logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Scanner crashes with -Xmx option and very low memory limits #272

Open thl-cmk opened 2 years ago

thl-cmk commented 2 years ago

Hi,

if you run the scanner with the -Xmx option and very low limits (like 1M), then the scanner crashes with

Error: Garbage-collected heap size exceeded.
java.lang.OutOfMemoryError: Garbage-collected heap size exceeded.

Scanner run with -Xmx1M option

$ sudo /usr/lib/check_mk_agent/bin/log4j2-scan / -Xmx1M
Logpresso CVE-2021-44228 Vulnerability Scanner 2.9.1 (2022-02-03)
Scanning directory by user 'root': / (without /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup, /proc/sys/fs/binfmt_misc, /run/user/126, /run/user/1000)

Scanned 1098 directories and 13102 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.07 seconds
Error: Garbage-collected heap size exceeded.
java.lang.OutOfMemoryError: Garbage-collected heap size exceeded.

Scanner run with -Xmx10M option

$ sudo /usr/lib/check_mk_agent/bin/log4j2-scan / -Xmx10M
Logpresso CVE-2021-44228 Vulnerability Scanner 2.9.1 (2022-02-03)
Scanning directory by user 'root': / (without /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup, /proc/sys/fs/binfmt_misc, /run/user/126, /run/user/1000)

Scanned 28716 directories and 221340 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 1.37 seconds

xeraph commented 2 years ago

@thl-cmk In general, that is not an intended memory limit. Most JVM applications cannot run under 64MB.

thl-cmk commented 2 years ago

I see, maybe you can add a lower limit, just to avoid the crash.
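A wrapper that enforces the kind of lower bound asked for above, as an added example rather than code from the logpresso scanner or its maintainers: it parses the `-Xmx` value the way the JVM spells it (k/m/g suffix, bare number = bytes), refuses to launch when the heap would be below a minimum, and otherwise hands the arguments through unchanged. The 64 MB floor follows the maintainer's remark; the scanner path is the one from the report, and both are assumptions to adjust locally.

```shell
#!/bin/sh
# Added example (not part of logpresso/CVE-2021-44228-Scanner): refuse to start
# the scanner with a heap limit so small that it would die with
# OutOfMemoryError mid-scan. MIN_HEAP_MB and SCANNER are assumptions.

MIN_HEAP_MB=64
SCANNER="${SCANNER:-/usr/lib/check_mk_agent/bin/log4j2-scan}"

# xmx_to_mb VALUE: print the heap size in MB, or return 1 if VALUE is malformed.
# Accepts the JVM-style suffixes k/K, m/M, g/G; a bare number is bytes.
xmx_to_mb() {
    val=$1
    num=$(printf '%s' "$val" | sed -n 's/^\([0-9][0-9]*\)[kKmMgG]\{0,1\}$/\1/p')
    [ -n "$num" ] || return 1
    case "$val" in
        *[kK]) bytes=$((num * 1024)) ;;
        *[mM]) bytes=$((num * 1024 * 1024)) ;;
        *[gG]) bytes=$((num * 1024 * 1024 * 1024)) ;;
        *)     bytes=$num ;;
    esac
    echo $((bytes / (1024 * 1024)))
}

# check_xmx VALUE: succeed only if VALUE is well formed and at least MIN_HEAP_MB.
check_xmx() {
    mb=$(xmx_to_mb "$1") || return 1
    [ "$mb" -ge "$MIN_HEAP_MB" ]
}

# run_scan ARGS...: inspect every -Xmx argument before launching the scanner.
# Returns 2 (without launching) when the requested heap is too small or malformed.
run_scan() {
    for arg in "$@"; do
        case "$arg" in
            -Xmx*)
                size=${arg#-Xmx}
                if ! check_xmx "$size"; then
                    echo "refusing to start: -Xmx$size is below the ${MIN_HEAP_MB}M minimum" >&2
                    return 2
                fi ;;
        esac
    done
    "$SCANNER" "$@"
}

# Launch only when arguments were given, so the file can also be sourced for its checks.
if [ $# -gt 0 ]; then
    run_scan "$@"
fi
```

Invoked as `./log4j2-scan-wrapper.sh / -Xmx1M` the wrapper exits with status 2 and a one-line message instead of letting the scan run for a while and then abort; `-Xmx64M` and larger pass through to the real binary.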