logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Beginning with v2.4.0, CSV reporting can produce a segmentation fault on Enterprise Linux 8.x systems (Rocky, RHEL, CentOS) #192

Closed jadamcraig closed 2 years ago

jadamcraig commented 2 years ago

Hello!

It appears that scanning using versions after 2.3.7 can produce a segmentation fault on some systems running Enterprise Linux 8.x (including Rocky, CentOS, and RHEL) if CSV reporting is enabled.

Scanning an EL 8.x system using v2.5.1 with reporting disabled:

$ sudo /usr/local/bin/log4j2-scan --exclude-config /etc/sysconfig/log4scan-exclude.conf --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.1 (2021-12-21)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /tmp, /run/user/299601419)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.0
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.0
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.13.3
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.13.3
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in <redacted>, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in <redacted>, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in <redacted>, log4j 2.16.0

Scanned 15848 directories and 113952 files
Found 7 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 62.75 seconds

Scanning the same EL 8.x system using v2.5.1 with CSV reporting enabled:

$ sudo /usr/local/bin/log4j2-scan --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.1 (2021-12-21)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /tmp, /run/user/299601419)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.0
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.0
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.13.3
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.13.3
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in <redacted>, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in <redacted>, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in <redacted>, log4j 2.16.0
zsh: segmentation fault  sudo /usr/local/bin/log4j2-scan

Scanning the same EL 8.x using v2.3.7 with CSV reporting enabled:

$ sudo /usr/local/bin/log4j2-scan --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.7 (2021-12-20)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /tmp, /run/user/299601419)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.0
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.0
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.13.3
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.13.3
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in <redacted>, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in <redacted>, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in <redacted>, log4j 2.16.0

Scanned 15848 directories and 113953 files
Found 7 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 60.60 seconds

Thanks for the excellent work on this helpful tool!

xeraph commented 2 years ago

@jadamcraig Hmm.. maybe a graalvm native-image bug.. Would you try the native binary from the GitHub Actions menu?

https://github.com/logpresso/CVE-2021-44228-Scanner/suites/4726268628/artifacts/130117434

jadamcraig commented 2 years ago

@xeraph --

You may be on to something there!

When I use either the .jar file or the Linux binary from the package.zip download, all works great. However, the binary from the "Releases" page produces the segmentation fault:

JAR from package.zip:

$ sudo java -jar log4j2-scanner-2.5.3.jar --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/299601419)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.1

Scanned 12087 directories and 79608 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.75 seconds

Binary from package.zip:

$ sudo ./log4j2-scanner-linux-amd64 --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/299601419, /run/user/0)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.1

Scanned 12088 directories and 79611 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.67 seconds

JAR from "Releases" page:

$ sudo ./logpresso-log4j2-scan-2.5.3.jar --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/299601419, /run/user/0)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.1

Scanned 12088 directories and 79611 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.67 seconds

Binary from "Releases" page:

$ sudo ./log4j2-scan --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/299601419)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.1
zsh: segmentation fault  sudo logpresso-2.5.3/log4j2-scan

xeraph commented 2 years ago

@jadamcraig Thank you for the detailed regression! I will upgrade my local graalvm native-image.

xeraph commented 2 years ago

Root cause was the --static option. Maybe this is the same issue: https://github.com/oracle/graal/issues/3099

Stacktrace for the failing thread 0x0000000002b34d40:
  SP 0x00007fff65ef9378 IP 0x0000000000000000  IP is not within Java code. Trying frame anchor of last Java frame instead.
  SP 0x00007fff65ef9aa0 IP 0x0000000000490fff  [image code] com.oracle.svm.core.posix.headers.Pwd.getpwuid(Pwd.java)
  SP 0x00007fff65ef9aa0 IP 0x0000000000490fff  [image code] com.oracle.svm.core.posix.PosixSystemPropertiesSupport.userHomeValue(PosixSystemPropertiesSupport.java:52)
  SP 0x00007fff65ef9ae0 IP 0x000000000047ab46  [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport.userHome(SystemPropertiesSupport.java:240)
  SP 0x00007fff65ef9ae0 IP 0x000000000047ab46  [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport$$Lambda$c08be315aa20ccffc6d99c8ceeebd4e4a45b68c0.get(Unknown Source)
  SP 0x00007fff65ef9b00 IP 0x000000000047b1eb  [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport.initializeLazyValue(SystemPropertiesSupport.java:216)
  SP 0x00007fff65ef9b30 IP 0x000000000047aeaf  [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport.ensureFullyInitialized(SystemPropertiesSupport.java:148)
  SP 0x00007fff65ef9b50 IP 0x00000000006df04d  [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport.getProperties(SystemPropertiesSupport.java:164)
  SP 0x00007fff65ef9b50 IP 0x00000000006df04d  [image code] java.lang.System.getProperties(System.java:270)
  SP 0x00007fff65ef9b50 IP 0x00000000006df04d  [image code] sun.security.action.GetPropertyAction.privilegedGetProperties(GetPropertyAction.java:148)
  SP 0x00007fff65ef9b50 IP 0x00000000006df04d  [image code] java.util.TimeZone.setDefaultZone(TimeZone.java:663)
  SP 0x00007fff65ef9ba0 IP 0x00000000006de344  [image code] java.util.TimeZone.getDefaultRef(TimeZone.java:653)
  SP 0x00007fff65ef9ba0 IP 0x00000000006de344  [image code] java.util.TimeZone.getDefault(TimeZone.java:642)
  SP 0x00007fff65ef9bb0 IP 0x0000000000661338  [image code] java.util.Calendar.defaultTimeZone(Calendar.java:1679)
  SP 0x00007fff65ef9bd0 IP 0x0000000000661a9b  [image code] java.util.Calendar.getInstance(Calendar.java:1660)
  SP 0x00007fff65ef9bf0 IP 0x000000000062ef58  [image code] java.text.SimpleDateFormat.initializeCalendar(SimpleDateFormat.java:676)
  SP 0x00007fff65ef9c10 IP 0x000000000062c31e  [image code] java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:620)
  SP 0x00007fff65ef9c40 IP 0x00000000004252ea  [image code] java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:599)
  SP 0x00007fff65ef9c40 IP 0x00000000004252ea  [image code] com.logpresso.scanner.ReportGenerator.generateReportFileName(ReportGenerator.java:122)
  SP 0x00007fff65ef9cb0 IP 0x000000000042a8f5  [image code] com.logpresso.scanner.ReportGenerator.writeReportFile(ReportGenerator.java:56)
  SP 0x00007fff65ef9d10 IP 0x000000000041f5ff  [image code] com.logpresso.scanner.Log4j2Scanner.scanAndFix(Log4j2Scanner.java:234)
  SP 0x00007fff65ef9e20 IP 0x000000000041ddfe  [image code] com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:83)
  SP 0x00007fff65ef9e60 IP 0x000000000041c1dc  [image code] com.logpresso.scanner.Log4j2Scanner.main(Log4j2Scanner.java:40)
  SP 0x00007fff65ef9e90 IP 0x000000000044e9d6  [image code] com.oracle.svm.core.JavaMainWrapper.runCore(JavaMainWrapper.java:147)
  SP 0x00007fff65ef9e90 IP 0x000000000044e9d6  [image code] com.oracle.svm.core.JavaMainWrapper.run(JavaMainWrapper.java:183)
  SP 0x00007fff65ef9e90 IP 0x000000000044e9d6  [image code] com.oracle.svm.core.code.IsolateEnterStub.JavaMainWrapper_run_5087f5482cc9a6abc971913ece43acb471d2631b(IsolateEnterStub.java:0)

lmalmeida commented 2 years ago
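A pre-rollout smoke test for a scanner release binary, added here as an example and not code from the project: it checks with file(1) whether the ELF is statically linked, runs the binary with the same --report-csv flags used in this issue against a scratch directory, and turns the exit status into a label (139 is 128+SIGSEGV, the crash in the stack trace above). The scanner path passed as $1 is the only assumed input.

```shell
#!/bin/sh
# Added example (not project code): smoke-test a log4j2-scan release binary
# before rolling it out. The report flags match the ones used in this issue.

# Map a shell exit status to a label. A status above 128 means the process was
# killed by a signal; 139 = 128 + 11 (SIGSEGV), the crash seen in this thread.
exit_class() {
  if [ "$1" -eq 0 ]; then
    echo ok
  elif [ "$1" -eq 139 ]; then
    echo segfault
  elif [ "$1" -gt 128 ]; then
    echo "signal $(( $1 - 128 ))"
  else
    echo "error $1"
  fi
}

# Classify a binary's linking with file(1), the same check lmalmeida ran.
# Prints "static", "dynamic" or "unknown" (file missing or unrecognised output).
link_kind() {
  desc=$(file -b "$1" 2>/dev/null) || desc=""
  case "$desc" in
    *"statically linked"*)  echo static ;;
    *"dynamically linked"*) echo dynamic ;;
    *)                      echo unknown ;;
  esac
}

# Run the scanner with CSV reporting against a scratch directory and classify
# the outcome. A fresh report path is used each time, so the scanner's
# "File already exists" refusal (seen above) cannot mask a crash.
smoke_test() {
  scanner=$1
  work=$(mktemp -d) || return 1
  mkdir -p "$work/scan"
  status=0
  "$scanner" --report-csv --report-path "$work/report.csv" \
    --no-empty-report --silent "$work/scan" >/dev/null 2>&1 || status=$?
  rm -rf "$work"
  exit_class "$status"
}

# Usage: sh smoke.sh /path/to/log4j2-scan
if [ -n "$1" ]; then
  echo "link:   $(link_kind "$1")"
  echo "report: $(smoke_test "$1")"
fi
```

A "static" link result together with a "segfault" report result reproduces exactly the combination this issue describes, and is the signal to fall back to the JAR or a dynamically linked build.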

From a quick look, the binary I've built seems to work. And the release binary works in my Ubuntu/WSL environment, but fails on CentOS 8.

[root@linux target]# ./log4j2-scanner-2.5.3 --report-csv --report-path dummy-mine --no-empty-report --silent /var/lib/
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: /var/lib/ (without /dev, /dev/shm, /run, /sys/fs/cgroup, /var/lib/docker/containers/0cae07a350b8cb5ddab4a4fa180c45136696e92eec73180b9309efc157a68529/mounts/shm, /var/lib/docker/containers/62536bcfef6e494e0f0f097b5b9ef6d1f5fc5d4ba2b0abd860bea52b7bd166f0/mounts/shm, /var/lib/docker/containers/159f93460c89c153ec4f1a26300e96051808120983ce8833fbd7fa23418540ca/mounts/shm, /var/lib/docker/containers/a4fad77231761bfe8a91e21b84d601f5ae46537777a484c23c9b0e1a2a911eba/mounts/shm, /var/lib/docker/containers/f3d5d5d8df3e6de23def463c20930dab5bb441bf8f8a613f0ac71a7a780ab48e/mounts/shm, /var/lib/docker/containers/0bf0d04b0f310a12a44594efc351298369db1ac2f5fbdf9b48838d16fa37a506/mounts/shm, /run/user/0)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/dcbf0d7b201fb78511e7d3db787a82348520cde5397a6267d35ee268fae09c26/diff/usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/dcbf0d7b201fb78511e7d3db787a82348520cde5397a6267d35ee268fae09c26/diff/usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.1.jar, log4j 2.11.1 (mitigated)
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/36bfbe82256d8a9260f3e8afddd65107e13cf0aba9dcc49425d0f9fd584bc183/diff/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45046 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/c68c816c6e8ac7dcb3c6ca11f69962ebf07b846d4317abc1f0624d64f860db56/diff/usr/lib/unifi/lib/log4j-core-2.15.0.jar, log4j 2.15.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a0ff5657327cc73413e9dc957ab8ee7e8c3cac8d62528bb94c20b65f2ff8422e/diff/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a0ff5657327cc73413e9dc957ab8ee7e8c3cac8d62528bb94c20b65f2ff8422e/merged/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0

Scanned 47080 directories and 206092 files
Found 5 vulnerable files
Found 0 potentially vulnerable files
Found 1 mitigated files
Completed in 19.29 seconds
[root@linux target]# ./log4j2-scan --report-csv --report-path dummy-mine --no-empty-report --silent /var/lib/
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Error: File already exists - /data/log4j/CVE-2021-44228-Scanner/target/dummy-mine
[root@linux target]# ./log4j2-scan --report-csv --report-path dummy-release --no-empty-report --silent /var/lib/
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: /var/lib/ (without /dev, /dev/shm, /run, /sys/fs/cgroup, /var/lib/docker/containers/0cae07a350b8cb5ddab4a4fa180c45136696e92eec73180b9309efc157a68529/mounts/shm, /var/lib/docker/containers/62536bcfef6e494e0f0f097b5b9ef6d1f5fc5d4ba2b0abd860bea52b7bd166f0/mounts/shm, /var/lib/docker/containers/159f93460c89c153ec4f1a26300e96051808120983ce8833fbd7fa23418540ca/mounts/shm, /var/lib/docker/containers/a4fad77231761bfe8a91e21b84d601f5ae46537777a484c23c9b0e1a2a911eba/mounts/shm, /var/lib/docker/containers/f3d5d5d8df3e6de23def463c20930dab5bb441bf8f8a613f0ac71a7a780ab48e/mounts/shm, /var/lib/docker/containers/0bf0d04b0f310a12a44594efc351298369db1ac2f5fbdf9b48838d16fa37a506/mounts/shm, /run/user/0)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/dcbf0d7b201fb78511e7d3db787a82348520cde5397a6267d35ee268fae09c26/diff/usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/dcbf0d7b201fb78511e7d3db787a82348520cde5397a6267d35ee268fae09c26/diff/usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.1.jar, log4j 2.11.1 (mitigated)
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/36bfbe82256d8a9260f3e8afddd65107e13cf0aba9dcc49425d0f9fd584bc183/diff/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45046 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/c68c816c6e8ac7dcb3c6ca11f69962ebf07b846d4317abc1f0624d64f860db56/diff/usr/lib/unifi/lib/log4j-core-2.15.0.jar, log4j 2.15.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a0ff5657327cc73413e9dc957ab8ee7e8c3cac8d62528bb94c20b65f2ff8422e/diff/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a0ff5657327cc73413e9dc957ab8ee7e8c3cac8d62528bb94c20b65f2ff8422e/merged/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
Segmentation fault (core dumped)

They are different....

[root@linux target]# file log4j2-scanner-2.5.3 log4j2-scan
log4j2-scanner-2.5.3: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=67c1914437c067fcc85112b6b932d98ebc5f11a3, with debug_info, not stripped, too many notes (256)
log4j2-scan:          ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=4a76f569c4132e8d7916bc04d4e09987b23a49c1, with debug_info, not stripped

How I've built them:

/data/log4j/graalvm-ce-java11-21.3.0/bin/native-image --static -jar log4j2-scanner-2.5.3.jar log4j2-scanner-2.5.3 -H:-CheckToolchain -H:+AllowIncompleteClasspath

lmalmeida commented 2 years ago

To clarify, feel free to use a dynamically linked binary as default. I try to build my own binaries.

lmalmeida commented 2 years ago

Another datapoint. I've built a version in WSL/Ubuntu, and that one fails in CentOS 8. Quick & dirty experiment: can @xeraph try to change the build pipeline to CentOS 8 and see if the generated binary works? Another difference is that I'm using Java 8 in CentOS and Java 11 in WSL/Ubuntu, but a quick change to Java 11 in CentOS didn't seem to make any difference (i.e. it still works for me).

xeraph commented 2 years ago

@lmalmeida I've built release binary on CentOS 7.7.1908 and graalvm-ce-java11-21.0.0.2. Already tried graalvm-ce-java11-21.3.0, graalvm-ce-java17-21.3.0, graalvm-ce-java8-19.3.0.2 on same machine.

Don't you use musl? I tried it, but native-image with musl fails with a link failure. If you just added the --static switch as above, I'll try other OS environments. Thank you for your help!

lmalmeida commented 2 years ago

Just plain glibc, I believe

xeraph commented 2 years ago

@jadamcraig v2.6.0 release binary is reverted to dynamic link to prevent segmentation fault.