{"id":13621832,"url":"https://github.com/logpresso/CVE-2021-44228-Scanner","last_synced_at":"2025-04-15T05:32:36.549Z","repository":{"id":41246206,"uuid":"437261211","full_name":"logpresso/CVE-2021-44228-Scanner","owner":"logpresso","description":"Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228","archived":false,"fork":false,"pushed_at":"2022-04-07T14:47:03.000Z","size":5310,"stargazers_count":853,"open_issues_count":49,"forks_count":175,"subscribers_count":33,"default_branch":"main","last_synced_at":"2024-08-01T21:49:23.207Z","etag":null,"topics":["cve-2021-4104","cve-2021-42550","cve-2021-44228","cve-2021-44832","cve-2021-45046","cve-2021-45105","cve-2022-23302","cve-2022-23305","cve-2022-23307","log4j2","patch","scanner"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/logpresso.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-11T11:18:46.000Z","updated_at":"2024-07-10T15:59:55.000Z","dependencies_parsed_at":"2022-08-02T11:53:10.472Z","dependency_job_id":null,"html_url":"https://github.com/logpresso/CVE-2021-44228-Scanner","commit_stats":null,"previous_names":[],"tags_count":60,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logpresso%2FCVE-2021-44228-Scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logpresso%2FCVE-2021-44228-Scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logpresso%2FCVE-2021-44228-Scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logpresso%2FCVE-2021-44228-Scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/logpresso","download_url":"https://codeload.github.com/logpresso/CVE-2021-44228-Scanner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223661152,"owners_count":17181611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2021-4104","cve-2021-42550","cve-2021-44228","cve-2021-44832","cve-2021-45046","cve-2021-45105","cve-2022-23302","cve-2022-23305","cve-2022-23307","log4j2","patch","scanner"],"created_at":"2024-08-01T21:01:11.004Z","updated_at":"2024-11-08T09:30:19.802Z","avatar_url":"https://github.com/logpresso.png","language":"Java","funding_links":[],"categories":["Java","Software Composition Analysis"],"sub_categories":[],"readme":"![Logpresso Logo](logo.png)\n\nlog4j2-scan is a single-binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patching. It also supports scanning and patching nested JAR files. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-44832 (log4j 2.17.0), CVE-2021-4104, CVE-2019-17571, CVE-2017-5645, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.\n\n### Log4j Risk Management\nYou can integrate log4j2-scan with the [Logpresso Watch](https://logpresso.watch) service for reporting and patch management. Visit https://logpresso.watch for details.\n\n### Download\n* [log4j2-scan 3.0.1 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-win64.7z)\n* [log4j2-scan 3.0.1 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-win64.zip)\n  * If you get a `VCRUNTIME140.dll not found` error, install the [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).\n  * If the native executable doesn't work, use the JAR instead. 32-bit is not supported.\n  * 7zip is available from www.7zip.org, and is open source and free.\n* [log4j2-scan 3.0.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-linux.tar.gz)\n* [log4j2-scan 3.0.1 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-linux-aarch64.tar.gz)\n  * If the native executable doesn't work, use the JAR instead. 32-bit is not supported.\n* [log4j2-scan 3.0.1 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-darwin.zip)\n* [log4j2-scan 3.0.1 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1.jar)\n\n### Build\n* [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)\n\n### How to use\nJust run log4j2-scan.exe or log4j2-scan with the target directory path. The logpresso-log4j2-scan.jar should work with JRE/JDK 7+.\n\nThe `--fix` option is supported for the following vulnerabilities:\n* Log4j v2\n  * CVE-2021-44228 (JndiLookup)\n  * CVE-2021-45046 (JndiLookup)\n* Log4j v1\n  * CVE-2021-4104 (JMSAppender)\n  * CVE-2019-17571 (SocketServer)\n  * CVE-2020-9488 (SMTPAppender)\n  * CVE-2022-23302 (JMSSink)\n  * CVE-2022-23305 (JDBCAppender)\n  * CVE-2022-23307 (chainsaw package)\n\nThe `--fix` option doesn't mitigate the following vulnerabilities:\n* Log4j v2\n  * CVE-2021-44832 (JDBCAppender)\n  * CVE-2021-45105 (DoS)\n  * CVE-2017-5645 (SocketServer)\n  * CVE-2020-9488 (SMTPAppender)\n* Logback\n  * CVE-2021-42550\n\nUsage\n```\nLogpresso CVE-2021-44228 Vulnerability Scanner 3.0.1 (2022-02-13)\nUsage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2\n\n-f [config_file_path]\n        Specify config file path which contains scan target paths.