xeraph
commented
2 years ago @greg-michael
TL;DR - If scanner detects Log4j version, it is very unlikely to return a false positive.
- First of all, scanner tries to detect if log4j exists.
- If
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.propertiesexists, scanner can read exact log4j 2 version from that manifest file. - If
org/apache/logging/log4j/core/lookup/JndiLookup.classfound, then JAR contains log4j 2 library even if pom.properties does not exist. - Some applications doesn't embed log4j 2 as is. For example, newrelic renamed package name from
org.apache.logging.log4j.coretocom.newrelic.agent.deps.org.apache.logging.log4j.core. It is called 'shaded library'. To detect shaded libary, scanner tries to find zip entry which ends with/log4j/core/lookup/JndiLookup.class. - Scanning is performed recursively. A JAR file can contain JAR files, and those also can contain JAR files.
- If
- Detect log4j version.
- As I said above, scanner can read exact log4j version from pom.properties.
- If JAR doesn't contain pom.properties, then scanner tries to determine log4j version using MD5 hashes.
- If MD5 matches, log4j version is accurately detected.
- See https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/MD5-for-log4j-2.x-classes
- However, scanner cannot match MD5 for shaded libary. MD5 hash is changed if package is renamed.
- Report vulnerable Log4j
- Safe versions are 2.17.1 (for jdk8+) or 2.12.4 (for jdk7) or 2.3.2 (for jdk6)
- If scanner detects Log4j version, then it is very unlikely to return a false positive.
- If scanner cannot detect Log4j version, it report CVE-2021-44228 with potentially vulnerable mark (starts with
[?])
A vendor-provided JAR file - which has been patched by the vendor - is being scanned and is reporting vulnerable to CVE-2021-44228.
Can you provide the exact criteria that would trigger the scanner to report CVE-2021-44228 vulnerabilities in a JAR? I'd like to pass this along to the vendor so that they can confirm the false positive. Since it's a vendor-provided file, I don't know that I can provide it to you for testing without written permission from the vendor.