Releases: lunasec-io/lunasec

v1.3.0-log4shell

16 Dec 09:12

Changelog

This release fixes some issues that were raised about false positives with Log4j 2.15.0. The CLI tool is now also tested against both the Apache and Maven distributions of the libraries, since their hashes were observed to be different in some cases.

ab5abab Basic technical analysis of the Log4Shell exploit
99d8996 Better phrasing
5aadc82 Blog post updates
9a159fd CLI UX improvements and more legalish warnings
861c385 Fix bad image links by using MDX syntax instead
13cd33f Fix formatting
4395867 Fix image link for bad image also
d74964c Fix image links to be persistent
a60fddc Fix some typos
a582d5c Merge branch 'hotpatch-improvements' of github.com:lunasec-io/lunasec into hotpatch-improvements
6e4314a Merge branch 'master' into improve-scanner-reliability
53d0b1c Merge pull request #311 from lunasec-io/hotpatch-improvements
64254cd Merge pull request #312 from lunasec-io/update-patch-section
c7043c6 Merge pull request #313 from lunasec-io/fix-bad-image-links
e74319f Merge pull request #319 from natrem/detect-elastic-apm
6b8618e Merge pull request #322 from lunasec-io/fix-post-warning
4126b0b Merge pull request #329 from dhoizner/feat/scan-zip-archives
9e91702 Merge pull request #331 from lunasec-io/fix-typo-in-property-name
cf60212 Merge pull request #333 from lunasec-io/log4j-exploit-analysis-blog-post
bb8d253 Tweaks
9f24892 Update Patch section with new notes
254ade8 Update timestamps
fbf14b1 Wordsmithing
195cbc4 add payload url to the print out in the cli
65dbfe8 bump version
400c6e3 feat: scan into zip archives in addition to jar+war
34c7611 fix typo
0e27f16 log4shell and 2.15.0 cves are distinct in findings now
1f0f3bf pull all maven and apache versions of log4j
fc35788 scan library before browsing it
ea2f1af script for downloading all log4j versions
4a3d922 update blog post to fix changes suggested in issues
79aab2e update blog to include java decomp
f42427a use webarchive to reference zero day tweet

v1.1.2-log4shell

15 Dec 09:18

Changelog

898e19d Change links to the generic Releases page
ee9655e Merge branch 'master' into hotpatch-improvements
58e1478 Merge pull request #309 from lunasec-io/blog-includes-hot-patch-cli
f92099d Merge pull request #310 from lunasec-io/cli-ux
2132b5a Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
579472e add docker-compose and update readme with some commands
f1945c3 add live patch blog post
02f39cf added more options to the hotpatch server and added a landing page
cc2b915 blog mentions hot patch cli
4856a51 bump version of log4shell cli
3cf4659 change dependency to not panic
c6a4f57 update blog posts
6187edd update hotpatch server to have more descriptive text

v1.1.1-log4shell

15 Dec 04:48

Changelog

scan now pretty prints results by default

v1.1.0-log4shell

15 Dec 01:29

Changelog

Added hotpatch command which attempts to use the bug against itself to patch the vulnerability in a running server.

Added severity levels to different log4j versions detected by scan, and included 2.15.0 in vulnerable versions.

Commit Log

dfa5cb5 Add CVE number back to first line of text for SEO
f0478fa Add log4j to first sentence
f4ef8a1 Add log4shell CLI tool
3df9089 Add option to write outputs to a file.
007212a Add social links and update main Readme
6849b46 Adding command for running log4shell hotpatch server. The command brings up the servers, but they currently do not work.
2ebe83b Bump version
86d0fb5 Change version to beta
dd21d16 Content reworking
d020276 Enabled options for printing out json for parsing results.
6e88ba6 Fix Master CI
7fa24c4 Fix bad link in blog post
209e3ad Fix bad path
1d79cce Fix entrypoint for package
28f4278 Fix grammar in mitigation guide
18ff24a Fix renamed directory
457d281 Fix script to work with both a specific path or in the current folder
94ce327 Fix typo
aca37df Hotpatching works when being tested locally against vulnerable spring server.
a7384c0 Merge branch 'add-log4shell-cli' of github.com:lunasec-io/lunasec into add-log4shell-cli
86dc397 Merge branch 'master' into add-log4shell-cli
b89fed5 Merge branch 'master' into log4shell-vuln-finder
b7f58e4 Merge pull request #283 from lunasec-io/add-log4shell-cli
ad7840c Merge pull request #285 from lunasec-io/log4shell-vuln-finder
f5e6a3e Merge pull request #286 from lunasec-io/fix-ci-on-master
66cacc5 Merge pull request #288 from lunasec-io/update-mitigation-guide
9a1c3c8 Merge pull request #289 from lunasec-io/fix-bad-link-in-post
78e9ac5 Merge pull request #290 from slovdahl/patch-1
a3e5bfc Merge pull request #293 from lunasec-io/dec13-blog-edits
de48c4d Merge pull request #294 from lunasec-io/add-social-links-to-mitigation-guide
8eb17db Merge pull request #296 from lunasec-io/log4shell-vuln-finder
5252c62 Merge pull request #297 from lunasec-io/mitigation-edits-forrest
708a471 Merge pull request #302 from natrem/patch-1
5fb29d0 Merge pull request #303 from lunasec-io/no-lookups-no-worky
2307b8d Merge remote-tracking branch 'origin/master' into mitigation-edits-forrest
9a9a79a Mitigation edits forrest (#295)
8b896f1 More post cleanup
7831485 More post cleanup
4eac204 Remove thank you line
2279eb6 Scanner finds 2.15 (#305)
91d70d8 Update 2021-12-09-log4j-zero-day.md
90a4e6e Update 2021-12-09-log4j-zero-day.md
d81ffb4 WIP blog post
c59a38a Wrap up the Log4Shell Mitigation Guide doc
312a99d Write up the rest of the blog post
85060ce add contact form, what a doozy
471f56b add warnings about 2.15 and flag
cea63e8 also find war files
a1a365c better warning
ab10a9f big mitigation edits
c76f49b blog edits to header example
b6b2dcd few tiny edits
0431797 fix english (#304)
817388a fix package mistake
d59ad40 fix typo and add CVE name
1c0c95b log4shell scanning cli initial commit
54acae9 make hash downloading automatic even if not using NPM
a9145cf mention log4j 2.16
a2d7637 merge master
7c82887 more CVE mentions
b6a7004 move log4shell to tools
e0f9796 remove bad dep and eslint ignore something
a717e20 small edits linking two blog posts together and other nits
56fe994 update Log4ShellHotpatch
cddae2c update binary name to log4shell
a9199b7 when scanning archives, scan nested ones

v1.0.0-log4shell

13 Dec 08:06

Changelog

Initial release of the log4shell CLI. These changes include functionality for searching directories for files whose hashes match known vulnerable log4j dependencies.