.Severity, + CVE: vulnerableHash.CVE, } return } diff --git a/tools/log4shell/types/findings.go b/tools/log4shell/types/findings.go index 329b8f1c7..484cae70c 100644 --- a/tools/log4shell/types/findings.go +++ b/tools/log4shell/types/findings.go @@ -19,7 +19,7 @@ type Finding struct { FileName string `json:"file_name"` Hash string `json:"hash"` VersionInfo string `json:"version_info"` - Severity string `json:"severity"` + CVE string `json:"cve"` } type FindingsOutput struct { diff --git a/tools/log4shell/types/vulnerablehashes.go b/tools/log4shell/types/vulnerablehashes.go index f679b388c..21624dea1 100644 --- a/tools/log4shell/types/vulnerablehashes.go +++ b/tools/log4shell/types/vulnerablehashes.go @@ -15,8 +15,8 @@ package types type VulnerableHash struct { - Name string `json:"name"` - Severity string `json:"severity"` + Name string `json:"name"` + CVE string `json:"cve"` } type VulnerableHashLookup map[string]VulnerableHash From 0417e4931d307cdacebc50f71c6dae6f5da0a100 Mon Sep 17 00:00:00 2001 
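Review bot: In types/findings.go the `Severity` field is replaced by `CVE`, not supplemented, so the `severity` key disappears from the JSON findings output and any consumer that triages results by score loses it. The hash table comment in this same commit separates the 2.15.0 entry as a lower-severity finding, and that distinction now has to be re-derived from the CVE id by every reader. Keeping the existing `Severity` line and adding `CVE string` with the tag `json:"cve"` beside it would keep the output backward-compatible. The same replacement is made in `VulnerableHash` and in the two scan.go hunks, and the `Finding` struct starts outside the hunk.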
From: Free Wortley Date: Tue, 14 Dec 2021 18:41:22 -0600 Subject: [PATCH 08/15] Some scaffolding for a JAR patcher Former-commit-id: 02a9e7362346bc9d0084f4360e7e70f0ac59fc36 Former-commit-id: 442a6ff3aa895f02f077a369f167f1abfd3ee32a --- tools/log4shell/main.go | 52 ++++++++++++++++++++++-- tools/log4shell/patch/patch-local-jar.go | 29 +++++++++++++ tools/log4shell/scan/scan.go | 7 ++-- 3 files changed, 81 insertions(+), 7 deletions(-) create mode 100644 tools/log4shell/patch/patch-local-jar.go diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index c4cfcfcb5..cee011db0 100644 --- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go @@ -78,7 +78,7 @@ func scanCommand(c *cli.Context) error { return nil } -func hotpatchCommand(c *cli.Context) error { +func hotPatchCommand(c *cli.Context) error { enableGlobalFlags(c) ip := c.String("ip") @@ -104,6 +104,38 @@ func hotpatchCommand(c *cli.Context) error { return nil } +func jarPatchCommand(c *cli.Context) error { + enableGlobalFlags(c) + + fileName := c.String("file-name") + + if fileName == "" { + log.Info().Msg("Public IP not provided. Binding to the local network interface.") + panic("must specify a valid file name to patch") + } + + file, err := os.Open(path) + if err != nil { + log.Warn(). + Str("path", path). + Err(err). + Msg("unable to open archive") + panic("unable to open specified file") + } + + fileInfo, err := file.Stat() + + if err != nil { + panic("unable to read file info") + } + + findings := scan.SearchArchiveForVulnerableFiles(fileName, file, fileInfo.Size(), false) + + // TODO: Do something with these findings to actually patch them in-place. Either that or add the patching to `SearchArchiveForVulnerableFiles` above. + + return nil +} + func main() { zerolog.TimeFieldFormat = zerolog.TimeFormatUnix 
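Review bot: `jarPatchCommand` calls `os.Open(path)`, but the function never declares `path` (the flag value is in `fileName`), and `findings` is assigned and never used, so this should not compile as written. The empty-flag branch logs the hot-patch command's "Public IP not provided" message and then panics, and the two later failures panic too, although the function returns `error`. The opened file is never closed. The fence returns errors, opens `fileName` and closes the handle; it assumes `fmt` is imported in main.go, which the hunk does not show.

```go
func jarPatchCommand(c *cli.Context) error {
	enableGlobalFlags(c)

	fileName := c.String("file-name")
	if fileName == "" {
		return fmt.Errorf("must specify a valid file name to patch")
	}

	file, err := os.Open(fileName)
	if err != nil {
		return fmt.Errorf("opening archive %q: %w", fileName, err)
	}
	defer file.Close()

	fileInfo, err := file.Stat()
	if err != nil {
		return fmt.Errorf("reading file info for %q: %w", fileName, err)
	}

	findings := scan.SearchArchiveForVulnerableFiles(fileName, file, fileInfo.Size(), false)
	log.Info().
		Str("path", fileName).
		Int("findings", len(findings)).
		Msg("scanned archive for patching")

	// … unchanged: TODO about patching the findings in place …
	return nil
}
```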
@@ -164,16 +196,28 @@ func main() { Action: scanCommand, }, { - Name: "hotpatch", + Name: "in-memory-hot-patch", Aliases: []string{"s"}, - Usage: "Perform a live hotpatch of a system by exploiting the log4shell vulnerability for immediate mitigation. The payload executed patches the running process to prevent further payloads from being able to be executed.", + Usage: "Perform a live hot patch of a system by exploiting the log4shell vulnerability for immediate mitigation. The payload executed patches the running process to prevent further payloads from being able to be executed.", Flags: []cli.Flag{ &cli.StringFlag{ Name: "ip", Usage: "If testing locally, set this to a local network interface (view available interfaces with ifconfig/ipconfig). If using on a remote server, set this value to the publicly accessible IP address of the server.", }, }, - Action: hotpatchCommand, + Action: hotPatchCommand, + }, + { + Name: "patch-local-jar", + Aliases: []string{"s"}, + Usage: "Patches a specified JAR or WAR file against log4shell by injecting a fixed version of the vulnerable code into vulnerable log4j instances found within it.", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "file-name", + Usage: "Patches the specified file (must be a valid JAR or WAR file).", + }, + }, + Action: jarPatchCommand, }, }, } diff --git a/tools/log4shell/patch/patch-local-jar.go b/tools/log4shell/patch/patch-local-jar.go new file mode 100644 index 000000000..3d34a9ff3 --- /dev/null +++ b/tools/log4shell/patch/patch-local-jar.go 
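Review bot: The new `patch-local-jar` entry is registered with `Aliases: []string{"s"}`, the same alias the `in-memory-hot-patch` entry directly above it already carries, so the short form is ambiguous between a command that rewrites a local file and one that acts on a running server. Each command should get a distinct alias or none, for example `Aliases: []string{"j"}` here, or dropping the line from both entries. The `patch` command in the later main.go hunk (PATCH 09) still carries `"s"`. Whether the `scan` entry above the hunk uses it as well is not visible here.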
@@ -0,0 +1,29 @@ +// Copyright 2021 by LunaSec (owned by Refinery Labs, Inc) +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +package patch + +import ( + "fmt" + ldapmsg "github.com/lor00x/goldap/message" + "github.com/lunasec-io/lunasec/tools/log4shell/constants" + "github.com/rs/zerolog/log" + "io/ioutil" + golog "log" +) + +import ( + "github.com/vjeantet/ldapserver" +) + diff --git a/tools/log4shell/scan/scan.go b/tools/log4shell/scan/scan.go index f5e14070f..63ba147c3 100644 --- a/tools/log4shell/scan/scan.go +++ b/tools/log4shell/scan/scan.go @@ -96,7 +96,7 @@ func scanArchive(path string, file *zip.File, onlyScanArchives bool) (findings [ archiveReader := bytes.NewReader(buffer) archiveSize := int64(len(buffer)) - return scanArchiveForVulnerableFiles(newPath, archiveReader, archiveSize, onlyScanArchives) + return SearchArchiveForVulnerableFiles(newPath, archiveReader, archiveSize, onlyScanArchives) } func scanFile(path string, file *zip.File, onlyScanArchives bool) (findings []types.Finding) { 
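Review bot: patch/patch-local-jar.go consists of seven imports and no code, and Go rejects unused imports, so package `patch` will not build once anything imports it. The list also looks copied from the LDAP server code (`goldap/message`, `ldapserver`), which an offline JAR patcher should not need to pull in. Until the patching code exists, the file should be reduced to the license header and `package patch`.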
@@ -125,7 +125,8 @@ func scanFile(path string, file *zip.File, onlyScanArchives bool) (findings []ty return } -func scanArchiveForVulnerableFiles(path string, reader io.ReaderAt, size int64, onlyScanArchives bool) (findings []types.Finding) { +// SearchArchiveForVulnerableFiles Takes in a given JAR or WAR file and searches it for findings. +func SearchArchiveForVulnerableFiles(path string, reader io.ReaderAt, size int64, onlyScanArchives bool) (findings []types.Finding) { zipReader, err := zip.NewReader(reader, size) if err != nil { log.Warn(). @@ -157,7 +158,7 @@ func scanLocatedArchive(path string, info os.FileInfo, onlyScanArchives bool) (f } defer file.Close() - return scanArchiveForVulnerableFiles(path, file, info.Size(), onlyScanArchives) + return SearchArchiveForVulnerableFiles(path, file, info.Size(), onlyScanArchives) } // SearchDirsForVulnerableClassFiles walks each search dir looking for .class files in archives which have a hash From f6ecfd79cd0f592e58191843053aea7bbcc2a1aa Mon Sep 17 00:00:00 2001 From: breadchris Date: Sun, 19 Dec 2021 00:56:38 -0500 Subject: [PATCH 09/15] testing the jar patcher by loading findings file and then looking at discovered files Former-commit-id: 258281ca5f6f931c02e89b432d9033d933854323 Former-commit-id: 622f5a3db5e1eb25455a50f22c0caf1bffd79ebe --- tools/log4shell/commands/patch.go | 113 ++++++++++++++++++++++++++ tools/log4shell/main.go | 44 ++-------- tools/log4shell/patch/archivepatch.go | 15 ++++ tools/log4shell/scan/scanfile.go | 12 ++- 4 files changed, 146 insertions(+), 38 deletions(-) create mode 100644 tools/log4shell/commands/patch.go create mode 100644 tools/log4shell/patch/archivepatch.go diff --git a/tools/log4shell/commands/patch.go b/tools/log4shell/commands/patch.go new file mode 100644 index 000000000..1a3721bc9 --- /dev/null +++ b/tools/log4shell/commands/patch.go 
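Review bot: `SearchArchiveForVulnerableFiles` is now exported but returns only `findings`, so a caller cannot tell a clean archive from one that could not be read; the visible `zip.NewReader` error branch only logs, and the rest of the body is outside the hunk. For a scanner that is a silent false negative, and the new doc comment should at least state it, along the lines of `// SearchArchiveForVulnerableFiles scans the JAR or WAR read from reader and returns its findings; an unreadable archive is logged and yields no findings.` The comment should also say what `onlyScanArchives` changes, and by Go convention the sentence after the name starts in lower case.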
@@ -0,0 +1,113 @@ +// Copyright 2021 by LunaSec (owned by Refinery Labs, Inc) +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +package commands + +import ( + "archive/zip" + "encoding/json" + "github.com/lunasec-io/lunasec/tools/log4shell/types" + "github.com/lunasec-io/lunasec/tools/log4shell/util" + "github.com/rs/zerolog/log" + "github.com/urfave/cli/v2" + "io/fs" + "io/ioutil" + "os" +) + +func JavaArchivePatchCommand(c *cli.Context, globalBoolFlags map[string]bool) error { + enableGlobalFlags(c, globalBoolFlags) + + findingsFile := c.String("findings") + + findingsContent, err := ioutil.ReadFile(findingsFile) + if err != nil { + log.Error(). + Err(err). + Str("findings", findingsFile). + Msg("Unable to open and read findings file") + return err + } + + var findings types.FindingsOutput + err = json.Unmarshal(findingsContent, &findings) + if err != nil { + log.Error(). + Err(err). + Str("findings", findingsFile). + Msg("Unable to unmarshal findings file") + return err + } + + for _, finding := range findings.VulnerableLibraries { + var file *os.File + + file, err = os.Open(finding.Path) + if err != nil { + log.Warn(). + Str("path", finding.Path). + Err(err). + Msg("unable to open findings archive") + return err + } + defer file.Close() + + info, _ := os.Stat(finding.Path) + + var zipReader *zip.Reader + + zipReader, err = zip.NewReader(file, info.Size()) + if err != nil { + log.Warn(). + Str("path", finding.Path). + Err(err). 
+ Msg("unable to open archive for patching") + return err + } + + var zipFile fs.File + + zipFile, err = zipReader.Open(finding.FileName) + if err != nil { + log.Warn(). + Str("path", finding.Path). + Err(err). + Msg("unable to open file from zip") + return err + } + + var zipFileHash string + + zipFileHash, err = util.HexEncodedSha256FromReader(zipFile) + if err != nil { + log.Warn(). + Str("path", finding.Path). + Str("p", finding.Path). + Err(err). + Msg("unable to hash zip file") + return err + } + + if zipFileHash != finding.Hash { + log.Warn(). + Str("path", finding.Path). + Str("p", finding.Path). + Err(err). + Msg("hashes do not match, not deleting") + return nil + } + } + + return nil +} diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index e6d7d100e..c75de92af 100644 --- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go @@ -43,38 +43,6 @@ func enableGlobalFlags(c *cli.Context) { } } -func jarPatchCommand(c *cli.Context) error { - enableGlobalFlags(c) - - fileName := c.String("file-name") - - if fileName == "" { - log.Info().Msg("Public IP not provided. Binding to the local network interface.") - panic("must specify a valid file name to patch") - } - - file, err := os.Open(path) - if err != nil { - log.Warn(). - Str("path", path). - Err(err). - Msg("unable to open archive") - panic("unable to open specified file") - } - - fileInfo, err := file.Stat() - - if err != nil { - panic("unable to read file info") - } - - findings := scan.SearchArchiveForVulnerableFiles(fileName, file, fileInfo.Size(), false) - - // TODO: Do something with these findings to actually patch them in-place. Either that or add the patching to `SearchArchiveForVulnerableFiles` above. - - return nil -} - func main() { zerolog.TimeFieldFormat = zerolog.TimeFormatUnix 
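Review bot: `info, _ := os.Stat(finding.Path)` discards the error, so a failed stat leaves `info` nil and `info.Size()` panics; calling `file.Stat()` on the handle that is already open also avoids resolving a path taken from the findings file a second time. When the hash check fails the code returns `nil`, which stops processing the remaining findings and reports success to the operator, and it logs `Err(err)` while `err` is nil; `continue` with both hashes in the log entry is probably what was intended. `defer file.Close()` inside the loop keeps every archive open until the command returns and `zipFile` is never closed, which moving the per-finding work into a helper would fix. The `return nil` on mismatch is still present in the patch.go hunk of PATCH 10.

```go
		// … unchanged: os.Open(finding.Path), its error branch and defer file.Close() …

		var info os.FileInfo

		info, err = file.Stat()
		if err != nil {
			log.Warn().
				Str("path", finding.Path).
				Err(err).
				Msg("unable to stat findings archive")
			return err
		}

		// … unchanged: zip.NewReader, zipReader.Open and util.HexEncodedSha256FromReader …

		if zipFileHash != finding.Hash {
			log.Warn().
				Str("path", finding.Path).
				Str("expectedHash", finding.Hash).
				Str("actualHash", zipFileHash).
				Msg("hashes do not match, not deleting")
			continue
		}
```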
@@ -213,16 +181,18 @@ func main() { }, }, { - Name: "patch-local-jar", + Name: "patch", Aliases: []string{"s"}, - Usage: "Patches a specified JAR or WAR file against log4shell by injecting a fixed version of the vulnerable code into vulnerable log4j instances found within it.", + Usage: "Patches findings of libraries vulnerable toLog4Shell by removing the JndiLookup.class file from each.", Flags: []cli.Flag{ &cli.StringFlag{ - Name: "file-name", - Usage: "Patches the specified file (must be a valid JAR or WAR file).", + Name: "findings", + Usage: "Patches all vulnerable Java archives which have been identified.", }, }, - Action: jarPatchCommand, + Action: func(c *cli.Context) error { + return commands.JavaArchivePatchCommand(c, globalBoolFlags) + }, }, }, } diff --git a/tools/log4shell/patch/archivepatch.go b/tools/log4shell/patch/archivepatch.go new file mode 100644 index 000000000..3e85df338 --- /dev/null +++ b/tools/log4shell/patch/archivepatch.go @@ -0,0 +1,15 @@ +// Copyright 2021 by LunaSec (owned by Refinery Labs, Inc) +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +package patch diff --git a/tools/log4shell/scan/scanfile.go b/tools/log4shell/scan/scanfile.go index 0843736f9..4fe056db8 100644 --- a/tools/log4shell/scan/scanfile.go +++ b/tools/log4shell/scan/scanfile.go @@ -20,6 +20,7 @@ import ( "github.com/lunasec-io/lunasec/tools/log4shell/util" "github.com/rs/zerolog/log" "io" + "path/filepath" "strings" ) 
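Review bot: The `findings` flag's usage text describes what the command does instead of what the flag takes; going by `JavaArchivePatchCommand` the value is the path of a findings JSON file, so `Usage: "Path to the findings JSON file listing the archives to patch."` would be clearer. Adding `Required: true` to the flag would reject an empty value before `ioutil.ReadFile("")` fails with a less helpful error. The command's own usage string runs `toLog4Shell` together and promises removal of JndiLookup.class, while the command added in this commit only verifies hashes, which is worth saying until the removal lands.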
@@ -66,8 +67,17 @@ func identifyPotentiallyVulnerableFile(reader io.Reader, path, fileName string, Str("cve", vulnerableFile.CVE). Msg("Identified vulnerable path") + absolutePath, err := filepath.Abs(path) + if err != nil { + log.Warn(). + Str("fileName", fileName). + Str("path", path). + Err(err). + Msg("Unable to resolve absolute path to file") + } + finding = &types.Finding{ - Path: path, + Path: absolutePath, FileName: fileName, Hash: fileHash, Version: vulnerableFile.Version, From bb71e7593dbd64004f6ce630ec90c1a1585565c2 Mon Sep 17 00:00:00 2001 From: breadchris Date: Mon, 20 Dec 2021 21:23:16 -0500 Subject: [PATCH 10/15] include jndilookup.class file when analyzing so that it can be removed when patching Former-commit-id: 56c6375a079a165a68069c8091cbf1043c04c16a Former-commit-id: bd8db49439fe960cad0edff3eb83abf63470ceb4 --- tools/log4shell/analyze/analyze.go | 53 ++- tools/log4shell/commands/patch.go | 30 +- tools/log4shell/commands/scan.go | 24 +- tools/log4shell/log4j-library-hashes.json | 435 +++++++++++++++++----- tools/log4shell/patch/patch-local-jar.go | 29 -- tools/log4shell/scan/scan.go | 14 +- tools/log4shell/scan/scanfile.go | 12 +- tools/log4shell/types/findings.go | 9 +- 8 files changed, 457 insertions(+), 149 deletions(-) delete mode 100644 tools/log4shell/patch/patch-local-jar.go diff --git a/tools/log4shell/analyze/analyze.go b/tools/log4shell/analyze/analyze.go index cb88b53ca..4cd075f75 100644 --- a/tools/log4shell/analyze/analyze.go +++ b/tools/log4shell/analyze/analyze.go @@ -15,6 +15,7 @@ package analyze import ( + "archive/zip" "github.com/blang/semver/v4" "github.com/lunasec-io/lunasec/tools/log4shell/constants" "github.com/lunasec-io/lunasec/tools/log4shell/types" 
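Review bot: When `filepath.Abs(path)` fails the error is logged, but `absolutePath` is left as the empty string and is still stored in `Path`, so the finding no longer records where the archive is and the patch command would later try to open an empty path. Falling back to the original value in the error branch, `absolutePath = path` after the log call, keeps the finding usable. The enclosing function starts and ends outside the hunk.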
@@ -96,7 +97,33 @@ func fileNameToSemver(fileNameNoExt string) string { return semverVersion } -func ProcessArchiveFile(reader io.Reader, filePath, fileName string) (finding *types.Finding) { +func getJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHash string, err error) { + fileName = "org/apache/logging/log4j/core/lookup/JndiLookup.class" + + reader, err := zipReader.Open(fileName) + if err != nil { + log.Warn(). + Str("fieName", fileName). + Str("path", filePath). + Err(err). + Msg("cannot find file in zip") + return + } + defer reader.Close() + + fileHash, err = util.HexEncodedSha256FromReader(reader) + if err != nil { + log.Warn(). + Str("fieName", fileName). + Str("path", filePath). + Err(err). + Msg("unable to hash JndiLookup.class file") + return + } + return +} + +func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileName string) (finding *types.Finding) { _, file := path.Split(filePath) fileNameNoExt := strings.TrimSuffix(file, path.Ext(file)) 
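Review bot: Both log calls in `getJndiLookupHash` use the key `"fieName"`, so these events will not match queries on the `fileName` field that the other scanner log lines use; it should be `Str("fileName", fileName)`. A missing JndiLookup.class looks like an expected case for the log4j 1.x archives, whose entries in log4j-library-hashes.json carry an empty `jndi_lookup_file_name`, so `Debug` may fit the "cannot find file in zip" entry better than `Warn`. The helper would also benefit from a doc comment saying that it returns the fixed entry name with its SHA-256 and that the caller treats any error as "no JndiLookup.class".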
@@ -128,24 +155,34 @@ func ProcessArchiveFile(reader io.Reader, filePath, fileName string) (finding *t return } - log.Log(). - Str("path", filePath). - Str("fileName", fileName). - Str("fileHash", fileHash). - Msg("identified library version") - if versionCve == "" { log.Debug(). Str("hash", fileHash). Str("version", semverVersion). Msg("Skipping version as it is not vulnerable to any known CVE") - return nil + return } + jndiLookupFileName, jndiLookupFileHash, err := getJndiLookupHash(zipReader, filePath) + if err != nil { + jndiLookupFileName = "" + jndiLookupFileHash = "" + } + + log.Log(). + Str("path", filePath). + Str("fileName", fileName). + Str("fileHash", fileHash). + Str("jndiLookupFileName", jndiLookupFileName). + Str("jndiLookupFileHash", jndiLookupFileHash). + Msg("identified library version") + finding = &types.Finding{ Path: filePath, FileName: fileName, Hash: fileHash, + JndiLookupFileName: jndiLookupFileName, + JndiLookupHash: jndiLookupFileHash, Version: semverVersion, CVE: versionCve, } diff --git a/tools/log4shell/commands/patch.go b/tools/log4shell/commands/patch.go index 1a3721bc9..f9f8a2133 100644 --- a/tools/log4shell/commands/patch.go +++ b/tools/log4shell/commands/patch.go @@ -58,7 +58,7 @@ func JavaArchivePatchCommand(c *cli.Context, globalBoolFlags map[string]bool) er log.Warn(). Str("path", finding.Path). Err(err). - Msg("unable to open findings archive") + Msg("Unable to open findings archive") return err } defer file.Close() 
@@ -72,18 +72,27 @@ func JavaArchivePatchCommand(c *cli.Context, globalBoolFlags map[string]bool) er log.Warn(). Str("path", finding.Path). Err(err). - Msg("unable to open archive for patching") + Msg("Unable to open archive for patching") return err } var zipFile fs.File - zipFile, err = zipReader.Open(finding.FileName) + if finding.JndiLookupFileName == "" { + log.Warn(). + Str("path", finding.Path). + Err(err). + Msg("Finding does not have JndiLookup.class file to patch") + continue + } + + zipFile, err = zipReader.Open(finding.JndiLookupFileName) if err != nil { log.Warn(). Str("path", finding.Path). + Str("jndiLookupFileName", finding.JndiLookupFileName). Err(err). - Msg("unable to open file from zip") + Msg("Unable to open file from zip") return err } @@ -93,20 +102,23 @@ func JavaArchivePatchCommand(c *cli.Context, globalBoolFlags map[string]bool) er if err != nil { log.Warn(). Str("path", finding.Path). - Str("p", finding.Path). Err(err). - Msg("unable to hash zip file") + Msg("Unable to hash zip file") return err } - if zipFileHash != finding.Hash { + if zipFileHash != finding.JndiLookupHash { log.Warn(). Str("path", finding.Path). - Str("p", finding.Path). + Str("hash", finding.JndiLookupHash). Err(err). - Msg("hashes do not match, not deleting") + Msg("Hashes do not match, not deleting") return nil } + log.Debug(). + Str("path", finding.Path). + Str("path", finding.Path). + Msg("Found file to remove") } return nil diff --git a/tools/log4shell/commands/scan.go b/tools/log4shell/commands/scan.go index 71ea3e881..e1359499e 100644 --- a/tools/log4shell/commands/scan.go +++ b/tools/log4shell/commands/scan.go 
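Review bot: In the `finding.JndiLookupFileName == ""` branch the log call passes `Err(err)`, but `err` is nil there because the preceding `zip.NewReader` check already returned on failure, so the field carries nothing; the hash-mismatch branch has the same problem. The new `Debug` entry sets `Str("path", finding.Path)` twice, and the second was presumably meant to be `Str("jndiLookupFileName", finding.JndiLookupFileName)`. Findings skipped by the `continue` surface only as Warn lines while the command still returns nil, so a count of skipped findings logged at the end would let an operator see what was not remediated.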
@@ -51,10 +51,11 @@ func loadHashLookup( return } -func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHashes []byte) (err error) { - enableGlobalFlags(c, globalBoolFlags) - - searchDirs := c.Args().Slice() +func scanDirectoriesForVulnerableLibraries( + c *cli.Context, + searchDirs []string, + log4jLibraryHashes []byte, +) (scannerFindings []types.Finding, err error) { log.Debug(). Strs("directories", searchDirs). Msg("scanning directories") @@ -67,7 +68,7 @@ func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHa hashLookup, err := loadHashLookup(log4jLibraryHashes, versionHashes, onlyScanArchives) if err != nil { - return err + return } processArchiveFile := scan.IdentifyPotentiallyVulnerableFiles(scanLog4j1, hashLookup) @@ -75,7 +76,18 @@ func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHa scanner := scan.NewLog4jDirectoryScanner( excludeDirs, onlyScanArchives, noFollowSymlinks, processArchiveFile) - scannerFindings := scanner.Scan(searchDirs) + scannerFindings = scanner.Scan(searchDirs) + return +} + +func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHashes []byte) (err error) { + enableGlobalFlags(c, globalBoolFlags) + + searchDirs := c.Args().Slice() + scannerFindings, err := scanDirectoriesForVulnerableLibraries(c, searchDirs, log4jLibraryHashes) + if err != nil { + return + } output := c.String("output") if output != "" { diff --git a/tools/log4shell/log4j-library-hashes.json b/tools/log4shell/log4j-library-hashes.json index bfc6d6ec9..b4aa07123 100644 --- a/tools/log4shell/log4j-library-hashes.json +++ b/tools/log4shell/log4j-library-hashes.json 
@@ -4,610 +4,871 @@ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.15/log4j-1.2.15.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.15", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.16/log4j-1.2.16.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.16", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.17/log4j-1.2.17.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.17", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-beta9", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": 
"org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-beta9", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", "version": "2.0.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-rc1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-rc1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": 
"a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", "version": "2.0.0-rc2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", "version": "2.0.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", "version": "2.0.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.1.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.10.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": 
"test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.2-bin/log4j-core-2.12.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "febbc7867784d0f06934fec59df55ee45f6b24c55b17fff71cc4fca80bf22ebb", "version": "2.12.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.0", - "cve": "CVE-2021-44228" + "cve": 
"CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.3", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": 
"2.14.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.15.0", - "cve": "CVE-2021-45046" + "cve": "CVE-2021-45046", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.2-bin/log4j-core-2.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.2.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.3-bin/log4j-core-2.3.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": 
"a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.3.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4-bin/log4j-core-2.4.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.5-bin/log4j-core-2.5.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.5.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6-bin/log4j-core-2.6.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + 
"jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.7-bin/log4j-core-2.7.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "cee2305065bb61d434cdb45cfdaa46e7da148e5c6a7678d56f3e3dc8d7073eae", "version": "2.7.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8-bin/log4j-core-2.8.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "jndi_lookup_file_name": 
"org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "d4ec57440cd6db6eaf6bcb6b197f1cbaf5a3e26253d59578d51db307357cbf15", "version": "2.8.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": 
"293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.1/dist/lib/log4j-1.2.1.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.1", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.2/dist/lib/log4j-1.2.2.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.2", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.3/dist/lib/log4j-1.2.3.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.3", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.4/dist/lib/log4j-1.2.4.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.4", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.5/dist/lib/log4j-1.2.5.jar", "file_name": "org/apache/log4j/net/SocketNode.class", 
"hash": "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.5", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.6/dist/lib/log4j-1.2.6.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.6", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.7/dist/lib/log4j-1.2.7.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.7", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.8/dist/lib/log4j-1.2.8.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.8", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.11/dist/lib/log4j-1.2.11.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.11", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.12/dist/lib/log4j-1.2.12.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c", + "jndi_lookup_file_name": "", + 
"jndi_lookup_hash": "", "version": "1.2.12", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.13/dist/lib/log4j-1.2.13.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.13", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.14/dist/lib/log4j-1.2.14.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.14", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.9/dist/lib/log4j-1.2.9.jar", "file_name": "org/apache/log4j/net/SocketNode.class", "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "1.2.9", - "cve": "CVE-2019-17571" + "cve": "CVE-2019-17571", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-rc1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + 
"jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", "version": "2.0.0-rc2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", "version": "2.0.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", "version": "2.0.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", "version": "2.0.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + 
"jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.1.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.10.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.10.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + 
"jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "febbc7867784d0f06934fec59df55ee45f6b24c55b17fff71cc4fca80bf22ebb", "version": "2.12.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + 
"jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.3.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.3", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + 
"jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.15.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.15.0", - "cve": "CVE-2021-45046" + "cve": "CVE-2021-45046", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.2.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.3.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + 
"jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.3.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.5.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.5.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + 
"jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.7.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "cee2305065bb61d434cdb45cfdaa46e7da148e5c6a7678d56f3e3dc8d7073eae", "version": "2.7.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + 
"jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "d4ec57440cd6db6eaf6bcb6b197f1cbaf5a3e26253d59578d51db307357cbf15", "version": "2.8.2", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.0.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.0", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.1.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + 
"jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.1", - "cve": "CVE-2021-44228" + "cve": "CVE-2021-44228", + "severity": "" } ] } \ No newline at end of file diff --git a/tools/log4shell/patch/patch-local-jar.go b/tools/log4shell/patch/patch-local-jar.go deleted file mode 100644 index 3d34a9ff3..000000000 --- a/tools/log4shell/patch/patch-local-jar.go +++ /dev/null @@ -1,29 +0,0 @@ -// Copyright 2021 by LunaSec (owned by Refinery Labs, Inc) -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -package patch - -import ( - "fmt" - ldapmsg "github.com/lor00x/goldap/message" - "github.com/lunasec-io/lunasec/tools/log4shell/constants" - "github.com/rs/zerolog/log" - "io/ioutil" - golog "log" -) - -import ( - "github.com/vjeantet/ldapserver" -) - diff --git a/tools/log4shell/scan/scan.go b/tools/log4shell/scan/scan.go index 1c7c149a0..4d3373597 100644 --- a/tools/log4shell/scan/scan.go +++ b/tools/log4shell/scan/scan.go @@ -126,7 +126,7 @@ func (s *Log4jDirectoryScanner) scanLocatedArchive( defer file.Close() if s.onlyScanArchives { - finding := identifyPotentiallyVulnerableFile(file, path, file.Name(), constants.KnownVulnerableArchiveFileHashes) + finding := identifyPotentiallyVulnerableFile(nil, file, path, file.Name(), constants.KnownVulnerableArchiveFileHashes) if finding != nil { return []types.Finding{*finding} } 
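Review bot: A nil `*zip.Reader` reaches `identifyPotentiallyVulnerableFile` from the `onlyScanArchives` branch of scanLocatedArchive (`identifyPotentiallyVulnerableFile(nil, file, path, ...)`), and nothing visible here documents or checks that nil is allowed. Calling a method on a nil reader panics, and `GetJndiLookupHash`, added later in this series, does call `zipReader.Open`, so a single top-level archive could crash the scan if the two paths ever meet. I would state the contract on the parameter, e.g. `// zipReader is the archive that contains the entry; nil when a file on disk is hashed directly`, and guard each use with `if zipReader != nil`. scanLocatedArchive starts and ends outside the hunk.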
@@ -154,13 +154,14 @@ func (s *Log4jDirectoryScanner) scanArchiveForVulnerableFiles( // Str("path", path). // Str("file", zipFile.Name). // Msg("scanning nested archive") - locatedFindings := s.scanFile(path, zipFile) + locatedFindings := s.scanFile(zipReader, path, zipFile) findings = append(findings, locatedFindings...) } return } func (s *Log4jDirectoryScanner) scanFile( + zipReader *zip.Reader, path string, file *zip.File, ) (findings []types.Finding) { @@ -171,14 +172,14 @@ func (s *Log4jDirectoryScanner) scanFile( return } - finding := s.scanArchiveFile(path, file) + finding := s.scanArchiveFile(zipReader, path, file) if finding != nil { findings = []types.Finding{*finding} } return case constants.JarFileExt, constants.WarFileExt, constants.ZipFileExt, constants.EarFileExt: if s.onlyScanArchives { - finding := s.scanArchiveFile(path, file) + finding := s.scanArchiveFile(zipReader, path, file) if finding != nil { findings = []types.Finding{*finding} } @@ -191,6 +192,7 @@ func (s *Log4jDirectoryScanner) scanFile( func (s *Log4jDirectoryScanner) scanArchiveFile( + zipReader *zip.Reader, path string, file *zip.File, ) (finding *types.Finding) { @@ -203,7 +205,9 @@ func (s *Log4jDirectoryScanner) scanArchiveFile( Msg("unable to open class file") return } - return s.processArchiveFile(reader, path, file.Name) + defer reader.Close() + + return s.processArchiveFile(zipReader, reader, path, file.Name) } func (s *Log4jDirectoryScanner) scanEmbeddedArchive( diff --git a/tools/log4shell/scan/scanfile.go b/tools/log4shell/scan/scanfile.go index 4fe056db8..dc0291d81 100644 --- a/tools/log4shell/scan/scanfile.go +++ b/tools/log4shell/scan/scanfile.go @@ -15,6 +15,7 @@ package scan import ( + "archive/zip" "github.com/lunasec-io/lunasec/tools/log4shell/constants" "github.com/lunasec-io/lunasec/tools/log4shell/types" "github.com/lunasec-io/lunasec/tools/log4shell/util" 
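Review bot: In the `JarFileExt`/`WarFileExt`/`ZipFileExt`/`EarFileExt` case of scanFile (hunk at -171), the `zipReader` passed to `scanArchiveFile` is the enclosing archive, while `file` is the nested archive whose hash is being matched. If the callee looks up `JndiLookup.class` through that reader, as `GetJndiLookupHash` does later in the series, the finding for the nested jar would carry the parent archive's class or nothing at all, and a patch step driven by it could point at the wrong entry. Either skip the lookup for this branch, `finding := s.scanArchiveFile(nil, path, file)` with the callee treating nil as "no lookup", or open the nested archive and pass its own reader. The class-file case just above passes the correct reader; scanFile's body continues outside this hunk.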
@@ -27,12 +28,17 @@ import ( func IdentifyPotentiallyVulnerableFiles(scanLog4j1 bool, archiveHashLookup types.VulnerableHashLookup) types.ProcessArchiveFile { hashLookup := FilterVulnerableHashLookup(archiveHashLookup, scanLog4j1) - return func(reader io.Reader, path, fileName string) (finding *types.Finding) { - return identifyPotentiallyVulnerableFile(reader, path, fileName, hashLookup) + return func(zipReader *zip.Reader, reader io.Reader, path, fileName string) (finding *types.Finding) { + return identifyPotentiallyVulnerableFile(zipReader, reader, path, fileName, hashLookup) } } -func identifyPotentiallyVulnerableFile(reader io.Reader, path, fileName string, hashLookup types.VulnerableHashLookup) (finding *types.Finding) { +func identifyPotentiallyVulnerableFile( + zipReader *zip.Reader, + reader io.Reader, + path, fileName string, + hashLookup types.VulnerableHashLookup, +) (finding *types.Finding) { fileHash, err := util.HexEncodedSha256FromReader(reader) if err != nil { log.Warn(). diff --git a/tools/log4shell/types/findings.go b/tools/log4shell/types/findings.go index 82e9ccbe3..1df78a321 100644 --- a/tools/log4shell/types/findings.go +++ b/tools/log4shell/types/findings.go @@ -14,14 +14,19 @@ // package types -import "io" +import ( + "archive/zip" + "io" +) -type ProcessArchiveFile func(reader io.Reader, path, fileName string) (finding *Finding) +type ProcessArchiveFile func(zipReader *zip.Reader, reader io.Reader, path, fileName string) (finding *Finding) type Finding struct { Path string `json:"path"` FileName string `json:"file_name"` Hash string `json:"hash"` + JndiLookupFileName string `json:"jndi_lookup_file_name"` + JndiLookupHash string `json:"jndi_lookup_hash"` Version string `json:"version"` CVE string `json:"cve"` Severity string `json:"severity"` From 72ee8878eea7a1eed2ab3a2a337669d7d4491f64 Mon Sep 17 00:00:00 2001 
From: breadchris Date: Thu, 23 Dec 2021 13:50:11 -0500 Subject: [PATCH 11/15] generating hashes for the JndiLookup.class file to patch out Former-commit-id: 7d30321b222ecfa88b45e27808570491a2ded61a Former-commit-id: 76049c281d80719c2c9b8e14f93a9848d4f40857 --- tools/log4shell/analyze/analyze.go | 16 +- tools/log4shell/commands/patch.go | 2 +- tools/log4shell/constants/vulnerablehashes.go | 13 +- tools/log4shell/findings.json | 700 +----------------- tools/log4shell/log4j-library-hashes.json | 174 ++--- tools/log4shell/main.go | 2 +- tools/log4shell/scan/loadversions.go | 10 + tools/log4shell/scan/scanfile.go | 23 +- .../test/vulnerable-log4j2-versions/main.go | 2 +- tools/log4shell/types/vulnerablehashes.go | 5 + 10 files changed, 151 insertions(+), 796 deletions(-) diff --git a/tools/log4shell/analyze/analyze.go b/tools/log4shell/analyze/analyze.go index 4cd075f75..b3cdaaa2b 100644 --- a/tools/log4shell/analyze/analyze.go +++ b/tools/log4shell/analyze/analyze.go @@ -97,7 +97,7 @@ func fileNameToSemver(fileNameNoExt string) string { return semverVersion } -func getJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHash string, err error) { +func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHash string, err error) { fileName = "org/apache/logging/log4j/core/lookup/JndiLookup.class" reader, err := zipReader.Open(fileName) @@ -163,10 +163,15 @@ func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileN return } - jndiLookupFileName, jndiLookupFileHash, err := getJndiLookupHash(zipReader, filePath) - if err != nil { - jndiLookupFileName = "" - jndiLookupFileHash = "" + jndiLookupFileName := "" + jndiLookupFileHash := "" + + if versionIsInRange(fileNameNoExt, semverVersion, constants.JndiLookupPatchFileVersions) { + jndiLookupFileName, jndiLookupFileHash, err = GetJndiLookupHash(zipReader, filePath) + if err != nil { + jndiLookupFileName = "" + jndiLookupFileHash = "" + } } log.Log(). 
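Review bot: The error from `GetJndiLookupHash` in ProcessArchiveFile (hunk at -163) is dropped and both values are reset to empty strings, so a jar that no longer contains JndiLookup.class is indistinguishable in the output from one that could not be read. Because `jndi_lookup_file_name` is what the patch command later reports as the file to remove, I would record the cause, `log.Debug().Err(err).Str("path", filePath).Msg("unable to hash JndiLookup.class")`, before resetting. `GetJndiLookupHash` assigns `fileName` before it opens the entry, so the reset does look necessary; a one-line comment saying so would stop it being removed as dead code. ProcessArchiveFile starts and ends outside the hunk.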
@@ -185,6 +190,7 @@ func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileN JndiLookupHash: jndiLookupFileHash, Version: semverVersion, CVE: versionCve, + Severity: constants.CveSeverityLookup[versionCve], } return } diff --git a/tools/log4shell/commands/patch.go b/tools/log4shell/commands/patch.go index f9f8a2133..4c31b4bd5 100644 --- a/tools/log4shell/commands/patch.go +++ b/tools/log4shell/commands/patch.go @@ -117,7 +117,7 @@ func JavaArchivePatchCommand(c *cli.Context, globalBoolFlags map[string]bool) er } log.Debug(). Str("path", finding.Path). - Str("path", finding.Path). + Str("zipFilePath", finding.JndiLookupFileName). Msg("Found file to remove") } diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index 80aff5891..6092c83fc 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go @@ -23,6 +23,7 @@ import ( const ( Log4ShellCve = "CVE-2021-44228" CtxCve = "CVE-2021-45046" + RecursiveDosCve = "CVE-2021-45105" Log4j1RceCve = "CVE-2019-17571" ) @@ -30,9 +31,12 @@ var ( CveSeverityLookup = map[string]string { Log4ShellCve: "10.0", CtxCve: "9.0", + RecursiveDosCve: "7.5", Log4j1RceCve: "9.8", } + JndiLookupPatchFileVersions = semver.MustParseRange(">=2.0.0") + FileVersionChecks = []types.LibraryFileVersionCheck{ { Cve: Log4ShellCve, @@ -41,12 +45,17 @@ var ( }, { Cve: Log4ShellCve, - SemverRange: semver.MustParseRange(">=2.1.0 <=2.14.1"), + SemverRange: semver.MustParseRange(">=2.1.0 <2.15.0"), LibraryFile: "JndiManager.class", }, { Cve: CtxCve, - SemverRange: semver.MustParseRange("=2.15.0"), + SemverRange: semver.MustParseRange(">=2.15.0 <2.16.0"), + LibraryFile: "JndiManager.class", + }, + { + Cve: RecursiveDosCve, + SemverRange: semver.MustParseRange(">=2.16.0 <2.17.0"), LibraryFile: "JndiManager.class", }, { diff --git a/tools/log4shell/findings.json b/tools/log4shell/findings.json index 346b5875b..0f4df5fc1 100644 
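Review bot: `JndiLookupPatchFileVersions` (hunk at -30) is declared as `>=2.0.0`, which under semver precedence excludes pre-releases such as `2.0.0-beta9`, `2.0.0-rc1` and `2.0.0-rc2`, although the findings data in this repository lists those builds with `JndiLookup.class` as the matched file. If the range library follows standard ordering, those jars would come out with an empty `jndi_lookup_file_name` and presumably be skipped by the patch step. Consider something like `semver.MustParseRange(">=2.0.0-beta9")`, with a comment naming the first release that ships the class. The `var (` block starts and ends outside the hunk.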
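Review bot: The contiguous ranges in `FileVersionChecks` (hunk at -41) assign a CVE purely by version order, so `>=2.1.0 <2.15.0` labels the Java 6 and Java 7 maintenance releases (2.3.1 and 2.12.2 onward) as CVE-2021-44228 with severity 10.0. As far as I know those backport lines carry the fixes from 2.15.0 and later, so the scanner would over-report them, while 2.12.2 is still affected by CVE-2021-45105, which the new `>=2.16.0 <2.17.0` entry does not reach. I would add explicit entries or exclusions for the 2.3.x and 2.12.x lines and a comment citing the advisory each range is taken from. The slice literal starts and ends outside the hunk.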
--- a/tools/log4shell/findings.json +++ b/tools/log4shell/findings.json 
@@ -1,708 +1,14 @@ { "vulnerable_libraries": [ { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.15/log4j-1.2.15.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4", - "version": "1.2.15", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.16/log4j-1.2.16.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46", - "version": "1.2.16", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.17/log4j-1.2.17.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74", - "version": "1.2.17", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", - "version": "2.0.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - 
"path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", - "version": "2.0.0-rc2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", - "version": "2.0.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", - "version": "2.0.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - 
"severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", - "version": "2.12.0, 2.12.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": 
"1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", - "version": "2.12.0, 2.12.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.2-bin/log4j-core-2.12.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", - "version": "2.12.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", - "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", - "version": "2.14.0, 2.14.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", - "version": "2.14.0, 2.14.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", - "version": "2.15.0", - "cve": "CVE-2021-45046", - "severity": "3.7" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.2-bin/log4j-core-2.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.3-bin/log4j-core-2.3.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4-bin/log4j-core-2.4.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", - "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.5-bin/log4j-core-2.5.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6-bin/log4j-core-2.6.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.7-bin/log4j-core-2.7.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8-bin/log4j-core-2.8.jar", - 
"file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", - "version": "2.8.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.1/dist/lib/log4j-1.2.1.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", - "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": 
"test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.2/dist/lib/log4j-1.2.2.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", - "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.3/dist/lib/log4j-1.2.3.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", - "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.4/dist/lib/log4j-1.2.4.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", - "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.5/dist/lib/log4j-1.2.5.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a", - "version": "1.2.5", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.6/dist/lib/log4j-1.2.6.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", - "version": "1.2.6, 1.2.7, 1.2.9", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.7/dist/lib/log4j-1.2.7.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", - "version": "1.2.6, 1.2.7, 1.2.9", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": 
"test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.8/dist/lib/log4j-1.2.8.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9", - "version": "1.2.8", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.11/dist/lib/log4j-1.2.11.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6", - "version": "1.2.11", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.12/dist/lib/log4j-1.2.12.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c", - "version": "1.2.12", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.13/dist/lib/log4j-1.2.13.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", - "version": "1.2.13, 1.2.14", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.14/dist/lib/log4j-1.2.14.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", - "version": "1.2.13, 1.2.14", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.9/dist/lib/log4j-1.2.9.jar", - "file_name": "org/apache/log4j/net/SocketNode.class", - "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", - "version": "1.2.6, 1.2.7, 1.2.9", - "cve": "CVE-2019-17571", - "severity": "9.8" - }, - { - "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", + "path": 
"/home/breadchris/projects/lunasec-monorepo/tools/log4shell/test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", "version": "2.0.1", "cve": "CVE-2021-44228", "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "version": "2.0.0-beta9, 2.0.0-rc1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", - "version": "2.0.0-rc2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", - "version": "2.0.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", - "version": "2.0.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar", - "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "hash": 
"fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", - "version": "2.0.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.10.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.0.jar", - "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", - "version": "2.12.0, 2.12.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", - "version": "2.12.0, 2.12.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", - "version": "2.12.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.3.jar", - "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", - "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", - "version": "2.14.0, 2.14.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", - "version": "2.14.0, 2.14.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.15.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", - "version": "2.15.0", - "cve": "CVE-2021-45046", - "severity": "3.7" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.3.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", - "version": "2.1.0, 2.2.0, 2.3.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - 
"hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.5.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", - "version": "2.4.0, 2.4.1, 2.5.0", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", - "version": "2.6.0, 2.6.1, 2.6.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.7.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": 
"1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.2.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", - "version": "2.8.2", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", - "version": "2.7.0, 2.8.0, 2.8.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.0.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" - }, - { - "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.1.jar", - "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", - "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", - "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", - "cve": "CVE-2021-44228", - "severity": "10.0" } ] } \ No newline at end of file diff --git a/tools/log4shell/log4j-library-hashes.json b/tools/log4shell/log4j-library-hashes.json index b4aa07123..9aeb4ef6d 100644 
--- a/tools/log4shell/log4j-library-hashes.json +++ b/tools/log4shell/log4j-library-hashes.json @@ -8,7 +8,7 @@ "jndi_lookup_hash": "", "version": "1.2.15", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.16/log4j-1.2.16.jar", @@ -18,7 +18,7 @@ "jndi_lookup_hash": "", "version": "1.2.16", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.17/log4j-1.2.17.jar", @@ -28,7 +28,7 @@ "jndi_lookup_hash": "", "version": "1.2.17", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", @@ -38,7 +38,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-beta9", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar", @@ -48,7 +48,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-beta9", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar", @@ -58,7 +58,7 @@ "jndi_lookup_hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", "version": "2.0.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", @@ -68,7 +68,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-rc1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar", 
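Review bot: The new `"severity"` values are written as JSON strings (`"severity": "9.8"`, `"severity": "10.0"`), so any consumer that sorts or thresholds on them without parsing compares text, where `"10.0"` orders before `"9.8"`. Unless something outside this patch relies on the string form, emit a number (`"severity": 9.8`) or state on the field that it must be parsed as a float before comparison; this applies to every hunk of this file. The score is also repeated on each entry, and the entries removed from the preceding file in this patch carried `"3.7"` for CVE-2021-45046 where this file now has `"9.0"`. Deriving the score from one CVE-to-score table would keep the copies from drifting apart.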
@@ -78,7 +78,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-rc1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", @@ -88,7 +88,7 @@ "jndi_lookup_hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", "version": "2.0.0-rc2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", @@ -98,7 +98,7 @@ "jndi_lookup_hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", "version": "2.0.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", @@ -108,7 +108,7 @@ "jndi_lookup_hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", "version": "2.0.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar", @@ -118,7 +118,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.1.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", @@ -128,7 +128,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.10.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", 
@@ -138,7 +138,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", @@ -148,7 +148,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", @@ -158,7 +158,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", @@ -168,7 +168,7 @@ "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", @@ -178,7 +178,7 @@ "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.2-bin/log4j-core-2.12.2.jar", @@ -188,7 +188,7 @@ "jndi_lookup_hash": "febbc7867784d0f06934fec59df55ee45f6b24c55b17fff71cc4fca80bf22ebb", "version": "2.12.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", 
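Review bot: The hunk at `-188,7` assigns `"severity": "10.0"` to the 2.12.2 entry under CVE-2021-44228, but as far as I know 2.12.2 is the Java 7 release in which upstream fixed that CVE. If so, the scanner would report a patched jar as critical, and false positives at the top score dilute triage. Please confirm against the Apache Log4j security page, then either drop the entry or re-label it with the CVE and score that actually apply to 2.12.2. The `target/dependency/log4j-core-2.12.2.jar` hunk at `-658,7` carries the same value.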
@@ -198,7 +198,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", @@ -208,7 +208,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", @@ -218,7 +218,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", @@ -228,7 +228,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.3", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", @@ -238,7 +238,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", @@ -248,7 +248,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar", 
@@ -258,7 +258,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.15.0", "cve": "CVE-2021-45046", - "severity": "" + "severity": "9.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.2-bin/log4j-core-2.2.jar", @@ -268,7 +268,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.2.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.3-bin/log4j-core-2.3.jar", @@ -278,7 +278,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.3.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4-bin/log4j-core-2.4.jar", @@ -288,7 +288,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", @@ -298,7 +298,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.5-bin/log4j-core-2.5.jar", @@ -308,7 +308,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.5.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6-bin/log4j-core-2.6.jar", 
@@ -318,7 +318,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", @@ -328,7 +328,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", @@ -338,7 +338,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.7-bin/log4j-core-2.7.jar", @@ -348,7 +348,7 @@ "jndi_lookup_hash": "cee2305065bb61d434cdb45cfdaa46e7da148e5c6a7678d56f3e3dc8d7073eae", "version": "2.7.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8-bin/log4j-core-2.8.jar", @@ -358,7 +358,7 @@ "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", @@ -368,7 +368,7 @@ "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", 
@@ -378,7 +378,7 @@ "jndi_lookup_hash": "d4ec57440cd6db6eaf6bcb6b197f1cbaf5a3e26253d59578d51db307357cbf15", "version": "2.8.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", @@ -388,7 +388,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", @@ -398,7 +398,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.1/dist/lib/log4j-1.2.1.jar", @@ -408,7 +408,7 @@ "jndi_lookup_hash": "", "version": "1.2.1", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.2/dist/lib/log4j-1.2.2.jar", @@ -418,7 +418,7 @@ "jndi_lookup_hash": "", "version": "1.2.2", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.3/dist/lib/log4j-1.2.3.jar", @@ -428,7 +428,7 @@ "jndi_lookup_hash": "", "version": "1.2.3", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.4/dist/lib/log4j-1.2.4.jar", @@ -438,7 +438,7 @@ "jndi_lookup_hash": "", "version": "1.2.4", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.5/dist/lib/log4j-1.2.5.jar", 
@@ -448,7 +448,7 @@ "jndi_lookup_hash": "", "version": "1.2.5", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.6/dist/lib/log4j-1.2.6.jar", @@ -458,7 +458,7 @@ "jndi_lookup_hash": "", "version": "1.2.6", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.7/dist/lib/log4j-1.2.7.jar", @@ -468,7 +468,7 @@ "jndi_lookup_hash": "", "version": "1.2.7", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.8/dist/lib/log4j-1.2.8.jar", @@ -478,7 +478,7 @@ "jndi_lookup_hash": "", "version": "1.2.8", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.11/dist/lib/log4j-1.2.11.jar", @@ -488,7 +488,7 @@ "jndi_lookup_hash": "", "version": "1.2.11", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.12/dist/lib/log4j-1.2.12.jar", @@ -498,7 +498,7 @@ "jndi_lookup_hash": "", "version": "1.2.12", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.13/dist/lib/log4j-1.2.13.jar", @@ -508,7 +508,7 @@ "jndi_lookup_hash": "", "version": "1.2.13", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.14/dist/lib/log4j-1.2.14.jar", @@ -518,7 +518,7 @@ "jndi_lookup_hash": "", "version": "1.2.14", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.9/dist/lib/log4j-1.2.9.jar", 
@@ -528,7 +528,7 @@ "jndi_lookup_hash": "", "version": "1.2.9", "cve": "CVE-2019-17571", - "severity": "" + "severity": "9.8" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", @@ -538,7 +538,7 @@ "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", "version": "2.0.0-rc1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", @@ -548,7 +548,7 @@ "jndi_lookup_hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", "version": "2.0.0-rc2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar", @@ -558,7 +558,7 @@ "jndi_lookup_hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", "version": "2.0.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar", @@ -568,7 +568,7 @@ "jndi_lookup_hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", "version": "2.0.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar", @@ -578,7 +578,7 @@ "jndi_lookup_hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", "version": "2.0.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar", @@ -588,7 +588,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.1.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.10.0.jar", 
@@ -598,7 +598,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.10.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.0.jar", @@ -608,7 +608,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.1.jar", @@ -618,7 +618,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.2.jar", @@ -628,7 +628,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.11.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.0.jar", @@ -638,7 +638,7 @@ "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.1.jar", @@ -648,7 +648,7 @@ "jndi_lookup_hash": "5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279", "version": "2.12.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.2.jar", @@ -658,7 +658,7 @@ "jndi_lookup_hash": "febbc7867784d0f06934fec59df55ee45f6b24c55b17fff71cc4fca80bf22ebb", "version": "2.12.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.0.jar", 
@@ -668,7 +668,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.1.jar", @@ -678,7 +678,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.2.jar", @@ -688,7 +688,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.3.jar", @@ -698,7 +698,7 @@ "jndi_lookup_hash": "2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f", "version": "2.13.3", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.0.jar", @@ -708,7 +708,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.1.jar", @@ -718,7 +718,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.14.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.15.0.jar", @@ -728,7 +728,7 @@ "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", "version": "2.15.0", "cve": "CVE-2021-45046", - "severity": "" + "severity": "9.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.2.jar", 
@@ -738,7 +738,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.2.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.3.jar", @@ -748,7 +748,7 @@ "jndi_lookup_hash": "a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307", "version": "2.3.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.1.jar", @@ -758,7 +758,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.jar", @@ -768,7 +768,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.4.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.5.jar", @@ -778,7 +778,7 @@ "jndi_lookup_hash": "a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7", "version": "2.5.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.1.jar", @@ -788,7 +788,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.2.jar", @@ -798,7 +798,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.jar", 
@@ -808,7 +808,7 @@ "jndi_lookup_hash": "e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45", "version": "2.6.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.7.jar", @@ -818,7 +818,7 @@ "jndi_lookup_hash": "cee2305065bb61d434cdb45cfdaa46e7da148e5c6a7678d56f3e3dc8d7073eae", "version": "2.7.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.1.jar", @@ -828,7 +828,7 @@ "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.2.jar", @@ -838,7 +838,7 @@ "jndi_lookup_hash": "d4ec57440cd6db6eaf6bcb6b197f1cbaf5a3e26253d59578d51db307357cbf15", "version": "2.8.2", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.jar", @@ -848,7 +848,7 @@ "jndi_lookup_hash": "66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442", "version": "2.8.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.0.jar", @@ -858,7 +858,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.0", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.1.jar", @@ -868,7 +868,7 @@ "jndi_lookup_hash": "0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e", "version": "2.9.1", "cve": "CVE-2021-44228", - "severity": "" + "severity": "10.0" } ] } \ No newline at end of file diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index c75de92af..de269f903 100644 
--- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go @@ -93,7 +93,7 @@ func main() { Commands: []*cli.Command{ { Name: "analyze", - Usage: "Scan known vulnerable Log4j dependencies and create a mapping of JndiLookup.class hash to version.", + Usage: "Note: This command is not used for scanning for vulnerable libraries, use the `scan` command. Analyze known vulnerable Log4j dependencies and create a mapping of JndiLookup.class hash to version.", Before: setGlobalBoolFlags, Flags: []cli.Flag{ &cli.StringFlag{ diff --git a/tools/log4shell/scan/loadversions.go b/tools/log4shell/scan/loadversions.go index 296c5be47..67f16bc35 100644 --- a/tools/log4shell/scan/loadversions.go +++ b/tools/log4shell/scan/loadversions.go @@ -80,16 +80,26 @@ func LoadVersionHashesFromBytes(versionHashesContent []byte) (hashLookup types.V newVersion += ", " + vulnerableLibrary.Version } + existingLookup.VulnerableFileHashLookup[vulnerableLibrary.JndiLookupHash] = types.VulnerableFile{ + FileName: vulnerableLibrary.JndiLookupFileName, + } + hashLookup[vulnerableLibrary.Hash] = types.VulnerableHash{ Name: vulnerableLibrary.Path + "::" + vulnerableLibrary.FileName, Version: newVersion, CVE: vulnerableLibrary.CVE, + VulnerableFileHashLookup: existingLookup.VulnerableFileHashLookup, } } else { hashLookup[vulnerableLibrary.Hash] = types.VulnerableHash{ Name: vulnerableLibrary.Path + "::" + vulnerableLibrary.FileName, Version: vulnerableLibrary.Version, CVE: vulnerableLibrary.CVE, + VulnerableFileHashLookup: map[string]types.VulnerableFile{ + vulnerableLibrary.Hash: { + vulnerableLibrary.JndiLookupFileName, + }, + }, } } } diff --git a/tools/log4shell/scan/scanfile.go b/tools/log4shell/scan/scanfile.go index dc0291d81..892abeabe 100644 --- a/tools/log4shell/scan/scanfile.go +++ b/tools/log4shell/scan/scanfile.go 
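Review bot: The two branches of the loadversions.go hunk key `VulnerableFileHashLookup` differently: the existing-entry branch stores under `vulnerableLibrary.JndiLookupHash`, while the new-entry branch stores under `vulnerableLibrary.Hash`. The scanfile.go change in this commit looks the map up by the JndiLookup.class hash, so the first library registered for a given version-indicator hash is never found whenever the two hashes differ. The scanner then warns that a known file "is not a known vulnerable file". The new-entry literal should read `vulnerableLibrary.JndiLookupHash: {FileName: vulnerableLibrary.JndiLookupFileName},`, which also replaces the unkeyed struct literal. The body of `LoadVersionHashesFromBytes` starts and ends outside this hunk, so how `existingLookup` is obtained is not visible here.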
@@ -16,6 +16,7 @@ package scan import ( "archive/zip" + "github.com/lunasec-io/lunasec/tools/log4shell/analyze" "github.com/lunasec-io/lunasec/tools/log4shell/constants" "github.com/lunasec-io/lunasec/tools/log4shell/types" "github.com/lunasec-io/lunasec/tools/log4shell/util" @@ -64,11 +65,27 @@ func identifyPotentiallyVulnerableFile( Msg("No severity provided for CVE") } + jndiLookupFileName, jndiLookupFileHash, err := analyze.GetJndiLookupHash(zipReader, path) + if err == nil { + if _, ok := vulnerableFile.VulnerableFileHashLookup[jndiLookupFileHash]; !ok { + log.Warn(). + Str("path", path). + Str("jndiLookupFileName", jndiLookupFileName). + Str("jndiLookupHash", jndiLookupFileHash). + Msg("Discovered JndiLookup.class file is not a known vulnerable file. Patching this file out might have some unintended side effects.") + } + } else { + jndiLookupFileName = "" + jndiLookupFileHash = "" + } + log.Log(). Str("severity", severity). Str("path", path). - Str("fileName", fileName). - Str("hash", fileHash). + Str("versionIndicatorFileName", fileName). + Str("versionIndicatorHash", fileHash). + Str("jndiLookupFileName", jndiLookupFileName). + Str("jndiLookupHash", jndiLookupFileHash). Str("versionInfo", vulnerableFile.Version). Str("cve", vulnerableFile.CVE). Msg("Identified vulnerable path") @@ -86,6 +103,8 @@ func identifyPotentiallyVulnerableFile( Path: absolutePath, FileName: fileName, Hash: fileHash, + JndiLookupFileName: jndiLookupFileName, + JndiLookupHash: jndiLookupFileHash, Version: vulnerableFile.Version, CVE: vulnerableFile.CVE, Severity: severity, diff --git a/tools/log4shell/test/vulnerable-log4j2-versions/main.go b/tools/log4shell/test/vulnerable-log4j2-versions/main.go index 895b83fa6..e42bac9f9 100644 --- a/tools/log4shell/test/vulnerable-log4j2-versions/main.go +++ b/tools/log4shell/test/vulnerable-log4j2-versions/main.go 
@@ -30,7 +30,7 @@ import ( ) var ( - versions = []string{"2.16.0","2.15.0","2.14.1","2.14.0","2.13.3","2.13.2","2.13.1","2.13.0","2.12.2","2.12.1","2.12.0","2.11.2","2.11.1","2.11.0","2.10.0","2.9.1","2.9.0","2.8.2","2.8.1","2.8","2.7","2.6.2","2.6.1","2.6","2.5","2.4.1","2.4","2.3","2.2","2.1","2.0.2","2.0.1","2.0","2.0-rc2","2.0-rc1"} + versions = []string{"2.17.0","2.16.0","2.15.0","2.14.1","2.14.0","2.13.3","2.13.2","2.13.1","2.13.0","2.12.2", "2.12.1","2.12.0","2.11.2","2.11.1","2.11.0","2.10.0","2.9.1","2.9.0","2.8.2","2.8.1","2.8","2.7","2.6.2","2.6.1","2.6","2.5","2.4.1","2.4","2.3","2.2","2.1","2.0.2","2.0.1","2.0","2.0-rc2","2.0-rc1"} ) type ArtifactId struct { diff --git a/tools/log4shell/types/vulnerablehashes.go b/tools/log4shell/types/vulnerablehashes.go index 3f17d9a64..e4f00b3b6 100644 --- a/tools/log4shell/types/vulnerablehashes.go +++ b/tools/log4shell/types/vulnerablehashes.go @@ -16,10 +16,15 @@ package types import "github.com/blang/semver/v4" +type VulnerableFile struct { + FileName string `json:"file_name"` +} + type VulnerableHash struct { Name string `json:"name"` Version string `json:"version"` CVE string `json:"cve"` + VulnerableFileHashLookup map[string]VulnerableFile } type VulnerableHashLookup map[string]VulnerableHash From c2442bed9a749f9ffa992657503279363e66a7d6 Mon Sep 17 00:00:00 2001 
From: breadchris Date: Fri, 24 Dec 2021 02:55:28 -0500 Subject: [PATCH 12/15] jar patcher is able to remove JndiLookup.class file from jars Former-commit-id: fbab2cfe6a6b06a6cb5d85a7c7a59d94e5dba172 Former-commit-id: 79cf150e1fa48b551f1fd282643585667c0670a6 --- tools/log4shell/analyze/analyze.go | 24 +- tools/log4shell/commands/patch.go | 285 ++++++++++++++---- tools/log4shell/commands/scan.go | 5 + tools/log4shell/constants/vulnerablehashes.go | 2 + tools/log4shell/log4j-library-hashes.json | 48 ++- tools/log4shell/main.go | 25 +- tools/log4shell/scan/scanfile.go | 38 ++- tools/log4shell/util/fs.go | 11 + 8 files changed, 337 insertions(+), 101 deletions(-) diff --git a/tools/log4shell/analyze/analyze.go b/tools/log4shell/analyze/analyze.go index b3cdaaa2b..c4ed345e9 100644 --- a/tools/log4shell/analyze/analyze.go +++ b/tools/log4shell/analyze/analyze.go @@ -97,12 +97,10 @@ func fileNameToSemver(fileNameNoExt string) string { return semverVersion } -func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHash string, err error) { - fileName = "org/apache/logging/log4j/core/lookup/JndiLookup.class" - - reader, err := zipReader.Open(fileName) +func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHash string) { + reader, err := zipReader.Open(constants.JndiLookupClasspath) if err != nil { - log.Warn(). + log.Debug(). Str("fieName", fileName). Str("path", filePath). Err(err). @@ -113,7 +111,7 @@ func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHa fileHash, err = util.HexEncodedSha256FromReader(reader) if err != nil { - log.Warn(). + log.Debug(). Str("fieName", fileName). Str("path", filePath). Err(err). 
@@ -124,6 +122,11 @@ func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHa } func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileName string) (finding *types.Finding) { + var ( + jndiLookupFileName string + jndiLookupFileHash string + ) + _, file := path.Split(filePath) fileNameNoExt := strings.TrimSuffix(file, path.Ext(file)) @@ -163,15 +166,8 @@ func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileN return } - jndiLookupFileName := "" - jndiLookupFileHash := "" - if versionIsInRange(fileNameNoExt, semverVersion, constants.JndiLookupPatchFileVersions) { - jndiLookupFileName, jndiLookupFileHash, err = GetJndiLookupHash(zipReader, filePath) - if err != nil { - jndiLookupFileName = "" - jndiLookupFileHash = "" - } + jndiLookupFileName, jndiLookupFileHash = GetJndiLookupHash(zipReader, filePath) } log.Log(). diff --git a/tools/log4shell/commands/patch.go b/tools/log4shell/commands/patch.go index 4c31b4bd5..415e2c848 100644 --- a/tools/log4shell/commands/patch.go +++ b/tools/log4shell/commands/patch.go 
@@ -17,109 +17,270 @@ package commands import ( "archive/zip" "encoding/json" + "fmt" + "github.com/lunasec-io/lunasec/tools/log4shell/scan" "github.com/lunasec-io/lunasec/tools/log4shell/types" "github.com/lunasec-io/lunasec/tools/log4shell/util" "github.com/rs/zerolog/log" "github.com/urfave/cli/v2" - "io/fs" "io/ioutil" "os" ) -func JavaArchivePatchCommand(c *cli.Context, globalBoolFlags map[string]bool) error { - enableGlobalFlags(c, globalBoolFlags) - - findingsFile := c.String("findings") +func scanForFindings( + log4jLibraryHashes []byte, + searchDirs []string, + excludeDirs []string, + noFollowSymlinks bool, +) (findings []types.Finding, err error) { + var ( + hashLookup types.VulnerableHashLookup + ) - findingsContent, err := ioutil.ReadFile(findingsFile) + hashLookup, err = loadHashLookup(log4jLibraryHashes, "", false) if err != nil { - log.Error(). - Err(err). - Str("findings", findingsFile). - Msg("Unable to open and read findings file") - return err + return } - var findings types.FindingsOutput - err = json.Unmarshal(findingsContent, &findings) - if err != nil { - log.Error(). - Err(err). - Str("findings", findingsFile). - Msg("Unable to unmarshal findings file") - return err - } + processArchiveFile := scan.IdentifyPotentiallyVulnerableFiles(false, hashLookup) + + scanner := scan.NewLog4jDirectoryScanner( + excludeDirs, false, noFollowSymlinks, processArchiveFile) + + findings = scanner.Scan(searchDirs) + return +} - for _, finding := range findings.VulnerableLibraries { - var file *os.File +func loadOrScanForFindings( + c *cli.Context, + log4jLibraryHashes []byte, +) (findings []types.Finding, err error) { + findingsFile := c.String("findings") + if findingsFile != "" { + var ( + findingsContent []byte + findingsOutput types.FindingsOutput + ) - file, err = os.Open(finding.Path) + findingsContent, err = ioutil.ReadFile(findingsFile) if err != nil { - log.Warn(). - Str("path", finding.Path). + log.Error(). Err(err). 
- Msg("Unable to open findings archive") - return err + Str("findings", findingsFile). + Msg("Unable to open and read findings file") + return } - defer file.Close() - info, _ := os.Stat(finding.Path) + err = json.Unmarshal(findingsContent, &findingsOutput) + if err != nil { + log.Error(). + Err(err). + Str("findings", findingsFile). + Msg("Unable to unmarshal findings file") + return + } + findings = findingsOutput.VulnerableLibraries + return + } + + searchDirs := c.Args().Slice() + + excludeDirs := c.StringSlice("exclude") + noFollowSymlinks := c.Bool("no-follow-symlinks") + + log.Info(). + Strs("searchDirs", searchDirs). + Strs("excludeDirs", excludeDirs). + Msg("Scanning directories for vulnerable Log4j libraries.") + + return scanForFindings(log4jLibraryHashes, searchDirs, excludeDirs, noFollowSymlinks) +} - var zipReader *zip.Reader +func askIfShouldSkipLibrary(msg string) (shouldSkip, forcePatch bool) { + var ( + patchPromptResp string + ) - zipReader, err = zip.NewReader(file, info.Size()) + for { + fmt.Printf("Are you sure you want to patch: %s? (y)es/(n)o/(a)ll: ", msg) + _, err := fmt.Scan(&patchPromptResp) if err != nil { - log.Warn(). - Str("path", finding.Path). + log.Error(). Err(err). - Msg("Unable to open archive for patching") - return err + Msg("Unable to process response.") + return true, false } + fmt.Println() - var zipFile fs.File + switch patchPromptResp { + case "y": + shouldSkip = false + case "n": + shouldSkip = true + case "a": + forcePatch = true + default: + fmt.Printf("Option %s is not valid, please enter 'y', 'n', or 'a'.\n", patchPromptResp) + continue + } + break + } + return +} - if finding.JndiLookupFileName == "" { - log.Warn(). +func filterOutJndiLookupFromZip( + finding types.Finding, + zipReader *zip.Reader, + writer *zip.Writer, +) error { + for _, member := range zipReader.File { + if member.Name == finding.JndiLookupFileName { + log.Debug(). Str("path", finding.Path). - Err(err). 
- Msg("Finding does not have JndiLookup.class file to patch") + Str("zipFilePath", finding.JndiLookupFileName). + Msg("Found file to remove in order to patch log4j library.") continue } - zipFile, err = zipReader.Open(finding.JndiLookupFileName) - if err != nil { - log.Warn(). - Str("path", finding.Path). - Str("jndiLookupFileName", finding.JndiLookupFileName). + if err := writer.Copy(member); err != nil { + log.Error(). Err(err). - Msg("Unable to open file from zip") + Msg("Error while copying zip file.") return err } + } + return nil +} - var zipFileHash string +func patchJavaArchive(finding types.Finding) (err error) { + var ( + libraryFile *os.File + zipReader *zip.Reader + ) - zipFileHash, err = util.HexEncodedSha256FromReader(zipFile) - if err != nil { + libraryFile, err = os.Open(finding.Path) + if err != nil { + log.Error(). + Str("path", finding.Path). + Err(err). + Msg("Unable to open findings archive") + return + } + defer libraryFile.Close() + + info, _ := os.Stat(finding.Path) + + zipReader, err = zip.NewReader(libraryFile, info.Size()) + if err != nil { + log.Error(). + Str("path", finding.Path). + Err(err). + Msg("Unable to open archive for patching") + return + } + + outZip, err := ioutil.TempFile(os.TempDir(), "*.zip") + if err != nil { + log.Error(). + Str("tmpDir", os.TempDir()). + Err(err). + Msg("Unable to create temporary libraryFile") + return + } + defer os.Remove(outZip.Name()) + + writer := zip.NewWriter(outZip) + defer writer.Close() + + err = filterOutJndiLookupFromZip(finding, zipReader, writer) + if err != nil { + return + } + + writer.Close() + + if err = libraryFile.Close(); err != nil { + log.Error(). + Str("outZipName", outZip.Name()). + Str("libraryFileName", finding.Path). + Err(err). + Msg("Unable to close library file.") + return + } + + if err = outZip.Close(); err != nil { + log.Error(). + Str("outZipName", outZip.Name()). + Str("libraryFileName", finding.Path). + Err(err). 
+ Msg("Unable to close output zip.") + return + } + + _, err = util.CopyFile(outZip.Name(), finding.Path) + if err != nil { + log.Error(). + Str("outZipName", outZip.Name()). + Str("libraryFileName", finding.Path). + Err(err). + Msg("Unable to replace library file with patched library file.") + return + } + return +} + +func JavaArchivePatchCommand( + c *cli.Context, + globalBoolFlags map[string]bool, + log4jLibraryHashes []byte, +) error { + enableGlobalFlags(c, globalBoolFlags) + + findings, err := loadOrScanForFindings(c, log4jLibraryHashes) + if err != nil { + return err + } + + log.Info(). + Int("findingsCount", len(findings)). + Msg("Patching found vulnerable Log4j libraries.") + + forcePatch := c.Bool("force-patch") + + var patchedLibraries []string + + for _, finding := range findings { + var ( + shouldSkip bool + ) + + if finding.JndiLookupFileName == "" { log.Warn(). Str("path", finding.Path). Err(err). - Msg("Unable to hash zip file") - return err + Msg("Finding does not have JndiLookup.class file to patch") + continue } - if zipFileHash != finding.JndiLookupHash { - log.Warn(). - Str("path", finding.Path). - Str("hash", finding.JndiLookupHash). - Err(err). - Msg("Hashes do not match, not deleting") - return nil + if !forcePatch { + shouldSkip, forcePatch = askIfShouldSkipLibrary(finding.Path) + if !forcePatch && shouldSkip { + log.Info(). + Str("findingPath", finding.Path). + Msg("Skipping library for patching") + continue + } } - log.Debug(). - Str("path", finding.Path). - Str("zipFilePath", finding.JndiLookupFileName). - Msg("Found file to remove") + + err = patchJavaArchive(finding) + if err != nil { + continue + } + patchedLibraries = append(patchedLibraries, finding.Path) } + log.Info(). + Strs("patchedLibraries", patchedLibraries). + Msg("Successfully patched libraries.") return nil } diff --git a/tools/log4shell/commands/scan.go b/tools/log4shell/commands/scan.go index e1359499e..9fc54a18c 100644 --- a/tools/log4shell/commands/scan.go 
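Review bot: In `patchJavaArchive` the explicit `writer.Close()` discards its error, so a failure while the zip central directory is written still reaches `util.CopyFile`, and the library at `finding.Path` is overwritten with an incomplete archive. Check that error before the files are closed, and drop `defer writer.Close()`, which otherwise closes the writer a second time. `info, _ := os.Stat(finding.Path)` also ignores its error and leaves `info` nil when the stat fails; `libraryFile.Stat()` on the already open handle avoids that and the second path lookup. In `JavaArchivePatchCommand` a failed `patchJavaArchive` is skipped with `continue`, yet the command still logs "Successfully patched libraries." and returns nil, so the exit status cannot show that a library stayed unpatched.

```go
	// … unchanged: os.Open(finding.Path), its error handling and defer libraryFile.Close() …

	info, err := libraryFile.Stat()
	if err != nil {
		log.Error().
			Str("path", finding.Path).
			Err(err).
			Msg("Unable to stat findings archive")
		return
	}

	// … unchanged: zip.NewReader, ioutil.TempFile, defer os.Remove(outZip.Name()) …

	writer := zip.NewWriter(outZip)
	// no deferred Close: the writer is closed exactly once below, with its error checked

	err = filterOutJndiLookupFromZip(finding, zipReader, writer)
	if err != nil {
		return
	}

	// Close writes the central directory; without it the archive is unreadable.
	if err = writer.Close(); err != nil {
		log.Error().
			Str("outZipName", outZip.Name()).
			Str("libraryFileName", finding.Path).
			Err(err).
			Msg("Unable to finalize patched archive.")
		return
	}

	// … unchanged: libraryFile.Close(), outZip.Close(), util.CopyFile …
```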
+++ b/tools/log4shell/commands/scan.go @@ -76,6 +76,11 @@ func scanDirectoriesForVulnerableLibraries( scanner := scan.NewLog4jDirectoryScanner( excludeDirs, onlyScanArchives, noFollowSymlinks, processArchiveFile) + log.Info(). + Strs("searchDirs", searchDirs). + Strs("excludeDirs", excludeDirs). + Msg("Scanning directories for vulnerable Log4j libraries.") + scannerFindings = scanner.Scan(searchDirs) return } diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index 6092c83fc..6cc418a59 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go @@ -37,6 +37,8 @@ var ( JndiLookupPatchFileVersions = semver.MustParseRange(">=2.0.0") + JndiLookupClasspath = "org/apache/logging/log4j/core/lookup/JndiLookup.class" + FileVersionChecks = []types.LibraryFileVersionCheck{ { Cve: Log4ShellCve, diff --git a/tools/log4shell/log4j-library-hashes.json b/tools/log4shell/log4j-library-hashes.json index 9aeb4ef6d..311b00ed1 100644 --- a/tools/log4shell/log4j-library-hashes.json +++ b/tools/log4shell/log4j-library-hashes.json @@ -34,8 +34,8 @@ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "2.0.0-beta9", "cve": "CVE-2021-44228", "severity": "10.0" 
@@ -44,8 +44,8 @@ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "2.0.0-beta9", "cve": "CVE-2021-44228", "severity": "10.0" @@ -64,8 +64,8 @@ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "2.0.0-rc1", "cve": "CVE-2021-44228", "severity": "10.0" @@ -74,8 +74,8 @@ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "2.0.0-rc1", "cve": "CVE-2021-44228", "severity": "10.0" 
@@ -84,8 +84,8 @@ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", - "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "jndi_lookup_hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "2.0.0-rc2", "cve": "CVE-2021-44228", "severity": "10.0" @@ -260,6 +260,16 @@ "cve": "CVE-2021-45046", "severity": "9.0" }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "5210e6aae7dd8a61cd16c56937c5f2ed43941487830f46e99d0d3f45bfa6f953", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", + "version": "2.16.0", + "cve": "CVE-2021-45105", + "severity": "7.5" + }, { "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.2-bin/log4j-core-2.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", @@ -534,8 +544,8 @@ "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", - "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "jndi_lookup_hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "2.0.0-rc1", "cve": "CVE-2021-44228", "severity": "10.0" 
@@ -544,8 +554,8 @@ "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", - "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", - "jndi_lookup_hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + "jndi_lookup_file_name": "", + "jndi_lookup_hash": "", "version": "2.0.0-rc2", "cve": "CVE-2021-44228", "severity": "10.0" @@ -730,6 +740,16 @@ "cve": "CVE-2021-45046", "severity": "9.0" }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.16.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "5210e6aae7dd8a61cd16c56937c5f2ed43941487830f46e99d0d3f45bfa6f953", + "jndi_lookup_file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "jndi_lookup_hash": "84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f", + "version": "2.16.0", + "cve": "CVE-2021-45105", + "severity": "7.5" + }, { "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.2.jar", "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index de269f903..b540d0897 100644 --- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go 
@@ -92,9 +92,10 @@ func main() { }, Commands: []*cli.Command{ { - Name: "analyze", - Usage: "Note: This command is not used for scanning for vulnerable libraries, use the `scan` command. Analyze known vulnerable Log4j dependencies and create a mapping of JndiLookup.class hash to version.", - Before: setGlobalBoolFlags, + Name: "analyze", + Aliases: []string{"a"}, + Usage: "Note: This command is not used for scanning for vulnerable libraries, use the `scan` command. Analyze known vulnerable Log4j dependencies and create a mapping of JndiLookup.class hash to version.", + Before: setGlobalBoolFlags, Flags: []cli.Flag{ &cli.StringFlag{ Name: "output", @@ -159,7 +160,7 @@ func main() { }, { Name: "livepatch", - Aliases: []string{"s"}, + Aliases: []string{"l"}, Usage: "Perform a live patch of a system by exploiting the log4shell vulnerability for immediate mitigation. The payload executed patches the running process to prevent further payloads from being able to be executed.", Before: setGlobalBoolFlags, Flags: []cli.Flag{ 
@@ -182,16 +183,28 @@ func main() { }, { Name: "patch", - Aliases: []string{"s"}, + Aliases: []string{"p"}, Usage: "Patches findings of libraries vulnerable toLog4Shell by removing the JndiLookup.class file from each.", Flags: []cli.Flag{ + &cli.StringSliceFlag{ + Name: "exclude", + Usage: "Exclude subdirectories from scanning. This can be helpful if there are directories which your user does not have access to when starting a scan from `/`.", + }, + &cli.BoolFlag{ + Name: "no-follow-symlinks", + Usage: "Disable the resolution of symlinks while scanning. Note: symlinks might resolve to files outside of the included directories and so this option might be useful if you strictly want to search in said directories.", + }, + &cli.BoolFlag{ + Name: "force-patch", + Usage: "Force patch all libraries reported in findings or scanned at runtime. Do not prompt each time a library is about to be patched.", + }, &cli.StringFlag{ Name: "findings", Usage: "Patches all vulnerable Java archives which have been identified.", }, }, Action: func(c *cli.Context) error { - return commands.JavaArchivePatchCommand(c, globalBoolFlags) + return commands.JavaArchivePatchCommand(c, globalBoolFlags, log4jLibraryHashes) }, }, }, diff --git a/tools/log4shell/scan/scanfile.go b/tools/log4shell/scan/scanfile.go index 892abeabe..9c9521103 100644 --- a/tools/log4shell/scan/scanfile.go +++ b/tools/log4shell/scan/scanfile.go @@ -16,6 +16,7 @@ package scan import ( "archive/zip" + "github.com/blang/semver/v4" "github.com/lunasec-io/lunasec/tools/log4shell/analyze" "github.com/lunasec-io/lunasec/tools/log4shell/constants" "github.com/lunasec-io/lunasec/tools/log4shell/types" 
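Review bot: The `findings` flag of the `patch` command keeps the usage text "Patches all vulnerable Java archives which have been identified.", which does not say that the flag takes a file path or what happens without it. From `loadOrScanForFindings` in this commit, the value is read as a JSON file in the `types.FindingsOutput` format, and every `path` listed in it is opened and rewritten. With `force-patch` that happens without a prompt, so the help text should make the input explicit. Suggested wording: `Usage: "Path to a findings JSON file; every library listed in it is patched. When omitted, the directories passed as arguments are scanned and the results are patched.",`.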
@@ -34,12 +35,31 @@ func IdentifyPotentiallyVulnerableFiles(scanLog4j1 bool, archiveHashLookup types } } +func isVulnerableIfContainsJndiLookup(versions []string) bool { + for _, version := range versions { + semverVersion, err := semver.Parse(version) + if err != nil { + continue + } + + if constants.JndiLookupPatchFileVersions(semverVersion) { + return true + } + } + return false +} + func identifyPotentiallyVulnerableFile( zipReader *zip.Reader, reader io.Reader, path, fileName string, hashLookup types.VulnerableHashLookup, ) (finding *types.Finding) { + var ( + jndiLookupFileName string + jndiLookupFileHash string + ) + fileHash, err := util.HexEncodedSha256FromReader(reader) if err != nil { log.Warn(). @@ -50,7 +70,7 @@ func identifyPotentiallyVulnerableFile( return } - if strings.Contains(fileName, "JndiLookup.class") { + if strings.HasSuffix(fileName, "JndiLookup.class") { log.Debug(). Str("fileName", fileName). Str("fileHash", fileHash). @@ -65,8 +85,12 @@ func identifyPotentiallyVulnerableFile( Msg("No severity provided for CVE") } - jndiLookupFileName, jndiLookupFileHash, err := analyze.GetJndiLookupHash(zipReader, path) - if err == nil { + versions := strings.Split(vulnerableFile.Version, ", ") + patchableVersion := isVulnerableIfContainsJndiLookup(versions) + + jndiLookupFileName, jndiLookupFileHash = analyze.GetJndiLookupHash(zipReader, path) + + if jndiLookupFileHash != "" { if _, ok := vulnerableFile.VulnerableFileHashLookup[jndiLookupFileHash]; !ok { log.Warn(). Str("path", path). @@ -75,8 +99,12 @@ func identifyPotentiallyVulnerableFile( Msg("Discovered JndiLookup.class file is not a known vulnerable file. Patching this file out might have some unintended side effects.") } } else { - jndiLookupFileName = "" - jndiLookupFileHash = "" + if patchableVersion { + log.Warn(). + Str("path", path). + Msg("Library has been patched of the Log4Shell vulnerability.") + return + } } log.Log(). 
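Review bot: The new `else` branch in `identifyPotentiallyVulnerableFile` treats an empty `jndiLookupFileHash` as proof that the library was patched and returns without a finding, but an empty hash does not establish that. `GetJndiLookupHash`, as changed in this commit, returns an empty hash both when `zipReader.Open` fails and when hashing the member fails, logging either case only at debug level. A read or hashing error on a vulnerable archive is therefore reported as "Library has been patched of the Log4Shell vulnerability." and dropped from the results. Keeping the error return on `GetJndiLookupHash` and suppressing the finding only for a missing member, `if errors.Is(err, fs.ErrNotExist) && patchableVersion {`, would separate the two cases. The later `getHashOfZipMember` in patch.go uses the same empty-string-on-error convention; the function body here starts and ends outside this hunk.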
diff --git a/tools/log4shell/util/fs.go b/tools/log4shell/util/fs.go index 1bb2d9fe7..d58f7d0b1 100644 --- a/tools/log4shell/util/fs.go +++ b/tools/log4shell/util/fs.go @@ -16,6 +16,7 @@ package util import ( "github.com/rs/zerolog/log" + "io" "os" "path/filepath" "strings" @@ -74,3 +75,13 @@ func ResolveSymlinkFilePathAndInfo(symlinkPath string) (path string, info os.Fil } return } + +func CopyFile(in, out string) (int64, error) { + i, e := os.Open(in) + if e != nil { return 0, e } + defer i.Close() + o, e := os.Create(out) + if e != nil { return 0, e } + defer o.Close() + return io.Copy(o, i) +} \ No newline at end of file From 9634e834ffe4d8dbb0ba918080f478c0a6b224f7 Mon Sep 17 00:00:00 2001 From: breadchris Date: Mon, 27 Dec 2021 00:07:43 -0500 Subject: [PATCH 13/15] begin to support nested zips when patching Former-commit-id: 7e8c14638d3ac51edcddb909b1160ab7855e4f06 Former-commit-id: fffde071fa3812e75ea886ee1da387e2b70fadda --- tools/log4shell/Makefile | 2 +- tools/log4shell/analyze/analyze.go | 13 ++- tools/log4shell/commands/patch.go | 94 ++++++++++++++++--- tools/log4shell/main.go | 4 + tools/log4shell/scan/scanfile.go | 16 ++-- .../vulnerable-log4j2-versions/.gitignore | 1 + 6 files changed, 99 insertions(+), 31 deletions(-) diff --git a/tools/log4shell/Makefile b/tools/log4shell/Makefile index 289ce715e..e5c820476 100644 --- a/tools/log4shell/Makefile +++ b/tools/log4shell/Makefile @@ -9,7 +9,7 @@ payload: cli: touch ${LIBRARY_HASHES} - go build -o ${BINARY_NAME} . + CGO_ENABLED=0 GOOS=linux go build -o ${BINARY_NAME} . library-hashes: cli ./log4shell analyze --output ${LIBRARY_HASHES} test/vulnerable-log4j2-versions/apache test/vulnerable-log4j2-versions/target/dependency diff --git a/tools/log4shell/analyze/analyze.go b/tools/log4shell/analyze/analyze.go index c4ed345e9..ad4fa5387 100644 --- a/tools/log4shell/analyze/analyze.go +++ b/tools/log4shell/analyze/analyze.go 
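Review bot: `CopyFile` truncates `out` with `os.Create` before any data is copied and drops the error from closing it, so a failed or short write leaves the destination damaged while the caller sees at most the `io.Copy` error. `patchJavaArchive` uses this function to overwrite the only copy of the library, so at minimum the close error should be returned. Staging the data in a temporary file in the destination directory and renaming it over `out` would also keep the original intact on failure. The one-line `if e != nil { return 0, e }` bodies are not gofmt output, and the file now ends without a newline.

```go
func CopyFile(in, out string) (written int64, err error) {
	src, err := os.Open(in)
	if err != nil {
		return 0, err
	}
	defer src.Close()

	dst, err := os.Create(out)
	if err != nil {
		return 0, err
	}
	defer func() {
		// A failed Close can mean the last writes never reached the file.
		if cerr := dst.Close(); err == nil {
			err = cerr
		}
	}()

	return io.Copy(dst, src)
}
```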
@@ -97,11 +97,11 @@ func fileNameToSemver(fileNameNoExt string) string { return semverVersion } -func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHash string) { +func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileHash string) { reader, err := zipReader.Open(constants.JndiLookupClasspath) if err != nil { log.Debug(). - Str("fieName", fileName). + Str("fieName", constants.JndiLookupClasspath). Str("path", filePath). Err(err). Msg("cannot find file in zip") @@ -112,7 +112,7 @@ func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHa fileHash, err = util.HexEncodedSha256FromReader(reader) if err != nil { log.Debug(). - Str("fieName", fileName). + Str("fieName", constants.JndiLookupClasspath). Str("path", filePath). Err(err). Msg("unable to hash JndiLookup.class file") @@ -123,7 +123,6 @@ func GetJndiLookupHash(zipReader *zip.Reader, filePath string) (fileName, fileHa func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileName string) (finding *types.Finding) { var ( - jndiLookupFileName string jndiLookupFileHash string ) @@ -167,14 +166,14 @@ func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileN } if versionIsInRange(fileNameNoExt, semverVersion, constants.JndiLookupPatchFileVersions) { - jndiLookupFileName, jndiLookupFileHash = GetJndiLookupHash(zipReader, filePath) + jndiLookupFileHash = GetJndiLookupHash(zipReader, filePath) } log.Log(). Str("path", filePath). Str("fileName", fileName). Str("fileHash", fileHash). - Str("jndiLookupFileName", jndiLookupFileName). + Str("jndiLookupFileName", constants.JndiLookupClasspath). Str("jndiLookupFileHash", jndiLookupFileHash). Msg("identified library version") 
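Review bot: Both debug logs in `GetJndiLookupHash` keep the misspelled field key `fieName` on the lines this change rewrites (the second is in the following hunk at -112,7 +112,7), so anyone filtering structured logs on `fileName`, the key used by the other log call in this file, will miss these events. I would change them to `Str("fileName", constants.JndiLookupClasspath)`. The "cannot find file in zip" message is also emitted for every `zipReader.Open` error, not only a missing entry, which can mislead during triage. The function body continues outside the hunk.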
@@ -182,7 +181,7 @@ func ProcessArchiveFile(zipReader *zip.Reader, reader io.Reader, filePath, fileN Path: filePath, FileName: fileName, Hash: fileHash, - JndiLookupFileName: jndiLookupFileName, + JndiLookupFileName: constants.JndiLookupClasspath, JndiLookupHash: jndiLookupFileHash, Version: semverVersion, CVE: versionCve, diff --git a/tools/log4shell/commands/patch.go b/tools/log4shell/commands/patch.go index 415e2c848..4df2ff882 100644 --- a/tools/log4shell/commands/patch.go +++ b/tools/log4shell/commands/patch.go @@ -25,6 +25,7 @@ import ( "github.com/urfave/cli/v2" "io/ioutil" "os" + "strings" ) func scanForFindings( @@ -96,7 +97,7 @@ func loadOrScanForFindings( return scanForFindings(log4jLibraryHashes, searchDirs, excludeDirs, noFollowSymlinks) } -func askIfShouldSkipLibrary(msg string) (shouldSkip, forcePatch bool) { +func askIfShouldSkipPatch(msg string) (shouldSkip, forcePatch bool) { var ( patchPromptResp string ) @@ -128,6 +129,28 @@ func askIfShouldSkipLibrary(msg string) (shouldSkip, forcePatch bool) { return } +func getHashOfZipMember(member *zip.File) (hash string) { + memberReader, err := member.Open() + if err != nil { + log.Warn(). + Err(err). + Str("name", member.Name). + Msg("Unable to open zip member") + return + } + defer memberReader.Close() + + hash, err = util.HexEncodedSha256FromReader(memberReader) + if err != nil { + log.Warn(). + Err(err). + Str("name", member.Name). + Msg("Unable to hash zip member") + return + } + return +} + func filterOutJndiLookupFromZip( finding types.Finding, zipReader *zip.Reader, 
@@ -135,13 +158,38 @@ func filterOutJndiLookupFromZip( ) error { for _, member := range zipReader.File { if member.Name == finding.JndiLookupFileName { + shouldSkip := false + log.Debug(). Str("path", finding.Path). Str("zipFilePath", finding.JndiLookupFileName). Msg("Found file to remove in order to patch log4j library.") - continue + + hash := getHashOfZipMember(member) + if hash != finding.JndiLookupHash { + shouldSkip, _ = askIfShouldSkipPatch( + fmt.Sprintf( + "located JndiLookup.class file hash does not match expected finding hash: \"%s\" != \"%s\" . Patching might result in unintended side effects.", + hash, finding.JndiLookupHash, + ), + ) + } + + if !shouldSkip { + continue + } + + log.Info(). + Str("findingPath", finding.Path). + Msg("Skipping library for patching") } + if member.FileInfo().IsDir() { + fmt.Println(member.Name, member.FileInfo().IsDir()) + fmt.Printf("%+v\n", member.FileHeader) + } + + if err := writer.Copy(member); err != nil { log.Error(). Err(err). @@ -152,13 +200,16 @@ func filterOutJndiLookupFromZip( return nil } -func patchJavaArchive(finding types.Finding) (err error) { +func patchJavaArchive(finding types.Finding, dryRun bool) (err error) { var ( libraryFile *os.File zipReader *zip.Reader ) - libraryFile, err = os.Open(finding.Path) + zipPaths := strings.Split(finding.Path, "::") + var zipReaders []*zip.Reader + + libraryFile, err = os.Open(zipPaths[0]) if err != nil { log.Error(). Str("path", finding.Path). 
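Review bot: When the operator answers the hash-mismatch prompt with skip, the loop in `filterOutJndiLookupFromZip` logs "Skipping library for patching" and then falls through to `writer.Copy(member)`, so JndiLookup.class is copied into the output and the function still returns nil. As far as the later hunks show, `patchJavaArchive` then overwrites the library and `JavaArchivePatchCommand` appends it to `patchedLibraries`, which reports an unpatched archive as patched. I would return a dedicated error from the skip branch, for example `return errPatchSkipped` (a new sentinel, not in the file today), and have the caller leave such libraries out of the success list. The `forcePatch` result of `askIfShouldSkipPatch` is discarded here with `_`, so whether --force-patch suppresses this second prompt is worth confirming. The function begins outside this hunk.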
@@ -169,14 +220,23 @@ func patchJavaArchive(finding types.Finding) (err error) { defer libraryFile.Close() info, _ := os.Stat(finding.Path) + zipSize := info.Size() - zipReader, err = zip.NewReader(libraryFile, info.Size()) - if err != nil { - log.Error(). - Str("path", finding.Path). - Err(err). - Msg("Unable to open archive for patching") - return + for _, zipPath := range zipPaths { + nestedZip, err := zipReader.Open(zipPath) + + nestedZip. + + zipReader, err = zip.NewReader(libraryFile, zipSize) + if err != nil { + log.Error(). + Str("path", finding.Path). + Str("zipPath", zipPath). + Err(err). + Msg("Unable to open archive for patching") + return + } + zipReaders = append(zipReaders, zipReader) } outZip, err := ioutil.TempFile(os.TempDir(), "*.zip") @@ -217,6 +277,13 @@ func patchJavaArchive(finding types.Finding) (err error) { return } + if dryRun { + log.Info(). + Str("library", finding.Path). + Msg("[Dry Run] Not completing patch process of overwriting existing library.") + return + } + _, err = util.CopyFile(outZip.Name(), finding.Path) if err != nil { log.Error(). @@ -246,6 +313,7 @@ func JavaArchivePatchCommand( Msg("Patching found vulnerable Log4j libraries.") forcePatch := c.Bool("force-patch") + dryRun := c.Bool("dry-run") var patchedLibraries []string @@ -263,7 +331,7 @@ func JavaArchivePatchCommand( } if !forcePatch { - shouldSkip, forcePatch = askIfShouldSkipLibrary(finding.Path) + shouldSkip, forcePatch = askIfShouldSkipPatch(finding.Path) if !forcePatch && shouldSkip { log.Info(). Str("findingPath", finding.Path). @@ -272,7 +340,7 @@ func JavaArchivePatchCommand( } } - err = patchJavaArchive(finding) + err = patchJavaArchive(finding, dryRun) if err != nil { continue } diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index b540d0897..2679ce7c3 100644 --- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go 
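Review bot: The new loop in `patchJavaArchive` contains the dangling statement `nestedZip.` and calls `zipReader.Open(zipPath)` before `zipReader` has been assigned, so commands/patch.go does not compile at this commit, and once the syntax is repaired the first iteration would dereference a nil reader. `info, _ := os.Stat(finding.Path)` also discards the error although `finding.Path` may now carry `::`-separated nested segments that do not exist on disk, which turns the new `info.Size()` call into a nil dereference. If the series is not squashed, I would keep this commit buildable for bisecting by statting the first segment, `info, err := os.Stat(zipPaths[0])`, returning on error, and leaving the nested loop out until it is complete. The function starts and ends outside the hunk.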
@@ -198,6 +198,10 @@ func main() { Name: "force-patch", Usage: "Force patch all libraries reported in findings or scanned at runtime. Do not prompt each time a library is about to be patched.", }, + &cli.BoolFlag{ + Name: "dry-run", + Usage: "Perform a dry run of the patching process by only logging out actions which would be performed.", + }, &cli.StringFlag{ Name: "findings", Usage: "Patches all vulnerable Java archives which have been identified.", diff --git a/tools/log4shell/scan/scanfile.go b/tools/log4shell/scan/scanfile.go index 9c9521103..a66723188 100644 --- a/tools/log4shell/scan/scanfile.go +++ b/tools/log4shell/scan/scanfile.go @@ -55,11 +55,6 @@ func identifyPotentiallyVulnerableFile( path, fileName string, hashLookup types.VulnerableHashLookup, ) (finding *types.Finding) { - var ( - jndiLookupFileName string - jndiLookupFileHash string - ) - fileHash, err := util.HexEncodedSha256FromReader(reader) if err != nil { log.Warn(). @@ -88,13 +83,12 @@ func identifyPotentiallyVulnerableFile( versions := strings.Split(vulnerableFile.Version, ", ") patchableVersion := isVulnerableIfContainsJndiLookup(versions) - jndiLookupFileName, jndiLookupFileHash = analyze.GetJndiLookupHash(zipReader, path) - + jndiLookupFileHash := analyze.GetJndiLookupHash(zipReader, path) if jndiLookupFileHash != "" { if _, ok := vulnerableFile.VulnerableFileHashLookup[jndiLookupFileHash]; !ok { log.Warn(). Str("path", path). - Str("jndiLookupFileName", jndiLookupFileName). + Str("jndiLookupFileName", constants.JndiLookupClasspath). Str("jndiLookupHash", jndiLookupFileHash). Msg("Discovered JndiLookup.class file is not a known vulnerable file. Patching this file out might have some unintended side effects.") } 
@@ -102,6 +96,8 @@ func identifyPotentiallyVulnerableFile( if patchableVersion { log.Warn(). Str("path", path). + Str("jndiLookupFileName", constants.JndiLookupClasspath). + Str("jndiLookupHash", jndiLookupFileHash). Msg("Library has been patched of the Log4Shell vulnerability.") return } @@ -112,7 +108,7 @@ func identifyPotentiallyVulnerableFile( Str("path", path). Str("versionIndicatorFileName", fileName). Str("versionIndicatorHash", fileHash). - Str("jndiLookupFileName", jndiLookupFileName). + Str("jndiLookupFileName", constants.JndiLookupClasspath). Str("jndiLookupHash", jndiLookupFileHash). Str("versionInfo", vulnerableFile.Version). Str("cve", vulnerableFile.CVE). @@ -131,7 +127,7 @@ func identifyPotentiallyVulnerableFile( Path: absolutePath, FileName: fileName, Hash: fileHash, - JndiLookupFileName: jndiLookupFileName, + JndiLookupFileName: constants.JndiLookupClasspath, JndiLookupHash: jndiLookupFileHash, Version: vulnerableFile.Version, CVE: vulnerableFile.CVE, diff --git a/tools/log4shell/test/vulnerable-log4j2-versions/.gitignore b/tools/log4shell/test/vulnerable-log4j2-versions/.gitignore index 782fd9af3..d52b170dd 100644 --- a/tools/log4shell/test/vulnerable-log4j2-versions/.gitignore +++ b/tools/log4shell/test/vulnerable-log4j2-versions/.gitignore @@ -1,3 +1,4 @@ target/ pom.xml apache/ +apache-patch/ From b3325d38d05699d0d0f517349793203350703944 Mon Sep 17 00:00:00 2001 
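Review bot: The two fields added to the "Library has been patched" log include `jndiLookupHash`, but this branch appears to be reached only when `jndiLookupFileHash` is empty, so the field is always blank and suggests a hash was computed. I would drop `Str("jndiLookupHash", jndiLookupFileHash)` here and keep only the file name. The enclosing `if`/`else` begins outside this hunk, so this is inferred from the scanfile.go hunk at -88,13 +83,12.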
From: breadchris Date: Mon, 27 Dec 2021 03:01:04 -0500 Subject: [PATCH 14/15] patcher works on non-nested zips, but is truncating nested zips for some reason Former-commit-id: 6e991905ff46cf7766af85739b7c4fa85c65d01b Former-commit-id: fe4894d30974306ee800caa89634ace6e1290d09 --- .idea/vcs.xml | 1 + tools/log4shell/commands/patch.go | 236 +++++++++++++----- tools/log4shell/constants/version.go | 2 +- tools/log4shell/main.go | 9 + .../vulnerable.jar.REMOVED.git-id | 1 + tools/log4shell/util/fs.go | 28 ++- 6 files changed, 217 insertions(+), 60 deletions(-) create mode 100644 tools/log4shell/test/vulnerable-apps/vulnerable.jar.REMOVED.git-id diff --git a/.idea/vcs.xml b/.idea/vcs.xml index 3aa94e479..b3094af00 100644 --- a/.idea/vcs.xml +++ b/.idea/vcs.xml @@ -4,6 +4,7 @@ + \ No newline at end of file diff --git a/tools/log4shell/commands/patch.go b/tools/log4shell/commands/patch.go index 4df2ff882..e95b82300 100644 --- a/tools/log4shell/commands/patch.go +++ b/tools/log4shell/commands/patch.go @@ -23,6 +23,7 @@ import ( "github.com/lunasec-io/lunasec/tools/log4shell/util" "github.com/rs/zerolog/log" "github.com/urfave/cli/v2" + "io" "io/ioutil" "os" "strings" 
@@ -151,13 +152,160 @@ func getHashOfZipMember(member *zip.File) (hash string) { return } +func getNestedZipReader(zipReader *zip.Reader, zipPath string) (nestedZipReader *zip.Reader, err error) { + if zipPath == "" { + nestedZipReader = zipReader + return + } + + nestedZip, err := zipReader.Open(zipPath) + if err != nil { + log.Error().Err(err).Str("zipPath", zipPath).Msg("Unable to open nested zip path") + return + } + defer nestedZip.Close() + + info, err := nestedZip.Stat() + if err != nil { + log.Error().Err(err).Str("zipPath", zipPath).Msg("Unable to stat nested zip") + return + } + + nestedZipReader, err = util.NewZipFromReader(nestedZip, info.Size()) + if err != nil { + log.Error().Err(err).Str("zipPath", zipPath).Msg("Unable to create new zip reader") + return + } + return +} + +func head(s []string) string { + if len(s) > 0 { + return s[0] + } + return "" +} + +func tail(s []string) []string { + if len(s) > 1 { + return s[1:] + } + return []string{} +} + +func addFileToZip(zipWriter *zip.Writer, existingHeader zip.FileHeader, filename string) (err error) { + fileToZip, err := os.Open(filename) + if err != nil { + log.Error(). + Err(err). + Str("filename", filename). + Msg("Unable to open file") + return + } + defer fileToZip.Close() + + // Get the file information + info, err := fileToZip.Stat() + if err != nil { + log.Error(). + Err(err). + Str("filename", filename). + Msg("Unable to stat file") + return + } + + existingHeader.UncompressedSize64 = uint64(info.Size()) + + writer, err := zipWriter.CreateHeader(&existingHeader) + if err != nil { + log.Error(). + Err(err). + Str("filename", filename). + Msg("Unable to create zip header") + return + } + _, err = io.Copy(writer, fileToZip) + if err != nil { + log.Error(). + Err(err). + Str("filename", filename). 
+ Msg("Unable to copy file contents to zip writer") + return + } + return +} + func filterOutJndiLookupFromZip( + finding types.Finding, + zipReader *zip.Reader, + nestedPaths []string, + zipWriter *zip.Writer, + existingHeader zip.FileHeader, +) (filename string, err error) { + validOutputFile := false + + outZip, err := ioutil.TempFile(os.TempDir(), "*.zip") + if err != nil { + log.Error(). + Str("tmpDir", os.TempDir()). + Err(err). + Msg("Unable to create temporary libraryFile") + return + } + defer func() { + outZip.Close() + if !validOutputFile { + os.Remove(outZip.Name()) + } + }() + + nestedZipWriter := zip.NewWriter(outZip) + defer nestedZipWriter.Close() + + err = copyAndFilterFilesFromZip(finding, zipReader, nestedZipWriter, nestedPaths) + if err != nil { + return + } + nestedZipWriter.Flush() + + if zipWriter == nil { + filename = outZip.Name() + validOutputFile = true + return + } + + err = addFileToZip(zipWriter, existingHeader, outZip.Name()) + if err != nil { + return + } + zipWriter.Flush() + return +} + +func copyAndFilterFilesFromZip( finding types.Finding, zipReader *zip.Reader, writer *zip.Writer, -) error { + nestedPaths []string, +) (err error) { + nestedPath := head(nestedPaths) for _, member := range zipReader.File { - if member.Name == finding.JndiLookupFileName { + if member.Name == nestedPath { + var nestedZipReader *zip.Reader + + nestedZipReader, err = getNestedZipReader(zipReader, nestedPath) + if err != nil { + return + } + + _, err = filterOutJndiLookupFromZip(finding, nestedZipReader, tail(nestedPaths), writer, member.FileHeader) + if err != nil { + return + } + continue + } + + if len(nestedPaths) == 0 && member.Name == finding.JndiLookupFileName { shouldSkip := false log.Debug(). 
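Review bot: `filterOutJndiLookupFromZip` finishes the temporary archive only through `defer nestedZipWriter.Close()`, whose error is dropped, and on the top-level path it has already set `validOutputFile = true` and chosen the file name to return by then. A failure while writing the central directory (a full temp directory, for instance) therefore hands `patchJavaArchive` an incomplete zip that is later copied over the real library. I would close explicitly before publishing the name and propagate the error, `if err = nestedZipWriter.Close(); err != nil { return }`, with the same check on `outZip.Close()`. `nestedZipWriter.Flush()` and `zipWriter.Flush()` also return errors that are ignored in this hunk. The explicit `nestedZipWriter.Close()` and `outZip.Close()` calls added in the final patch of the series (hunk -274,11 +276,13) discard their errors in the same way.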
@@ -185,19 +333,20 @@ func filterOutJndiLookupFromZip( } if member.FileInfo().IsDir() { - fmt.Println(member.Name, member.FileInfo().IsDir()) - fmt.Printf("%+v\n", member.FileHeader) + continue } - - if err := writer.Copy(member); err != nil { + err = writer.Copy(member) + if err != nil { log.Error(). Err(err). + Str("memberName", member.Name). + Str("member", fmt.Sprintf("%+v", member.FileHeader)). Msg("Error while copying zip file.") - return err + return } } - return nil + return } func patchJavaArchive(finding types.Finding, dryRun bool) (err error) { @@ -207,9 +356,10 @@ func patchJavaArchive(finding types.Finding, dryRun bool) (err error) { ) zipPaths := strings.Split(finding.Path, "::") - var zipReaders []*zip.Reader - libraryFile, err = os.Open(zipPaths[0]) + fsFile := head(zipPaths) + + libraryFile, err = os.Open(fsFile) if err != nil { log.Error(). Str("path", finding.Path). 
@@ -219,76 +369,43 @@ func patchJavaArchive(finding types.Finding, dryRun bool) (err error) { } defer libraryFile.Close() - info, _ := os.Stat(finding.Path) - zipSize := info.Size() - - for _, zipPath := range zipPaths { - nestedZip, err := zipReader.Open(zipPath) - - nestedZip. - - zipReader, err = zip.NewReader(libraryFile, zipSize) - if err != nil { - log.Error(). - Str("path", finding.Path). - Str("zipPath", zipPath). - Err(err). - Msg("Unable to open archive for patching") - return - } - zipReaders = append(zipReaders, zipReader) - } - - outZip, err := ioutil.TempFile(os.TempDir(), "*.zip") + info, err := os.Stat(fsFile) if err != nil { log.Error(). - Str("tmpDir", os.TempDir()). + Str("path", finding.Path). Err(err). - Msg("Unable to create temporary libraryFile") + Msg("Cannot stat file.") return } - defer os.Remove(outZip.Name()) - - writer := zip.NewWriter(outZip) - defer writer.Close() - err = filterOutJndiLookupFromZip(finding, zipReader, writer) + zipReader, err = zip.NewReader(libraryFile, info.Size()) if err != nil { - return - } - - writer.Close() - - if err = libraryFile.Close(); err != nil { log.Error(). - Str("outZipName", outZip.Name()). - Str("libraryFileName", finding.Path). + Str("path", finding.Path). Err(err). - Msg("Unable to close library file.") + Msg("Cannot create new zip reader for file.") return } - if err = outZip.Close(); err != nil { - log.Error(). - Str("outZipName", outZip.Name()). - Str("libraryFileName", finding.Path). - Err(err). - Msg("Unable to close output zip.") + filteredLibrary, err := filterOutJndiLookupFromZip(finding, zipReader, tail(zipPaths), nil, zip.FileHeader{}) + if err != nil { return } if dryRun { log.Info(). - Str("library", finding.Path). + Str("libraryFileName", fsFile). + Str("fullPathToLibrary", finding.Path). 
Msg("[Dry Run] Not completing patch process of overwriting existing library.") return } - _, err = util.CopyFile(outZip.Name(), finding.Path) + _, err = util.CopyFile(filteredLibrary, fsFile) if err != nil { log.Error(). - Str("outZipName", outZip.Name()). - Str("libraryFileName", finding.Path). + Str("outZipName", filteredLibrary). + Str("libraryFileName", fsFile). + Str("fullPathToLibrary", finding.Path). Err(err). Msg("Unable to replace library file with patched library file.") return @@ -342,6 +459,9 @@ func JavaArchivePatchCommand( err = patchJavaArchive(finding, dryRun) if err != nil { + log.Error(). + Str("path", finding.Path). + Msg("Unable to patch library successfully.") continue } patchedLibraries = append(patchedLibraries, finding.Path) @@ -349,6 +469,6 @@ func JavaArchivePatchCommand( log.Info(). Strs("patchedLibraries", patchedLibraries). - Msg("Successfully patched libraries.") + Msg("Completed patched libraries.") return nil } diff --git a/tools/log4shell/constants/version.go b/tools/log4shell/constants/version.go index 4d07c2f07..307ab23a9 100644 --- a/tools/log4shell/constants/version.go +++ b/tools/log4shell/constants/version.go @@ -14,4 +14,4 @@ // package constants -const Version = "1.4.1" +const Version = "1.5.0" diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go index 2679ce7c3..a626ac734 100644 --- a/tools/log4shell/main.go +++ b/tools/log4shell/main.go @@ -185,6 +185,7 @@ func main() { Name: "patch", Aliases: []string{"p"}, Usage: "Patches findings of libraries vulnerable toLog4Shell by removing the JndiLookup.class file from each.", + Before: setGlobalBoolFlags, Flags: []cli.Flag{ &cli.StringSliceFlag{ Name: "exclude", 
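Review bot: `patchJavaArchive` no longer removes the temporary archive: the old `defer os.Remove(outZip.Name())` is deleted and nothing cleans up `filteredLibrary`, so every run, including a dry run, leaves a full copy of the library in `os.TempDir()`. I would add `defer os.Remove(filteredLibrary)` directly after the error check on `filterOutJndiLookupFromZip`. The explicit `libraryFile.Close()` before the copy is removed as well, so the original is still open when `util.CopyFile` truncates it; that works on Linux, which the Makefile targets, but deserves a comment. The function starts outside this hunk.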
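Review bot: The error log added after a failed `patchJavaArchive` call (hunk -342,6 +459,9) omits the error itself, so the message says a library could not be patched without giving the cause. I would chain it in: `log.Error().Err(err).Str("path", finding.Path).Msg("Unable to patch library successfully.")`. The loop this sits in starts outside the hunk.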
@@ -206,6 +207,14 @@ func main() { Name: "findings", Usage: "Patches all vulnerable Java archives which have been identified.", }, + &cli.BoolFlag{ + Name: "json", + Usage: "Display findings in json format.", + }, + &cli.BoolFlag{ + Name: "debug", + Usage: "Display helpful information while debugging the CLI.", + }, }, Action: func(c *cli.Context) error { return commands.JavaArchivePatchCommand(c, globalBoolFlags, log4jLibraryHashes) diff --git a/tools/log4shell/test/vulnerable-apps/vulnerable.jar.REMOVED.git-id b/tools/log4shell/test/vulnerable-apps/vulnerable.jar.REMOVED.git-id new file mode 100644 index 000000000..06b231c2c --- /dev/null +++ b/tools/log4shell/test/vulnerable-apps/vulnerable.jar.REMOVED.git-id @@ -0,0 +1 @@ +214373a78b4024e557c297e5081f9305b65c9587 \ No newline at end of file diff --git a/tools/log4shell/util/fs.go b/tools/log4shell/util/fs.go index d58f7d0b1..050c6a3f4 100644 --- a/tools/log4shell/util/fs.go +++ b/tools/log4shell/util/fs.go @@ -15,8 +15,11 @@ package util import ( + "archive/zip" + "bytes" "github.com/rs/zerolog/log" "io" + "io/ioutil" "os" "path/filepath" "strings" @@ -76,8 +79,31 @@ func ResolveSymlinkFilePathAndInfo(symlinkPath string) (path string, info os.Fil return } +// NewZipFromReader ... +func NewZipFromReader(file io.ReadCloser, size int64) (*zip.Reader, error) { + in := file.(io.Reader) + + if _, ok := in.(io.ReaderAt); ok != true { + buffer, err := ioutil.ReadAll(in) + + if err != nil { + return nil, err + } + + in = bytes.NewReader(buffer) + size = int64(len(buffer)) + } + + reader, err := zip.NewReader(in.(io.ReaderAt), size) + if err != nil { + return nil, err + } + + return reader, nil +} + func CopyFile(in, out string) (int64, error) { - i, e := os.Open(in) + i, e := os.Open(in) if e != nil { return 0, e } defer i.Close() o, e := os.Create(out) From fad8feb7c422d6cad625c49952cc68d94fa01505 Mon Sep 17 00:00:00 2001 
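Review bot: `NewZipFromReader` buffers the whole nested entry with `ioutil.ReadAll` and no upper bound, and the entries come from archives found on disk, so a nested jar that decompresses to a very large size can exhaust the patcher's memory. I would cap the read with `io.LimitReader` and fail once the cap is exceeded; the limit in the sketch is a constructed value to tune, and the `errors` import it needs is not in the hunk's import list. The doc comment is still the placeholder `// NewZipFromReader ...` and should say that inputs which are not an `io.ReaderAt` are read fully into memory and that `size` is then replaced by the buffered length. `file.(io.Reader)` is a redundant assertion and `ok != true` reads better as `!ok`.

```go
// maxNestedArchiveSize is a constructed limit; pick a value that fits the largest legitimate nested jar.
const maxNestedArchiveSize = 1 << 30

func NewZipFromReader(file io.ReadCloser, size int64) (*zip.Reader, error) {
	var in io.Reader = file

	if _, ok := in.(io.ReaderAt); !ok {
		// Read one byte past the cap so an oversized entry is detected rather than silently truncated.
		buffer, err := ioutil.ReadAll(io.LimitReader(in, maxNestedArchiveSize+1))
		if err != nil {
			return nil, err
		}
		if len(buffer) > maxNestedArchiveSize {
			return nil, errors.New("nested archive exceeds size limit")
		}

		in = bytes.NewReader(buffer)
		size = int64(len(buffer))
	}
	// … unchanged: zip.NewReader call and return …
}
```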
From: breadchris Date: Mon, 27 Dec 2021 03:19:15 -0500 Subject: [PATCH 15/15] nested patching works now Former-commit-id: 449f700436a60e9caa665ca98a2280d1d50cf0a7 Former-commit-id: dc5ab77722ed7ee49bf0a5e460198c1783e7efe6 --- tools/log4shell/commands/patch.go | 19 +++++++++++++++++-- .../patched.jar.REMOVED.git-id | 1 + .../vulnerable.jar.REMOVED.git-id | 2 +- 3 files changed, 19 insertions(+), 3 deletions(-) create mode 100644 tools/log4shell/test/vulnerable-apps/patched.jar.REMOVED.git-id diff --git a/tools/log4shell/commands/patch.go b/tools/log4shell/commands/patch.go index e95b82300..f3d78e519 100644 --- a/tools/log4shell/commands/patch.go +++ b/tools/log4shell/commands/patch.go @@ -194,6 +194,8 @@ func tail(s []string) []string { } func addFileToZip(zipWriter *zip.Writer, existingHeader zip.FileHeader, filename string) (err error) { + defer zipWriter.Flush() + fileToZip, err := os.Open(filename) if err != nil { log.Error(). @@ -224,6 +226,7 @@ func addFileToZip(zipWriter *zip.Writer, existingHeader zip.FileHeader, filename Msg("Unable to create zip header") return } + _, err = io.Copy(writer, fileToZip) if err != nil { log.Error(). @@ -266,7 +269,6 @@ func filterOutJndiLookupFromZip( if err != nil { return } - nestedZipWriter.Flush() if zipWriter == nil { filename = outZip.Name() @@ -274,11 +276,13 @@ func filterOutJndiLookupFromZip( return } + nestedZipWriter.Close() + outZip.Close() + err = addFileToZip(zipWriter, existingHeader, outZip.Name()) if err != nil { return } - zipWriter.Flush() return } @@ -288,6 +292,8 @@ func copyAndFilterFilesFromZip( writer *zip.Writer, nestedPaths []string, ) (err error) { + defer writer.Flush() + nestedPath := head(nestedPaths) for _, member := range zipReader.File { if member.Name == nestedPath { 
@@ -333,6 +339,15 @@ func copyAndFilterFilesFromZip( } if member.FileInfo().IsDir() { + _, err = writer.Create(member.Name) + if err != nil { + log.Error(). + Err(err). + Str("memberName", member.Name). + Str("member", fmt.Sprintf("%+v", member.FileHeader)). + Msg("Error while copying zip dir.") + return + } continue } diff --git a/tools/log4shell/test/vulnerable-apps/patched.jar.REMOVED.git-id b/tools/log4shell/test/vulnerable-apps/patched.jar.REMOVED.git-id new file mode 100644 index 000000000..313638f6a --- /dev/null +++ b/tools/log4shell/test/vulnerable-apps/patched.jar.REMOVED.git-id @@ -0,0 +1 @@ +172a1004a051c61f3a8abe3ea3ee002e290f15a2 \ No newline at end of file diff --git a/tools/log4shell/test/vulnerable-apps/vulnerable.jar.REMOVED.git-id b/tools/log4shell/test/vulnerable-apps/vulnerable.jar.REMOVED.git-id index 06b231c2c..a346a2f42 100644 --- a/tools/log4shell/test/vulnerable-apps/vulnerable.jar.REMOVED.git-id +++ b/tools/log4shell/test/vulnerable-apps/vulnerable.jar.REMOVED.git-id @@ -1 +1 @@ -214373a78b4024e557c297e5081f9305b65c9587 \ No newline at end of file +0578ffb72bc2ade6a743bc18d4d2e03123a1ea64 \ No newline at end of file