Closed sunilsrinivas93 closed 2 years ago
@sunilsrinivas93 Use the --scan-log4j1 switch. :D
Hello,
I just noticed that .jar files that are vulnerable to CVE-2021-4104 seem to have a problem when exporting out to .csv or .json.
I run log4j-scan.exe with the parameters --fix --Report-csv --report-json. The console shows that there are findings and that they have been fixed. This is also written to the log file.
If I then run the scan again to check whether everything is OK, the console shows that the files were found but have already been mitigated. However, a different status is written in the report, namely "Potentially vulnerable". This only happens with files that are affected by CVE-2021-4104. All other files are correctly written in the log with "Mitigated".
I can reproduce this on any computer with this CVE.
Thanks for all your work! Regards, Markus
@markus8899 Oh.. I reproduced the bug. Would you open a new issue?
done
Hi Support, it is noticed that the scanner is not scanning CVE-2021-4104 files on the server. The log4j versions are on 1.X.
Regards, Sunil S