\n        Paths should be separated by new line. Prepend # for comment.\n--scan-log4j1\n        Enables scanning for log4j 1 versions.\n--scan-logback\n        Enables scanning for logback CVE-2021-42550.\n--scan-zip\n        Scan also .zip extension files. This option may slow down scanning.\n--zip-charset\n        Specify an alternate zip encoding other than utf-8. System default charset is used if not specified.\n--fix\n        Backup original file and remove JndiLookup.class from JAR recursively.\n        With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class,\n        JMSSink.class, JDBCAppender.class, and all classes of org.apache.log4j.chainsaw package\n--force-fix\n        Do not prompt confirmation. Don't use this option unless you know what you are doing.\n--restore [backup_file_path]\n        Unfix JAR files using zip archived file.\n--backup-path [zip_output_path]\n        Specify backup file path.\n--backup-ext [zip]\n        Specify backup file extension. zip by default.\n        If --backup-path is specified, this option is ignored.\n--all-drives\n        Scan all drives on Windows\n--drives c,d\n        Scan specified drives on Windows. Spaces are not allowed here.\n--no-symlink\n        Do not detect symlink as vulnerable file.\n--exclude [path_prefix]\n        Path prefixes of directories whose absolute path starts with the specified value will be excluded.\n        Does not support relative paths. You can specify multiple --exclude [path_prefix] pairs\n--exclude-config [config_file_path]\n        Specify exclude path prefix list in text file. Paths should be separated by new line. Prepend # for comment.\n--exclude-pattern [pattern]\n        Exclude specified paths of directories by pattern. Supports fragments.\n        You can specify multiple --exclude-pattern [pattern] pairs (non regex)\n--exclude-file-config [config_file_path]\n        Specify exclude file path list in text file. Paths should be separated by new line. Prepend # for comment.\n--exclude-fs nfs,tmpfs\n        Exclude paths by file system type. nfs, nfs3, nfs4, afs, cifs, autofs,\n        tmpfs, devtmpfs, fuse.sshfs, smbfs and iso9660 is ignored by default.\n--api-key [key]\n        Send reports to Logpresso Watch service.\n--http-proxy [addr:port]\n        Send reports via specified HTTP proxy server.\n--syslog-udp [host:port]\n        Send reports to remote syslog host.\n        Send vulnerable, potentially vulnerable, and mitigated reports by default.\n--syslog-level [level]\n        Send reports only if report is higher or equal to specified level.\n        Specify alert for vulnerable and potentially vulnerable reports.\n        Specify info for vulnerable, potentially vulnerable, and mitigated reports.\n        Specify debug for vulnerable, potentially vulnerable, mitigated, and error reports.\n--syslog-facility [code]\n        Default value is 16 (LOCAL0). Facility value must be in the range of 0 to 23 inclusive.\n--rfc5424\n        Follow RFC5424 The Syslog Protocol strictly.\n--report-csv\n        Generate log4j2_scan_report_yyyyMMdd_HHmmss.csv in working directory if not specified otherwise via --report-path [path]\n--report-json\n        Generate log4j2_scan_report_yyyyMMdd_HHmmss.json in working directory if not specified otherwise via --report-path [path]\n--report-patch\n        Report also patched log4j file.\n--report-path\n        Specify report output path including filename. Implies --report-csv.\n--report-dir\n        Specify report output directory. Implies --report-csv.\n--no-empty-report\n        Do not generate empty report.\n--csv-log-path\n        Specify csv log file path. If log file exists, log will be appended.\n--json-log-path\n        Specify json log file path. If log file exists, log will be appended.\n--old-exit-code\n        Return sum of vulnerable and potentially vulnerable files as exit code.\n--debug\n        Print exception stacktrace for debugging.\n--trace\n        Print all directories and files while scanning.\n--silent\n        Do not print progress message.\n--throttle\n        Limit scan files per second.