logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Help read/interpret output #118

Closed tp111 closed 2 years ago

tp111 commented 2 years ago

So when I scan including --scan-log4j1 I get this output. How should I interpret it when the same file, like "client.jar", is MITIGATED & POTENTIALLY_VULNERABLE at the same time? Also, what about "bookitboot.jar" "N/A - potentially vulnerable","POTENTIALLY_VULNERABLE"?

Hostname,Path,Entry,Version,Status,Fixed,Detected at
Computername,"C:\Program Files (x86)\Axiell\BOOK-IT10.2\lib\bookitboot.jar","","N/A - potentially vulnerable","POTENTIALLY_VULNERABLE","","2021-12-17 12:57:05"
Computername,"C:\Program Files (x86)\Axiell\BOOK-IT10.2\lib\client.jar","","2.7","MITIGATED","","2021-12-17 12:57:05"
Computername,"C:\Program Files (x86)\Axiell\BOOK-IT10.2\lib\client.jar","","1.2.17","POTENTIALLY_VULNERABLE","","2021-12-17 12:57:05"
Computername,"C:\Users\utb2\BOOK-IT\lib\10.1\client.jar","","2.7","MITIGATED","","2021-12-17 12:57:07"
Computername,"C:\Users\utb2\BOOK-IT\lib\10.1\client.jar","","1.2.17","POTENTIALLY_VULNERABLE","","2021-12-17 12:57:07"
xeraph commented 2 years ago

Maybe a bug.. I will check it soon.

xeraph commented 2 years ago

@tp111 Would you unzip client.jar and upload the following files?

META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
META-INF/maven/log4j/log4j/pom.properties

If you can rename client.jar to client.jar.zip and upload it, it will be the best.

tp111 commented 2 years ago

bookitboot.jar.zip Here you go, but there are no folders in the META-INF folder.

xeraph commented 2 years ago

@tp111 bookit.jar contains no pom.properties, therefore the scanner cannot determine the log4j version. However, since it contains JMSAppender.class, it is marked as potentially vulnerable. It is a log4j 1.2.x binary.

client.jar may contain both log4j1 and log4j2 classes. Would you upload client.jar?

xeraph commented 2 years ago

v2.3.6 added Product and CVE code to report file for better readability.

tp111 commented 2 years ago

Can't upload Client.jar. Get "in not included in the list"

tp111 commented 2 years ago

> @tp111 Would you unzip client.jar and upload the following files?
>
> META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
> META-INF/maven/log4j/log4j/pom.properties
>
> If you can rename client.jar to client.jar.zip and upload it, it will be the best.

Core.jar-files.zip Here are the properties files

xeraph commented 2 years ago

@tp111 In your Core.jar-files.zip, /pom.properties specifies that this jar has log4j-core 2.7 binaries.

#Generated by Maven
#Sun Oct 02 11:24:13 MST 2016
version=2.7
groupId=org.apache.logging.log4j
artifactId=log4j-core

However, log4j1 class files are actually detected as well. The scanner gets confused.

Summary:

In some cases, one jar can contain both 1.x and 2.x classes.
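The detection logic xeraph describes in this thread (read the Maven pom.properties for log4j-core and log4j to get a version; when that metadata is missing, fall back to marker classes such as JMSAppender.class for 1.2.x; report a jar that carries both families as two separate findings) can be reproduced in a few lines of Python. The following is an added example and is not code from logpresso/CVE-2021-44228-Scanner. The status strings mirror the scanner's CSV output quoted above; the rule that a 2.x jar counts as MITIGATED when JndiLookup.class has been removed is an assumption about the scanner, not something stated in this issue. The sample jar is constructed in memory with placeholder class bytes.

```python
"""Report log4j 1.x and 2.x markers found in a single jar (added example)."""
import io
import zipfile

# Entry names the thread relies on. The two pom.properties paths are the ones
# xeraph asked for; the class paths are the standard log4j package layout.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # 2.x marker
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # 1.2.x marker


def parse_properties(text: str) -> dict:
    """Minimal parser for Maven pom.properties (key=value, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def scan_jar(data: bytes) -> list:
    """Return (product, version, status) tuples; one jar may yield several.

    Version comes from pom.properties when present. Without it the scanner
    can only say 'N/A - potentially vulnerable' from the marker class, which
    is exactly the bookitboot.jar row in the thread.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())

        # log4j 2.x: version from metadata, MITIGATED if JndiLookup.class is
        # absent (assumed scanner rule, see lead-in), otherwise VULNERABLE.
        if LOG4J2_POM in names:
            props = parse_properties(zf.read(LOG4J2_POM).decode("utf-8", "replace"))
            version = props.get("version", "N/A")
            status = "VULNERABLE" if JNDI_LOOKUP in names else "MITIGATED"
            findings.append(("log4j-core", version, status))
        elif JNDI_LOOKUP in names:
            findings.append(("log4j-core", "N/A - potentially vulnerable", "POTENTIALLY_VULNERABLE"))

        # log4j 1.x: version from metadata when available, else JMSAppender.class.
        if LOG4J1_POM in names:
            props = parse_properties(zf.read(LOG4J1_POM).decode("utf-8", "replace"))
            findings.append(("log4j", props.get("version", "N/A"), "POTENTIALLY_VULNERABLE"))
        elif JMS_APPENDER in names:
            findings.append(("log4j", "N/A - potentially vulnerable", "POTENTIALLY_VULNERABLE"))
    return findings


def build_jar(entries: dict) -> bytes:
    """Construct an in-memory jar from {entry_name: bytes_or_str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_jar() -> bytes:
    """Constructed sample: a log4j-core 2.7 jar with JndiLookup removed that
    also bundles a log4j 1.2.x appender class, like client.jar in the thread."""
    return build_jar({
        LOG4J2_POM: "#Generated by Maven\nversion=2.7\n"
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",  # placeholder
        JMS_APPENDER: b"\xca\xfe\xba\xbe",                                  # placeholder
    })


if __name__ == "__main__":
    for product, version, status in scan_jar(build_sample_jar()):
        print(f"{product},{version},{status}")
```

Run on the constructed sample, the script emits two rows for one jar (log4j-core 2.7 MITIGATED and log4j N/A POTENTIALLY_VULNERABLE), which is the situation the reporter saw for client.jar: the two CSV rows describe two different log4j families inside the same file, not a contradiction.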