fox-it / log4j-finder

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)
MIT License
435 stars, 97 forks

Not working for log4j-1.x where JMSAppender.class exists #65

Open prsng opened 2 years ago

prsng commented 2 years ago

We are using logpresso scanner and it seems to be flagging a lot more files with potential vulnerability after log4j 1.x was added to the CVEs. log4j-finder is however skipping those files entirely and not flagging anything.

I am curious as to which one is reliable and why it is that log4j-finder thinks that this one is not potentially vulnerable.

Attaching a file for reference: log4j.jar.zip.

yunzheng commented 2 years ago

This tool was mainly developed to catch vulnerable log4j 2.x versions. There is a ticket to add log4j 1.x support; see #14.

The next version will probably also have support for this and for other corner cases.
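To illustrate the coverage gap this issue describes, here is an added example that is not log4j-finder's own code: it walks a JAR, including nested archives, and reports both the log4j 1.x `JMSAppender.class` entry named in the issue title and a log4j 2.x marker class. The specific 2.x marker (`JndiLookup.class`) and the in-memory nested-archive handling are assumptions about how such a scanner works, not details taken from the thread; the sample WAR is constructed inline.

```python
"""Added example (not log4j-finder's code): report Log4j 1.x and 2.x marker
classes inside an archive, descending into nested JARs/WARs in memory."""
import io
import zipfile

# Marker class paths. The 1.x entry is the class this issue is about; the 2.x
# entry is an assumed marker of the kind 2.x-focused scanners key on.
MARKERS = {
    "org/apache/log4j/net/JMSAppender.class": "log4j 1.x (JMSAppender present)",
    "org/apache/log4j/core/lookup/JndiLookup.class": "log4j 2.x (JndiLookup present)",
}
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_jar_bytes(data, path="<root>", depth=0):
    """Return (location, finding) pairs for every marker class in the archive.
    Nested archives are read into memory and scanned recursively."""
    findings = []
    if depth > 5:  # guard against pathological nesting
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive: nothing to report
    with zf:
        for name in zf.namelist():
            if name in MARKERS:
                findings.append((f"{path}!{name}", MARKERS[name]))
            elif name.lower().endswith(NESTED_SUFFIXES):
                findings.extend(scan_jar_bytes(zf.read(name), f"{path}!{name}", depth + 1))
    return findings


def build_sample_jar():
    """Constructed fixture: a WAR bundling a log4j 1.x jar (with JMSAppender)
    and a log4j 2.x core jar (with JndiLookup). Class bodies are placeholder
    bytes; only the entry names matter for this scan."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for entry in entries:
                z.writestr(entry, b"\xca\xfe\xba\xbe")
        return buf.getvalue()
    log4j1 = jar(["org/apache/log4j/Logger.class", "org/apache/log4j/net/JMSAppender.class"])
    log4j2 = jar(["org/apache/log4j/core/lookup/JndiLookup.class"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/lib/log4j-1x.jar", log4j1)
        z.writestr("WEB-INF/lib/log4j-core.jar", log4j2)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for location, finding in scan_jar_bytes(build_sample_jar(), "app.war"):
        print(f"{finding}: {location}")
```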