Closed jadamcraig closed 2 years ago
@jadamcraig Hmm... maybe a graalvm native-image bug. Would you try the native binary in the GitHub Actions menu?
https://github.com/logpresso/CVE-2021-44228-Scanner/suites/4726268628/artifacts/130117434
@xeraph --
You may be on to something there!
When I use either the .jar file or the Linux binary from the package.zip download, all works great. However, the binary from the "Releases" page produces the segmentation fault:
JAR from package.zip:
$ sudo java -jar log4j2-scanner-2.5.3.jar --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/299601419)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.1
Scanned 12087 directories and 79608 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.75 seconds
Binary from package.zip:
$ sudo ./log4j2-scanner-linux-amd64 --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/299601419, /run/user/0)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.1
Scanned 12088 directories and 79611 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.67 seconds
JAR from "Releases" page:
$ sudo ./logpresso-log4j2-scan-2.5.3.jar --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/299601419, /run/user/0)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.1
Scanned 12088 directories and 79611 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.67 seconds
Binary from "Releases" page:
$ sudo ./log4j2-scan --exclude-config /etc/sysconfig/log4scan-exclude.conf --report-csv --report-path /var/cache/log4j2-scan-results/log4j2_scan_report.csv --no-empty-report --silent /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/299601419)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in <redacted>, log4j 2.11.1
zsh: segmentation fault sudo logpresso-2.5.3/log4j2-scan
@jadamcraig Thank you for the detailed regression! I will upgrade my local graalvm native-image.
Root cause was the --static option. Maybe this is the same issue. https://github.com/oracle/graal/issues/3099
Stacktrace for the failing thread 0x0000000002b34d40:
SP 0x00007fff65ef9378 IP 0x0000000000000000 IP is not within Java code. Trying frame anchor of last Java frame instead.
SP 0x00007fff65ef9aa0 IP 0x0000000000490fff [image code] com.oracle.svm.core.posix.headers.Pwd.getpwuid(Pwd.java)
SP 0x00007fff65ef9aa0 IP 0x0000000000490fff [image code] com.oracle.svm.core.posix.PosixSystemPropertiesSupport.userHomeValue(PosixSystemPropertiesSupport.java:52)
SP 0x00007fff65ef9ae0 IP 0x000000000047ab46 [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport.userHome(SystemPropertiesSupport.java:240)
SP 0x00007fff65ef9ae0 IP 0x000000000047ab46 [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport$$Lambda$c08be315aa20ccffc6d99c8ceeebd4e4a45b68c0.get(Unknown Source)
SP 0x00007fff65ef9b00 IP 0x000000000047b1eb [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport.initializeLazyValue(SystemPropertiesSupport.java:216)
SP 0x00007fff65ef9b30 IP 0x000000000047aeaf [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport.ensureFullyInitialized(SystemPropertiesSupport.java:148)
SP 0x00007fff65ef9b50 IP 0x00000000006df04d [image code] com.oracle.svm.core.jdk.SystemPropertiesSupport.getProperties(SystemPropertiesSupport.java:164)
SP 0x00007fff65ef9b50 IP 0x00000000006df04d [image code] java.lang.System.getProperties(System.java:270)
SP 0x00007fff65ef9b50 IP 0x00000000006df04d [image code] sun.security.action.GetPropertyAction.privilegedGetProperties(GetPropertyAction.java:148)
SP 0x00007fff65ef9b50 IP 0x00000000006df04d [image code] java.util.TimeZone.setDefaultZone(TimeZone.java:663)
SP 0x00007fff65ef9ba0 IP 0x00000000006de344 [image code] java.util.TimeZone.getDefaultRef(TimeZone.java:653)
SP 0x00007fff65ef9ba0 IP 0x00000000006de344 [image code] java.util.TimeZone.getDefault(TimeZone.java:642)
SP 0x00007fff65ef9bb0 IP 0x0000000000661338 [image code] java.util.Calendar.defaultTimeZone(Calendar.java:1679)
SP 0x00007fff65ef9bd0 IP 0x0000000000661a9b [image code] java.util.Calendar.getInstance(Calendar.java:1660)
SP 0x00007fff65ef9bf0 IP 0x000000000062ef58 [image code] java.text.SimpleDateFormat.initializeCalendar(SimpleDateFormat.java:676)
SP 0x00007fff65ef9c10 IP 0x000000000062c31e [image code] java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:620)
SP 0x00007fff65ef9c40 IP 0x00000000004252ea [image code] java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:599)
SP 0x00007fff65ef9c40 IP 0x00000000004252ea [image code] com.logpresso.scanner.ReportGenerator.generateReportFileName(ReportGenerator.java:122)
SP 0x00007fff65ef9cb0 IP 0x000000000042a8f5 [image code] com.logpresso.scanner.ReportGenerator.writeReportFile(ReportGenerator.java:56)
SP 0x00007fff65ef9d10 IP 0x000000000041f5ff [image code] com.logpresso.scanner.Log4j2Scanner.scanAndFix(Log4j2Scanner.java:234)
SP 0x00007fff65ef9e20 IP 0x000000000041ddfe [image code] com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:83)
SP 0x00007fff65ef9e60 IP 0x000000000041c1dc [image code] com.logpresso.scanner.Log4j2Scanner.main(Log4j2Scanner.java:40)
SP 0x00007fff65ef9e90 IP 0x000000000044e9d6 [image code] com.oracle.svm.core.JavaMainWrapper.runCore(JavaMainWrapper.java:147)
SP 0x00007fff65ef9e90 IP 0x000000000044e9d6 [image code] com.oracle.svm.core.JavaMainWrapper.run(JavaMainWrapper.java:183)
SP 0x00007fff65ef9e90 IP 0x000000000044e9d6 [image code] com.oracle.svm.core.code.IsolateEnterStub.JavaMainWrapper_run_5087f5482cc9a6abc971913ece43acb471d2631b(IsolateEnterStub.java:0)
From a quick look, the binary I've built seems to work. And the release binary works in my Ubuntu/WSL environment, but fails on CentOS 8.
[root@linux target]# ./log4j2-scanner-2.5.3 --report-csv --report-path dummy-mine --no-empty-report --silent /var/lib/
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: /var/lib/ (without /dev, /dev/shm, /run, /sys/fs/cgroup, /var/lib/docker/containers/0cae07a350b8cb5ddab4a4fa180c45136696e92eec73180b9309efc157a68529/mounts/shm, /var/lib/docker/containers/62536bcfef6e494e0f0f097b5b9ef6d1f5fc5d4ba2b0abd860bea52b7bd166f0/mounts/shm, /var/lib/docker/containers/159f93460c89c153ec4f1a26300e96051808120983ce8833fbd7fa23418540ca/mounts/shm, /var/lib/docker/containers/a4fad77231761bfe8a91e21b84d601f5ae46537777a484c23c9b0e1a2a911eba/mounts/shm, /var/lib/docker/containers/f3d5d5d8df3e6de23def463c20930dab5bb441bf8f8a613f0ac71a7a780ab48e/mounts/shm, /var/lib/docker/containers/0bf0d04b0f310a12a44594efc351298369db1ac2f5fbdf9b48838d16fa37a506/mounts/shm, /run/user/0)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/dcbf0d7b201fb78511e7d3db787a82348520cde5397a6267d35ee268fae09c26/diff/usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/dcbf0d7b201fb78511e7d3db787a82348520cde5397a6267d35ee268fae09c26/diff/usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.1.jar, log4j 2.11.1 (mitigated)
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/36bfbe82256d8a9260f3e8afddd65107e13cf0aba9dcc49425d0f9fd584bc183/diff/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45046 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/c68c816c6e8ac7dcb3c6ca11f69962ebf07b846d4317abc1f0624d64f860db56/diff/usr/lib/unifi/lib/log4j-core-2.15.0.jar, log4j 2.15.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a0ff5657327cc73413e9dc957ab8ee7e8c3cac8d62528bb94c20b65f2ff8422e/diff/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a0ff5657327cc73413e9dc957ab8ee7e8c3cac8d62528bb94c20b65f2ff8422e/merged/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
Scanned 47080 directories and 206092 files
Found 5 vulnerable files
Found 0 potentially vulnerable files
Found 1 mitigated files
Completed in 19.29 seconds
[root@linux target]# ./log4j2-scan --report-csv --report-path dummy-mine --no-empty-report --silent /var/lib/
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Error: File already exists - /data/log4j/CVE-2021-44228-Scanner/target/dummy-mine
[root@linux target]# ./log4j2-scan --report-csv --report-path dummy-release --no-empty-report --silent /var/lib/
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: /var/lib/ (without /dev, /dev/shm, /run, /sys/fs/cgroup, /var/lib/docker/containers/0cae07a350b8cb5ddab4a4fa180c45136696e92eec73180b9309efc157a68529/mounts/shm, /var/lib/docker/containers/62536bcfef6e494e0f0f097b5b9ef6d1f5fc5d4ba2b0abd860bea52b7bd166f0/mounts/shm, /var/lib/docker/containers/159f93460c89c153ec4f1a26300e96051808120983ce8833fbd7fa23418540ca/mounts/shm, /var/lib/docker/containers/a4fad77231761bfe8a91e21b84d601f5ae46537777a484c23c9b0e1a2a911eba/mounts/shm, /var/lib/docker/containers/f3d5d5d8df3e6de23def463c20930dab5bb441bf8f8a613f0ac71a7a780ab48e/mounts/shm, /var/lib/docker/containers/0bf0d04b0f310a12a44594efc351298369db1ac2f5fbdf9b48838d16fa37a506/mounts/shm, /run/user/0)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/dcbf0d7b201fb78511e7d3db787a82348520cde5397a6267d35ee268fae09c26/diff/usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.16.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/dcbf0d7b201fb78511e7d3db787a82348520cde5397a6267d35ee268fae09c26/diff/usr/share/elasticsearch/lib/elasticsearch-log4j-7.16.1.jar, log4j 2.11.1 (mitigated)
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/36bfbe82256d8a9260f3e8afddd65107e13cf0aba9dcc49425d0f9fd584bc183/diff/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45046 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/c68c816c6e8ac7dcb3c6ca11f69962ebf07b846d4317abc1f0624d64f860db56/diff/usr/lib/unifi/lib/log4j-core-2.15.0.jar, log4j 2.15.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a0ff5657327cc73413e9dc957ab8ee7e8c3cac8d62528bb94c20b65f2ff8422e/diff/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in /var/lib/docker/overlay2/a0ff5657327cc73413e9dc957ab8ee7e8c3cac8d62528bb94c20b65f2ff8422e/merged/usr/lib/unifi/lib/log4j-core-2.16.0.jar, log4j 2.16.0
Segmentation fault (core dumped)
They are different....
[root@linux target]# file log4j2-scanner-2.5.3 log4j2-scan
log4j2-scanner-2.5.3: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=67c1914437c067fcc85112b6b932d98ebc5f11a3, with debug_info, not stripped, too many notes (256)
log4j2-scan: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=4a76f569c4132e8d7916bc04d4e09987b23a49c1, with debug_info, not stripped
How I've built them:
/data/log4j/graalvm-ce-java11-21.3.0/bin/native-image --static -jar log4j2-scanner-2.5.3.jar log4j2-scanner-2.5.3 -H:-CheckToolchain -H:+AllowIncompleteClasspath
To clarify, feel free to use a dynamically linked binary as default. I try to build my own binaries.
Another datapoint. I've built a version in WSL/Ubuntu, and that one fails in CentOS 8. Quick & dirty experiment: can @xeraph try to change the build pipeline to CentOS 8, and see if the generated binary works? Another difference is that I'm using Java 8 in CentOS & Java 11 in WSL/Ubuntu, but a quick change to Java 11 in CentOS didn't seem to make any change (i.e. it still works for me).
@lmalmeida I've built the release binary on CentOS 7.7.1908 and graalvm-ce-java11-21.0.0.2. Already tried graalvm-ce-java11-21.3.0, graalvm-ce-java17-21.3.0, graalvm-ce-java8-19.3.0.2 on the same machine.
Don't you use musl? I tried it, but native-image with musl fails with a link failure.
If you have just added the --static switch as above, I'll try other OS environments.
Thank you for your help!
Just plain glibc, I believe.
@jadamcraig v2.6.0 release binary is reverted to dynamic link to prevent segmentation fault.
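The failure mode in this thread is a crash after the findings are printed but before the summary and the CSV report are written, which an unattended scan can mistake for a clean run. The following wrapper is an added example, not code from this thread or from the Logpresso project; it assumes the scanner's output is captured to a string, and the sample outputs in it are constructed, modelled on the runs quoted above.

```shell
#!/bin/sh
# Added example, not part of this thread or the Logpresso scanner project.
# The crash discussed above happens after the "[*] Found ..." lines are
# printed but before the summary and the CSV report are written, so an
# unattended run can look like a clean (or empty) scan. This checks the
# captured scanner output for the "Completed in" summary line instead of
# relying on the shell's "Segmentation fault" message, which is not
# printed when the scanner runs from cron or a service unit.

# Returns 0 when the run completed, 1 when it stopped before the summary,
# 2 when the scanner printed an explicit "Error:" line.
scan_run_completed() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^Error:'; then
        return 2
    fi
    if printf '%s\n' "$out" | grep -q '^Completed in [0-9.]* seconds'; then
        return 0
    fi
    return 1
}

# Number of "[*] Found ..." lines, so findings printed before a crash are
# still surfaced (grep -c prints 0 but exits 1 when nothing matches).
count_findings() {
    printf '%s\n' "$1" | grep -c '^\[\*\] Found ' || true
}

# Constructed sample outputs, modelled on the runs quoted in the thread.
SAMPLE_OK='Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /opt/app/lib/log4j-core-2.11.1.jar, log4j 2.11.1
Scanned 12087 directories and 79608 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.75 seconds'

SAMPLE_TRUNCATED='Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: / (without /dev, /dev/shm, /run, /sys/fs/cgroup)
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /opt/app/lib/log4j-core-2.11.1.jar, log4j 2.11.1
Segmentation fault (core dumped)'

SAMPLE_ERROR='Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Error: File already exists - /var/cache/log4j2-scan-results/log4j2_scan_report.csv'
```

Capture a real run with `./log4j2-scan ... 2>&1 | tee scan.log` and pass `"$(cat scan.log)"` to `scan_run_completed`; a non-zero result means the report at `--report-path` was not written for that run and the scan should be repeated with the JAR or a dynamically linked binary.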
Hello!
It appears that scanning using versions after 2.3.7 can produce a segmentation fault on some systems running Enterprise Linux 8.x (including Rocky, CentOS, and RHEL) if CSV reporting is enabled.
Scanning an EL 8.x system using v2.5.1 with reporting disabled:
Scanning the same EL 8.x system using v2.5.1 with CSV reporting enabled:
Scanning the same EL 8.x using v2.3.7 with CSV reporting enabled:
Thanks for the excellent work on this helpful tool!