logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Error with filename recognition #94

Closed theCamelCaser closed 2 years ago

theCamelCaser commented 2 years ago

Hi, we stumbled upon this during our scans:

C:\VM>log4j2-scan-1.6.3.exe --debug log4j-core-2.0-beta7.jar
Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.3 (2021-12-16)
Scanning directory: C:\VM\log4j-core-2.0-beta7.jar
Scan error: 'For input string: "0-beta7"' on file: log4j-core-2.0-beta7.jar
java.lang.NumberFormatException: For input string: "0-beta7"
        at java.lang.Integer.parseInt(Integer.java:652)
        at java.lang.Integer.parseInt(Integer.java:770)
        at com.logpresso.scanner.Log4j2Scanner.loadVulnerableLog4jVersion(Log4j2Scanner.java:1018)
        at com.logpresso.scanner.Log4j2Scanner.checkLog4jVersion(Log4j2Scanner.java:877)
        at com.logpresso.scanner.Log4j2Scanner.scanJarFile(Log4j2Scanner.java:812)
        at com.logpresso.scanner.Log4j2Scanner.traverse(Log4j2Scanner.java:754)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:363)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:117)
        at com.logpresso.scanner.Log4j2Scanner.main(Log4j2Scanner.java:86)

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.01 seconds

Guess he doesn't like to calc with 0-beta ^^

bernysk commented 2 years ago

Same here, tried to download some testing jars and running the tool

log4j2-scan.exe C:\Users\a\Downloads\
Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.3 (2021-12-16)
Scanning directory: C:\Users\a\Downloads
Scan error: 'For input string: "0-alpha1"' on file: C:\Users\a\Downloads\apache-log4j-2.0-alpha1-bin\log4j-2.0-alpha1\log4j-core-2.0-alpha1-tests.jar
Scan error: 'For input string: "0-alpha1"' on file: C:\Users\a\Downloads\apache-log4j-2.0-alpha1-bin\log4j-2.0-alpha1\log4j-core-2.0-alpha1.jar

but other than that it's a great tool, thanks!
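Both reports above fail the same way: the stack trace shows `Integer.parseInt` receiving `"0-beta7"` (and `"0-alpha1"` in the second report), i.e. a version component with its Maven pre-release qualifier still attached. The consequence matters for a scanner: an unhandled exception means that jar is never classified at all. The following is an added example written for this page in Python, not the scanner's own Java code, of a version parser that tolerates `alpha`/`beta`/`rc` qualifiers, orders them before the final release, and degrades to an explicit `unknown` result instead of throwing, so an unparseable jar is surfaced for manual review rather than dropped from the scan. The affected range used here is the one Apache published for CVE-2021-44228 (2.0-beta9 through 2.14.1, with 2.12.2 and 2.3.1 as back-ported fixed releases); the function names and the sample jar names are constructed for the example and are not from the project.

```python
import re

# Affected range as published by Apache for CVE-2021-44228 (not taken from the
# issue thread): 2.0-beta9 through 2.14.1. 2.12.2 and 2.3.1 are back-ported fixes.
FIRST_AFFECTED = "2.0-beta9"
LAST_AFFECTED = "2.14.1"
FIXED_BACKPORTS = {"2.12.2", "2.3.1"}

# Maven-style pre-release qualifiers sort before the final release:
# alpha < beta < rc < final. Anything else is treated as unparseable.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3

# major.minor[.patch][-qualifier[N]]   e.g. 2.14.1, 2.0-beta7, 2.0-alpha1
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")
# Version embedded in a log4j-core jar name, with an optional -tests suffix.
JAR_RE = re.compile(r"^log4j-core-(\d.+?)(?:-tests)?\.jar$", re.IGNORECASE)


def parse_version(text):
    """Turn '2.14.1', '2.0-beta7' or '2.0-alpha1' into a comparable tuple
    (major, minor, patch, qualifier_rank, qualifier_number).
    Raises ValueError for anything it cannot interpret instead of guessing."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    if qualifier is None:
        rank, number = FINAL_RANK, 0
    else:
        rank = QUALIFIER_RANK.get(qualifier.lower())
        if rank is None:  # e.g. SNAPSHOT: do not pretend to know where it sorts
            raise ValueError(f"unknown qualifier in version: {text!r}")
        number = int(qnum or 0)
    return (int(major), int(minor), int(patch or 0), rank, number)


def version_from_jar_name(filename):
    """Extract the version text from a log4j-core jar name, or None if it is
    not a log4j-core jar."""
    m = JAR_RE.match(filename)
    return m.group(1) if m else None


def classify_jar(filename):
    """Classify a jar by file name against the CVE-2021-44228 range.
    Returns 'vulnerable', 'fixed-backport', 'outside-range', 'unknown' or
    'not-log4j-core'. It never raises: a crash here would silently remove the
    file from the scan, which is exactly the failure mode reported above."""
    version_text = version_from_jar_name(filename)
    if version_text is None:
        return "not-log4j-core"
    if version_text in FIXED_BACKPORTS:
        return "fixed-backport"
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"  # surface for manual review rather than drop
    if parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED):
        return "vulnerable"
    # Outside this CVE's range; later Log4j CVEs have their own ranges and
    # are out of scope for this example.
    return "outside-range"


def scan_names(filenames):
    """Classify every name and return {filename: verdict}; nothing is skipped."""
    return {name: classify_jar(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample: the two jar names from the reports plus a few more.
    sample = [
        "log4j-core-2.0-beta7.jar",
        "log4j-core-2.0-alpha1-tests.jar",
        "log4j-core-2.0-beta9.jar",
        "log4j-core-2.14.1.jar",
        "log4j-core-2.12.2.jar",
        "log4j-core-2.0-SNAPSHOT.jar",
        "log4j-api-2.14.1.jar",
    ]
    for name, verdict in scan_names(sample).items():
        print(f"{verdict:15} {name}")
```

The design choice worth noting is that `parse_version` is strict (it raises on a qualifier it does not know) while `classify_jar` is total (it maps that failure to `unknown`): the parser refuses to invent an ordering, and the scan loop turns the refusal into a visible verdict instead of an aborted file.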

xeraph commented 2 years ago

@NineOfSeven @bernysk Thank you for the bug report! I will fix this.

xeraph commented 2 years ago

@NineOfSeven @bernysk Would you test v1.7.0 release?

bernysk commented 2 years ago

Tested 2.0.0, works great, thanks!

theCamelCaser commented 2 years ago

> @NineOfSeven @bernysk Would you test v1.7.0 release?

works 4 me thx

xeraph commented 2 years ago

@bernysk @NineOfSeven Thank you for the test report!