mergebase / log4j-detector

A public open-source tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Detection of Log4j 1.x as vulnerable #67

Closed dnjoe96 closed 2 years ago

dnjoe96 commented 2 years ago

According to https://logging.apache.org/log4j/2.x/security.html, "Log4j 1.x is not impacted by this vulnerability." Currently the scanner detects this version as vulnerable, which is corroborated by the README, which states "Currently reports log4j-core versions 2.3.1, 2.12.3, and 2.17.0 as SAFE, 2.12.2, 2.15.0 and 2.16.0 as OKAY and all other versions as VULNERABLE".

rgmz commented 2 years ago

@dnjoe96 Can you share some output where log4j 1.x is detected as VULNERABLE? I've only seen it marked as "OLD".

juliusmusseau commented 2 years ago

I've updated the README.md to try and make this a little clearer:

Currently reports log4j-core versions 2.3.1, 2.12.3, and 2.17.0 as SAFE, 2.12.2, 2.15.0 and 2.16.0 as OKAY and all other versions as VULNERABLE (although it does report pre-2.0-beta9 as _POTENTIALLY_SAFE_). It reports older log4j-1.x versions as OLD.

(Technically, "log4j-core" was never released as a 1.x, because back then the artifact name was "log4j/log4j", and it was renamed to "log4j-core" starting with version 2.0, but that level of technical pedantry about the history of log4j component names probably not helpful to most people.)

rgmz commented 2 years ago

(Technically, "log4j-core" was never released as a 1.x, because back then the artifact name was "log4j/log4j", and it was renamed to "log4j-core" starting with version 2.0, but that level of technical pedantry about the history of log4j component names probably not helpful to most people.)

It's a common source of confusion that 1.x was literally called log4j but 2.x was released under a different groupId (org.apache.logging.log4j) and split into different modules.
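The classification rule quoted from the README above (SAFE / OKAY / POTENTIALLY_SAFE / VULNERABLE for log4j-core, OLD for log4j 1.x), together with the artifact-naming point that 1.x is `log4j:log4j` while 2.x is `org.apache.logging.log4j:log4j-core`, as an added example in Python. This is not code from this issue or from log4j-detector itself: it reads the Maven coordinates from `META-INF/maven/<groupId>/<artifactId>/pom.properties` inside a jar, applies the README's rule, and descends into nested archives (WEB-INF/lib, fat jars). The version sets are the ones in the README text quoted in the thread at that time; `make_jar` builds constructed in-memory sample jars so the example runs offline, and treating artifacts other than log4j-core and log4j 1.x as "not covered" (`None`) is an assumption made here.

```python
import io
import re
import zipfile

# Version sets copied from the README text quoted in this thread (at that time).
SAFE = {"2.3.1", "2.12.3", "2.17.0"}
OKAY = {"2.12.2", "2.15.0", "2.16.0"}

# Maven coordinates of the two code bases (see the naming discussion above).
LOG4J_1X = ("log4j", "log4j")
LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")

NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def is_pre_2_0_beta9(version):
    """True for 2.0-alphaN and 2.0-beta1..8, which predate the JndiLookup plugin
    (CVE-2021-44228 starts at 2.0-beta9); the README calls these POTENTIALLY_SAFE."""
    m = re.fullmatch(r"2\.0-(alpha|beta)(\d+)", version)
    if m is None:
        return False
    return m.group(1) == "alpha" or int(m.group(2)) < 9


def classify(group_id, artifact_id, version):
    """Apply the README's rule to one set of Maven coordinates.

    Returns OLD / SAFE / OKAY / POTENTIALLY_SAFE / VULNERABLE, or None for
    artifacts the rule does not mention (log4j-api, other libraries). The None
    case is an assumption of this example, not something the README states."""
    if (group_id, artifact_id) == LOG4J_1X:
        return "OLD"                      # 1.x is a different code base
    if (group_id, artifact_id) != LOG4J_CORE:
        return None
    if version in SAFE:
        return "SAFE"
    if version in OKAY:
        return "OKAY"
    if is_pre_2_0_beta9(version):
        return "POTENTIALLY_SAFE"
    return "VULNERABLE"                   # "all other versions"


def coordinates_from_jar(data):
    """Read (groupId, artifactId, version) from the first
    META-INF/maven/<groupId>/<artifactId>/pom.properties in a jar (a zip)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= set(props):
                return props["groupId"], props["artifactId"], props["version"]
    return None


def scan(data, path):
    """Return [(path, label)] for every covered log4j artifact in this archive
    or in archives nested inside it, however many layers deep."""
    results = []
    coords = coordinates_from_jar(data)
    if coords is not None:
        label = classify(*coords)
        if label is not None:
            results.append((path, label))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(NESTED_SUFFIXES):
                results.extend(scan(zf.read(name), f"{path}!{name}"))
    return results


def make_jar(group_id=None, artifact_id=None, version=None, nested=()):
    """Constructed sample jar for offline testing: an optional pom.properties
    plus optional nested archives given as (entry name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if group_id is not None:
            zf.writestr(f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
                        f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n")
        for name, blob in nested:
            zf.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    inner = make_jar("org.apache.logging.log4j", "log4j-core", "2.14.1")
    legacy = make_jar("log4j", "log4j", "1.2.17")
    war = make_jar(nested=[("WEB-INF/lib/log4j-core-2.14.1.jar", inner),
                           ("WEB-INF/lib/log4j-1.2.17.jar", legacy)])
    for path, label in scan(war, "app.war"):
        print(f"{label:16} {path}")
```

Two caveats for anyone adapting this. First, it keys entirely on `pom.properties`, so a shaded or repackaged copy of log4j-core with the Maven metadata stripped is invisible to it; that is exactly why a real scanner looks at the class files instead. Second, the SAFE/OKAY sets are a snapshot of the README at the time of this thread, so any later release not in those sets would fall through to VULNERABLE; the list has to be updated with each new log4j-core release.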

dnjoe96 commented 2 years ago

@dnjoe96 Can you share some output where log4j 1.x is detected as VULNERABLE? I've only seen it marked as "OLD".

Okay, seeing as the README has been updated, it is satisfactory now. I will ask my customer to refer to the updated README that had them cringing.

I'm sorry, I did not get this output. I merely confirmed the customer's concerns with the README of the application. Thank you.

dnjoe96 commented 2 years ago

Thank you for this. Great work!