mergebase / log4j-detector

A public open-source tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc.) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

638 stars, 98 forks

Detect log4j 2.15.x also as vulnerable #22

Closed: ChKemper closed this 2 years ago

ChKemper commented 2 years ago

According to this Apache post, all versions < 2.16.0 should be detected as vulnerable.

juliusmusseau commented 2 years ago

Okay, we'll do that shortly.

juliusmusseau commented 2 years ago

Done. Reports it like so:

/var/tmp/ll/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
/var/tmp/ll/log4j-core-2.12.2.jar contains Log4J-2.x   >= 2.12.2 _SAFE_ :-)
/var/tmp/ll/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
/var/tmp/ll/log4j-core-2.15.0.jar contains Log4J-2.x   >= 2.15.0 _OKAY_ :-|
/var/tmp/ll/log4j-core-2.16.0.jar contains Log4J-2.x   >= 2.16.0 _SAFE_ :-)

Also exits with non-zero for 2.15.0.

Good scans print this message now:

-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046 !  :-)
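The status mapping the maintainer reports above (2.x below 2.15 vulnerable, 2.12.2 and 2.16.0+ safe, 2.15.x only "okay" because CVE-2021-45046 remains, non-zero exit unless everything is safe) is small enough to express in a few lines. The following is an added example, not log4j-detector's own code: it infers the version from a `log4j-core-<version>.jar` filename (an assumption made for the demo; the real tool inspects jar contents, which also catches shaded and nested copies), handles only the 2.x line, and prints lines in the same shape as the scanner output quoted in the thread.

```python
import re
import sys
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption for this demo: the version is read from the jar's filename.
# A real scanner identifies Log4J by jar contents, not by name.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple that compares numerically."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def classify(v: Version) -> str:
    """Map a Log4J 2.x version to the status the thread shows.

    SAFE        2.16.0 and later, and the 2.12.2+ backport line
    OKAY        2.15.x: CVE-2021-44228 fixed, CVE-2021-45046 still open
    VULNERABLE  every other 2.x release
    Only the 2.x line is handled here (assumption); other majors raise.
    """
    major, minor, patch = v
    if major != 2:
        raise ValueError(f"only Log4J 2.x is handled, got {major}.{minor}.{patch}")
    if v >= (2, 16, 0):
        return "SAFE"
    if minor == 15:
        return "OKAY"
    if minor == 12 and patch >= 2:
        return "SAFE"
    return "VULNERABLE"


def version_from_path(path: str) -> Optional[Version]:
    """Return the version encoded in a log4j-core jar filename, or None."""
    m = JAR_RE.search(path)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, version, status) for every path that looks like a log4j-core jar."""
    results = []
    for p in paths:
        v = version_from_path(p)
        if v is None:
            continue  # not a log4j-core jar by name; ignored in this demo
        results.append((p, ".".join(map(str, v)), classify(v)))
    return results


def exit_code(results: List[Tuple[str, str, str]]) -> int:
    """Non-zero unless every finding is SAFE; OKAY (2.15.x) still fails, as the thread states."""
    return 0 if all(status == "SAFE" for _, _, status in results) else 1


def report(results: List[Tuple[str, str, str]]) -> List[str]:
    """Render findings in the same shape as the scanner output quoted above."""
    face = {"VULNERABLE": ":-(", "OKAY": ":-|", "SAFE": ":-)"}
    return [f"{p} contains Log4J-2.x {ver} _{status}_ {face[status]}" for p, ver, status in results]


# Constructed sample input: the five jar names from the thread plus one unrelated file.
SAMPLE_PATHS = [
    "/var/tmp/ll/log4j-core-2.10.0.jar",
    "/var/tmp/ll/log4j-core-2.12.2.jar",
    "/var/tmp/ll/log4j-core-2.14.1.jar",
    "/var/tmp/ll/log4j-core-2.15.0.jar",
    "/var/tmp/ll/log4j-core-2.16.0.jar",
    "/var/tmp/ll/README.txt",
]

if __name__ == "__main__":
    res = scan_paths(sys.argv[1:] or SAMPLE_PATHS)
    print("\n".join(report(res)))
    if exit_code(res) == 0:
        print("-- Congratulations, the supplied paths are not vulnerable to "
              "CVE-2021-44228 or CVE-2021-45046 !  :-)")
    sys.exit(exit_code(res))
```

Run it with no arguments to see the sample report, or pass jar paths on the command line; the process exit status is what a CI job or fleet-wide scan script would key on, and the "okay" tier is deliberately treated as a failure so that a 2.15.0 host is not waved through.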