The used vulnerable zip
Detects Log4J versions on your file system within any application that are vulnerable to CVE-2021-44228 and CVE-2021-45046. It is able to find instances that are hidden several layers deep. Currently reports log4j-core versions 2.3.1, 2.12.3, and 2.17.0 as _SAFE_, 2.12.2, 2.15.0 and 2.16.0 as _OKAY_ and all other versions as _VULNERABLE_ (although it does report pre-2.0-beta9 as _POTENTIALLY_SAFE_). Works on Linux, Windows, and Mac, and everywhere else Java runs, too! Can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended into uber jars, shaded jars, and even exploded jar files just sitting uncompressed on the file-system (aka *.class). It reports older log4j-1.x versions as _OLD_. We currently maintain a collection of log4j-samples we use for testing.

How It Works

The Java compiler stores String literals directly in the compiled *.class files. If log4j-detector detects a file named "JndiManager.class" on your file system, it then examines that file for this String: "Invalid JNDI URI - ". Turns out that specific String literal is only present in the patched version of Log4J (version 2.15.0). Any versions of Log4J without that String are vulnerable.

How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?

Great question! Since we include the complete source code here in Github (all 750 lines of Java), as well as the steps to build it, and since this tool has zero dependencies, it shouldn't take too long to carefully study the code to your satisfaction. If you don't trust Maven you can go directly into the "src/main/java/com/mergebase/log4j" directory and type "javac *.java". That works, too!

Understanding The Results

_VULNERABLE_ -> You need to upgrade or remove this file.
_OKAY_ -> We only report this for Log4J versions 2.15.0 and 2.16.0.
_SAFE_ -> We currently only report this for Log4J versions 2.17.0 and 2.12.2.
_OLD_ -> You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and has several known vulnerabilities.
_POTENTIALLY_SAFE_ -> The "JndiLookup.class" file is not present, either because your version of Log4J is very old (pre-2.0-beta9), or because someone already removed this file.
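The string-literal check and the nested-archive walk described above, written out as an added Python example (this is not MergeBase's log4j-detector code, which is Java): it descends into jars nested inside jars, looks for JndiLookup.class and JndiManager.class by file name, and searches the manager class bytes for the 2.15.0 literal. All function names, the sample jars and their fake class bodies are constructed for this example; it implements only the single check the text describes, so it cannot tell 2.17.0 (_SAFE_) from 2.15.0 (_OKAY_) and does not classify 1.x (_OLD_).

```python
# Added example, not the project's own code: a minimal re-implementation of the
# README's detection rules.
#   - no JndiLookup.class anywhere                          -> _POTENTIALLY_SAFE_
#   - JndiManager.class contains "Invalid JNDI URI - "      -> _OKAY_ (2.15.0-level patch)
#   - JndiLookup.class present, no such literal             -> _VULNERABLE_
import io
import os
import zipfile

JNDI_LOOKUP = "JndiLookup.class"
JNDI_MANAGER = "JndiManager.class"
# javac stores ASCII string literals in the class file's constant pool as
# modified UTF-8, so a plain byte search finds them without parsing the file.
PATCH_MARKER = b"Invalid JNDI URI - "
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _scan_zip_bytes(data, found):
    """Walk an archive held in memory, descending into nested archives
    (spring-boot BOOT-INF/lib, uber/shaded jars) and recording what it meets."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not really a zip (e.g. a .jar that is a text file): skip it
    with zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base == JNDI_LOOKUP:
                found["lookup"] = True
            elif base == JNDI_MANAGER:
                found["manager"] = zf.read(info)
            elif base.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_zip_bytes(zf.read(info), found)  # one layer deeper


def verdict(found):
    """Map what was found onto the README's result labels."""
    if not found["lookup"]:
        return "_POTENTIALLY_SAFE_"
    manager = found["manager"]
    if manager is not None and PATCH_MARKER in manager:
        return "_OKAY_"
    return "_VULNERABLE_"


def scan_archive_bytes(data):
    """Classify one archive (jar/war/ear/zip) given its bytes."""
    found = {"lookup": False, "manager": None}
    _scan_zip_bytes(data, found)
    return verdict(found)


def scan_exploded_dir(root):
    """Same rules for a jar unpacked on disk as loose *.class files."""
    found = {"lookup": False, "manager": None}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == JNDI_LOOKUP:
                found["lookup"] = True
            elif name == JNDI_MANAGER:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    found["manager"] = fh.read()
    return verdict(found)


# ---- constructed samples: fake class bodies, not real log4j bytes ----
def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


LOOKUP = "org/apache/logging/log4j/core/lookup/" + JNDI_LOOKUP
MANAGER = "org/apache/logging/log4j/core/net/" + JNDI_MANAGER
MAGIC = b"\xca\xfe\xba\xbe"  # class-file magic, so the fakes look the part

SAMPLE_VULNERABLE = _make_jar({LOOKUP: MAGIC + b"lookup", MANAGER: MAGIC + b"no marker"})
SAMPLE_PATCHED = _make_jar({LOOKUP: MAGIC + b"lookup", MANAGER: MAGIC + PATCH_MARKER})
SAMPLE_REMOVED = _make_jar({MANAGER: MAGIC + b"no marker"})  # JndiLookup.class deleted
# executable spring-boot style jar with the vulnerable sample nested inside it
SAMPLE_NESTED = _make_jar({"BOOT-INF/lib/log4j-core-sample.jar": SAMPLE_VULNERABLE})

if __name__ == "__main__":
    for label, jar in [("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED),
                       ("lookup removed", SAMPLE_REMOVED), ("nested", SAMPLE_NESTED)]:
        print(f"{label:15s} {scan_archive_bytes(jar)}")
```

The matching is by base file name only, exactly as the text describes, so a shaded jar that relocates the package path is still caught; a jar carrying two copies of log4j-core keeps only the last JndiManager.class it sees, which a real scanner would report separately.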