logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Alpine linux support #170

Closed lmalmeida closed 2 years ago

lmalmeida commented 2 years ago

The current binary does not support Alpine Linux or RHEL 6. An alternative is to build a (fully) static binary.

Example command line to build:

native-image --static -jar log4j2-scanner-2.3.7.jar log4j2-scanner-2.3.7 -H:-CheckToolchain -H:+AllowIncompleteClasspath 

I primarily suggest a change to the documentation.

xeraph commented 2 years ago

@lmalmeida Would you test this binary? I will release it if it works as expected. logpresso-log4j2-scan-2.3.7-linux-static.tar.gz

lmalmeida commented 2 years ago

Seems to work. For reference, I've used containers to test it, similar to:

#FROM centos:6
FROM tomcat:alpine
COPY log4j2-scan-static /tmp
RUN /tmp/log4j2-scan-static /

xeraph commented 2 years ago

@lmalmeida Thank you very much. The --static switch was what I was looking for. Additionally, I had to run yum install glibc-static to use the --static switch.

xeraph commented 2 years ago

@lmalmeida Just released v2.4.0. Would you test it?

jgstew commented 2 years ago

Does this static option remove the dependency on glibc? Does the same option work on Windows to remove the need for the VC++ runtime?

xeraph commented 2 years ago

@jgstew Yes. I applied the same option for the Windows build.

$ file log4j2-scan
log4j2-scan: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=c19344ff54e5eaa74a485f5be0f45df5c4b533f8, not stripped

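
An added example, not part of the thread or of the project's code: the "statically linked" verdict in the `file` output above can be reproduced by reading the ELF program headers and looking for a `PT_INTERP` entry, which names the runtime loader that must exist on the target host (a glibc loader path is normally absent on a stock Alpine image). The helper names and the sample images are constructed for illustration, and only ELF64 is handled.

```python
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3  # program header types from the ELF specification

def elf_linkage(data):
    """Report how a 64-bit ELF image expects to be loaded."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    interp, dynamic = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from(end + "IIQ", data, off)
        (p_filesz,) = struct.unpack_from(end + "Q", data, off + 0x20)
        if p_type == PT_INTERP:
            # Path of the runtime loader the kernel must find on the target host.
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            dynamic = True
    return {"interp": interp, "dynamic_section": dynamic, "static": interp is None}

def sample_elf(interp=None):
    """Constructed headers-only ELF64 image, used only to exercise the parser."""
    phdrs = [(1, 0, 0)]  # one PT_LOAD entry
    if interp:
        phdrs.append((PT_INTERP, 64 + 56 * 2, len(interp)))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 62, 1,
                       0x400000, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, size, size, 1)
                    for t, off, size in phdrs)
    return ehdr + body + (interp or b"")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real binary, e.g. the released log4j2-scan
        with open(sys.argv[1], "rb") as fh:
            print(elf_linkage(fh.read()))
    else:
        print(elf_linkage(sample_elf()))
        print(elf_linkage(sample_elf(b"/lib64/ld-linux-x86-64.so.2\0")))
```

A result with `static` true and `dynamic_section` true indicates a static-PIE image, which still needs no external loader.
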
lmalmeida commented 2 years ago

Tested v2.4.1. Seems to work. Thanks

lmalmeida commented 2 years ago

BTW, for Windows, it still has dependencies.

D:\temp>dumpbin /dependents log4j2-scan.exe
Microsoft (R) COFF/PE Dumper Version 14.30.30706.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file log4j2-scan.exe

File Type: EXECUTABLE IMAGE

  Image has the following dependencies:

    VERSION.dll
    ADVAPI32.dll
    WS2_32.dll
    USERENV.dll
    MSWSOCK.dll
    USER32.dll
    KERNEL32.dll
    VCRUNTIME140.dll
    api-ms-win-crt-runtime-l1-1-0.dll
    api-ms-win-crt-environment-l1-1-0.dll
    api-ms-win-crt-heap-l1-1-0.dll
    api-ms-win-crt-string-l1-1-0.dll
    api-ms-win-crt-convert-l1-1-0.dll
    api-ms-win-crt-stdio-l1-1-0.dll
    api-ms-win-crt-filesystem-l1-1-0.dll
    api-ms-win-crt-math-l1-1-0.dll
    api-ms-win-crt-locale-l1-1-0.dll
    IPHLPAPI.DLL

  Summary

        2000 .data
        3000 .pdata
       14000 .rdata
        5000 .reloc
        4000 .rodata
      61F000 .svm_hea
      47A000 .text

xeraph commented 2 years ago

Oh no... then --static doesn't work for the Windows version. Fixed the v2.4.0 release note.

xeraph commented 2 years ago

@lmalmeida Do you have any idea? Segmentation fault when System.getProperty() or new SimpleDateFormat() is invoked. https://github.com/logpresso/CVE-2021-44228-Scanner/issues/192#issuecomment-999648864

I guess I'll have to give up static build...