\n--help\n        Print this help.\n```\n\nOn Windows\n```\nlog4j2-scan [--fix] target_path\n```\nOn Linux\n```\n./log4j2-scan [--fix] target_path\n```\nOn UNIX (AIX, Solaris, and so on)\n```\njava -jar logpresso-log4j2-scan-3.0.1.jar [--fix] target_path\n```\n\nIf you add the `--fix` option, this program copies the vulnerable original JAR file to a .bak file and creates a new JAR file without the `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into a single zip file named `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, the JNDI lookup feature is not used. However, you use this option at your own risk. You can easily restore the original vulnerable JAR files using the `--restore` option.\n\nDepending on the operating system:\n\n- Windows: It is necessary to shut down any running JVM process before applying the patch, because open JAR files are locked. Start the affected JVM process after the fix.\n- Linux/macOS: Apply the patch, then restart the JVM.\n\nIf you want to automate the patch job, use the `--force-fix` option. With this option, the program no longer prompts for confirmation.\n\nThe `(mitigated)` tag is displayed if the `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry has been removed from the JAR file.\n\nIf you add the `--trace` option, this program prints all visited directories and files. Use this option only for debugging.\n\nOn Windows:\n```\nCMD\u003e log4j2-scan.exe D:\\tmp\n[*] Found CVE-2021-44228 vulnerability in D:\\tmp\\elasticsearch-7.16.0\\bin\\elasticsearch-sql-cli-7.16.0.jar, log4j 2.11.1\n[*] Found CVE-2021-44228 vulnerability in D:\\tmp\\elasticsearch-7.16.0\\lib\\log4j-core-2.11.1.jar, log4j 2.11.1\n[*] Found CVE-2021-44228 vulnerability in D:\\tmp\\flink-1.14.0\\lib\\log4j-core-2.14.1.jar, log4j 2.14.1\n[*] Found CVE-2021-44228 vulnerability in D:\\tmp\\logstash-7.16.0\\logstash-core\\lib\\jars\\log4j-core-2.14.0.jar, log4j 2.14.0\n[*] Found CVE-2021-44228 vulnerability in D:\\tmp\\logstash-7.16.0\\vendor\\bundle\\jruby\\2.5.0\\gems\\logstash-input-tcp-6.2.1-java\\vendor\\jar-dependencies\\org\\logstash\\inputs\\logstash-input-tcp\\6.2.1\\logstash-input-tcp-6.2.1.jar, log4j 2.9.1\n[*] Found CVE-2021-44228 vulnerability in D:\\tmp\\solr-7.7.3\\solr-7.7.3\\contrib\\prometheus-exporter\\lib\\log4j-core-2.11.0.jar, log4j 2.11.0\n[*] Found CVE-2021-44228 vulnerability in D:\\tmp\\solr-7.7.3\\solr-7.7.3\\server\\lib\\ext\\log4j-core-2.11.0.jar, log4j 2.11.0\n[*] Found CVE-2021-44228 vulnerability in D:\\tmp\\solr-8.11.0\\contrib\\prometheus-exporter\\lib\\log4j-core-2.14.1.jar, log4j 2.14.1\n[*] Found CVE-2021-44228 vulnerability in D:\\tmp\\solr-8.11.0\\server\\lib\\ext\\log4j-core-2.14.1.jar, log4j 2.14.1\n\nScanned 5047 directories and 26251 files\nFound 9 vulnerable files\nCompleted in 0.42 seconds\n```\n\n### How it works\nRuns in the following steps:\n1. Find all .jar, .war, .ear, .aar, .rar, .nar files recursively.\n2. Find the `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` entry in the JAR file.\n3. Read groupId, artifactId, and version.\n4. Compare the log4j2 version and report vulnerable versions.\n5. If the --fix option is used, back up the vulnerable file and patch it.\n   * For example, the original vulnerable.jar is copied to vulnerable.jar.bak\n6. Archive all backup files into the zip file `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then delete the .bak files.\n\n### Exit code for automation\n* -1: failed to run\n* 0: clean (no vulnerability)\n* 1: vulnerability found\n* 2: some errors\n\n### Tool Integrations\n* [HCL BigFix](https://forum.bigfix.com/t/log4j-cve-2021-44228-cve-2021-45046-summary-page)\n* [Checkmk](https://checkmk.com/blog/automatically-detecting-log4j-vulnerabilities-in-your-it)\n  * See also [checkmk CVE-log4j agent plugin](https://github.com/thl-cmk/CVE-log4j-check_mk-plugin)\n\n### Contact\nIf you have any questions or issues, create an issue in this repository.\n\n### About Logpresso\nLogpresso is a leading company in the AI and big data industry located in South Korea.\nLogpresso provides SIEM, SOAR, log management, and FDS solutions with its own big data platform.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flogpresso%2FCVE-2021-44228-Scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flogpresso%2FCVE-2021-44228-Scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flogpresso%2FCVE-2021-44228-Scanner/lists"}