google / log4jscanner

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.
Apache License 2.0
1.56k stars, 121 forks

Correctly detect vulnerable log4j <2.1 #54

Closed singlethink closed 2 years ago

singlethink commented 2 years ago

This change correctly detects vulnerable log4j versions <2.1, which do not contain JndiManager.class, by detecting the presence of ReflectiveCallerClassUtility.class which was present in all log4j releases >=2.0-beta9 and <2.1.

nikaiw commented 2 years ago

Would you consider detecting something related to the vulnerability instead such as the presence of "javax.naming.InitialContext" in jndilookup ? E.g: https://github.com/nikaiw/log4jscanner/blob/0def0d6a7ba714dbcfd1565a2954290948d2f062/jar/jar.go#L328
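The two detection ideas in this thread (the presence of ReflectiveCallerClassUtility.class as a marker for log4j >=2.0-beta9 and <2.1, and a JndiLookup.class that still references javax.naming.InitialContext) can be combined in one JAR walk. The following is an added example written for this discussion, not code from the log4jscanner project or from either commenter: it matches entries by file-name suffix rather than assuming full package paths, looks for the slash-separated internal name `javax/naming/InitialContext` (the form a class reference takes in a compiled class file's constant pool), and builds a constructed in-memory JAR with placeholder entry contents, so it runs offline against no real artifact.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// Finding records one JAR entry that indicates a vulnerable log4j build.
type Finding struct {
	Entry  string
	Reason string
}

// initialContextRef is the internal (slash-separated) form of the class name
// javax.naming.InitialContext, which is how a reference to that class is
// stored in a compiled .class file's constant pool.
const initialContextRef = "javax/naming/InitialContext"

// ScanJar inspects every entry of a JAR (a zip archive) and reports:
//   - a JndiLookup.class that still references javax.naming.InitialContext
//     (the lookup has not been neutered), and
//   - a ReflectiveCallerClassUtility.class, which shipped in log4j
//     >=2.0-beta9 and <2.1, releases that have no JndiManager.class.
// Entries are matched by file-name suffix so no package path is assumed.
func ScanJar(r io.ReaderAt, size int64) ([]Finding, error) {
	zr, err := zip.NewReader(r, size)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range zr.File {
		switch {
		case strings.HasSuffix(f.Name, "/JndiLookup.class"):
			rc, err := f.Open()
			if err != nil {
				return nil, err
			}
			data, err := io.ReadAll(rc)
			rc.Close()
			if err != nil {
				return nil, err
			}
			if bytes.Contains(data, []byte(initialContextRef)) {
				findings = append(findings, Finding{f.Name, "JndiLookup still references javax.naming.InitialContext"})
			}
		case strings.HasSuffix(f.Name, "/ReflectiveCallerClassUtility.class"):
			findings = append(findings, Finding{f.Name, "class only shipped in log4j >=2.0-beta9 and <2.1"})
		}
	}
	return findings, nil
}

// ScanJarBytes is a convenience wrapper for an in-memory JAR.
func ScanJarBytes(jar []byte) ([]Finding, error) {
	return ScanJar(bytes.NewReader(jar), int64(len(jar)))
}

// BuildSampleJar assembles a constructed in-memory zip from name -> content
// pairs. The contents are placeholders, not real compiled class files.
func BuildSampleJar(entries map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, data := range entries {
		fw, err := w.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write(data); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample (entry paths and bytes are placeholders): a pre-2.1
	// style JAR with no JndiManager.class, the reflective helper present, and
	// a JndiLookup that still references InitialContext.
	jar, err := BuildSampleJar(map[string][]byte{
		"org/apache/logging/log4j/core/lookup/JndiLookup.class":            []byte("\xca\xfe\xba\xbe..." + initialContextRef + "..."),
		"org/apache/logging/log4j/core/ReflectiveCallerClassUtility.class": []byte("\xca\xfe\xba\xbe placeholder"),
	})
	if err != nil {
		panic(err)
	}
	findings, err := ScanJarBytes(jar)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Entry, f.Reason)
	}
}
```

The InitialContext check is the more durable of the two signals: it keys on the property that makes the lookup dangerous rather than on which helper classes happened to ship in a given release, so a backported or vendor-patched JndiLookup that dropped the reference is not flagged. A real scanner should also recurse into nested JARs (WAR/EAR) and read only the entries it needs rather than the whole archive.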

singlethink commented 2 years ago

Sure

singlethink commented 2 years ago

Done

ericchiang commented 2 years ago

@ddworken mind taking a look at this one?

singlethink commented 2 years ago

Added a comment to document the commit that removed InitialContext from JndiLookup