logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Addressing CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307 #259

Open jamesdpatterson opened 2 years ago

jamesdpatterson commented 2 years ago

In terms of log4j version 1.x, there were three new CVEs disclosed last week.

Could we also have the ability to strip JMSSink.class (CVE-2022-23302) and the chainsaw classes (CVE-2022-23307)? The other new issue is CVE-2022-23305, but this is mitigated by removing JMSAppender.class which is already in the code.

Here are the key lines from the RedHat descriptions of the three new CVEs:

https://access.redhat.com/security/cve/cve-2022-23302 Remove the JMSSink class from the server's jar files. For example: zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class

https://access.redhat.com/security/cve/CVE-2022-23305 Remove the JDBCAppender class from the server's jar files. For example: zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class

https://access.redhat.com/security/cve/CVE-2022-23307 Remove the Chainsaw classes from the log4j jar files. For example: zip -q -d log4j-*.jar org/apache/log4j/chainsaw/

Thanks for all your work,

James.

xeraph commented 2 years ago

@jamesdpatterson Would you test v2.8.0 release?

bonsei0 commented 2 years ago

Hi, I just tested the new version 2.8.1. Removed step by step the classes from a log4j 1 jar file:

$ file=log4j-1.2.17.jar

$ ./log4j2-scan $file --scan-log4j1
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /home/webadm/dummy_log4j_jar/log4j-1.2.17_miti.jar, log4j 1.2.17

$ zip -q -d "$file" org/apache/log4j/net/JMSAppender.class
$ ./log4j2-scan $file --scan-log4j1
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /home/webadm/dummy_log4j_jar/log4j-1.2.17_miti.jar, log4j 1.2.17

$ zip -q -d "$file" org/apache/log4j/net/SocketServer.class
$ ./log4j2-scan $file --scan-log4j1
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /home/webadm/dummy_log4j_jar/log4j-1.2.17_miti.jar, log4j 1.2.17

Output is always CVE-2021-4104 Vulnerable. Doesn't matter if CVE-2021-4104 (JMSAppender) is already mitigated. I thought output may change to the next vulnerable CVE?

When all classes are removed, I get: [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /home/webadm/dummy_log4j_jar/log4j-1.2.17_miti.jar, log4j 1.2.17 (mitigated)

The final result (vulnerable/mitigated) is ok. But the CVE number doesn't really match.
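The two posts above (the request to strip JMSSink, JDBCAppender and the chainsaw classes, and the test showing that the scanner reports a single CVE regardless of which classes have already been removed) describe a per-CVE check that can be expressed in a few lines. The following is an added example, not code from the logpresso scanner: it maps each log4j 1.x CVE named in this thread to the JAR entries quoted from the Red Hat advisories (plus JMSAppender.class for CVE-2021-4104), reports which CVEs still have their indicator entries present, and rebuilds the JAR without those entries the way `zip -q -d` does. The sample JAR is constructed in memory with placeholder class contents; the function names are assumptions.

```python
import io
import zipfile

# log4j 1.x CVE -> JAR entries whose presence means the affected component is
# still shipped. Paths are taken from the Red Hat advisories quoted in this
# thread; a trailing "/" marks a directory prefix (the whole chainsaw package).
LOG4J1_CVE_ENTRIES = {
    "CVE-2021-4104": ["org/apache/log4j/net/JMSAppender.class"],
    "CVE-2022-23302": ["org/apache/log4j/net/JMSSink.class"],
    "CVE-2022-23305": ["org/apache/log4j/jdbc/JDBCAppender.class"],
    "CVE-2022-23307": ["org/apache/log4j/chainsaw/"],
}


def _matches(name, entry):
    """True when JAR entry `name` is the file `entry` or lies under directory `entry`."""
    if entry.endswith("/"):
        return name.startswith(entry)
    return name == entry


def jar_entries(jar_bytes):
    """List the entry names of an in-memory JAR (a JAR is a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def unmitigated_cves(jar_bytes):
    """Return, sorted, every CVE whose indicator entries are still in the JAR.

    Unlike a single representative code, this tells an operator exactly which
    mitigations from the advisories have not yet been applied to this file.
    """
    names = jar_entries(jar_bytes)
    found = []
    for cve, entries in LOG4J1_CVE_ENTRIES.items():
        if any(_matches(n, e) for e in entries for n in names):
            found.append(cve)
    return sorted(found)


def strip_entries(jar_bytes, cves):
    """Return a new JAR with the indicator entries of the given CVEs removed.

    This is the in-memory equivalent of `zip -q -d log4j-*.jar <entry>`: every
    other entry is copied through unchanged, so the rest of the library keeps working.
    """
    targets = [e for cve in cves for e in LOG4J1_CVE_ENTRIES[cve]]
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if any(_matches(info.filename, t) for t in targets):
                continue  # dropped, like zip -d
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar():
    """Constructed stand-in for log4j-1.2.17.jar; only the entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        zf.writestr("org/apache/log4j/net/JMSAppender.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/JMSSink.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/jdbc/JDBCAppender.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/chainsaw/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("before:", unmitigated_cves(jar))
    # Apply only the JMSAppender mitigation, as in the test sequence above:
    # the report should now move on to the remaining CVEs rather than repeat CVE-2021-4104.
    partial = strip_entries(jar, ["CVE-2021-4104"])
    print("after removing JMSAppender:", unmitigated_cves(partial))
    clean = strip_entries(jar, list(LOG4J1_CVE_ENTRIES))
    print("after all mitigations:", unmitigated_cves(clean))
```

Run against a real file with `unmitigated_cves(open("log4j-1.2.17.jar", "rb").read())`; an empty list corresponds to the scanner's "(mitigated)" verdict, and a non-empty list names the mitigations still outstanding.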

xeraph commented 2 years ago

@bonsei0 Thank you for the detailed report. However, the scanner presents only a representative CVE code for simplicity. Since log4j1 has multiple vulnerabilities, it is quite difficult to read the scan report if the scanner prints all CVE codes for a single JAR file.

Even if you eliminated some classes from the JAR file, the scanner detects the vulnerability to support vulnerable file identification and the patch process. (You should contact the vendor and upgrade the application.)

However, many users (#233, #237) want to see all CVE codes and the mitigation history for vulnerable files. We are preparing a new web service called Logpresso Watch and a scanner release for this.