
https://github.com/pfichtner/log4shell-hunter

Scanner that scans local files for the log4shell vulnerability. It does bytecode analysis, so it does not rely on metadata, and will find vulnerable log4j even if it has been self-compiled, repackaged, shaded or nested (e.g. uberjar, fatjar), and even if it has been obfuscated.

cve-2021-44228 cve-2021-45046 cve-2021-45105 java log4j log4j-rce log4shell scanner vulnerability-scanner


# log4shell-hunter

[![Java CI with Maven](https://github.com/pfichtner/log4shell-hunter/actions/workflows/maven.yml/badge.svg)](https://github.com/pfichtner/log4shell-hunter/actions/workflows/maven.yml)
[![GitLicense](https://gitlicense.com/badge/pfichtner/log4shell-hunter)](https://gitlicense.com/license/pfichtner/log4shell-hunter)
[![Known Vulnerabilities](https://snyk.io/test/github/pfichtner/log4shell-hunter/badge.svg?targetFile=pom.xml)](https://snyk.io/test/github/pfichtner/log4shell-hunter?targetFile=pom.xml)
[![codecov](https://codecov.io/gh/pfichtner/log4shell-hunter/branch/main/graph/badge.svg?token=9KPRQO35RS)](https://codecov.io/gh/pfichtner/log4shell-hunter)
[![BCH compliance](https://bettercodehub.com/edge/badge/pfichtner/log4shell-hunter?branch=main)](https://bettercodehub.com/)
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fpfichtner%2Flog4shell-hunter.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fpfichtner%2Flog4shell-hunter?ref=badge_shield)

Are you afraid of having JARs, or even commercial (e.g. closed source) applications, in which a vulnerable version of log4j is included (shaded), or that your developers copied vulnerable log4j classes into some of their projects? This is where most scanners produce false negatives, because they rely on metadata such as a pom.xml describing the log4j version.

This scanner does bytecode analysis! So it does **not** depend on:
- fingerprinted jar files
- fingerprinted class files
- class names (e.g. ```JndiLookup```)
- poms/pom entries

So log4shell-hunter will find vulnerable log4j versions even if:
- log4j's source has been compiled by third-parties (no matter what compiler/compiler version)
- log4j (or parts of it) has/have been included/copied in/to other jars
- log4j was repacked (uberjar, fatjar), even if packages have been renamed, e.g. org.apache.logging -> org.acme.foo.logger.bar

The scanner analyzes jars and tries to detect:
- classes that are annotated with log4j's Plugin annotation ```org.apache.logging.log4j.core.config.plugins.Plugin```.
- This even works if the Plugin annotation has been renamed or obfuscated (depending on log4shell-hunter's mode parameter).

### Usage
Example usage
```console
find \( -name "*.jar" -o -name "*.zip" -o -name "*.ear" -o -name "*.war" \) -exec java -jar log4shell-hunter-0.0.3.jar -m obfuscatorComparator {} \;
```

Example output
```console
./log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war
> Possible 2.1+ match found in class org.apache.logging.log4j.core.lookup.JndiLookup in resource /WEB-INF/lib/log4j-core-2.10.0.jar
```

Mode can be set to one of ```defaultComparator```, ```repackageComparator```, ```obfuscatorComparator```.
- defaultComparator: Log4j classes have to match the expected class and package name exactly. The same applies to their methods.
- repackageComparator: Log4j classes have to match the expected class names; the package name is ignored. Method names have to match exactly (**default**)
- obfuscatorComparator: log4shell-hunter does not depend on any class or method names but tries to detect log4j classes by other criteria. This mode will find even repackaged log4j if the jar has been obfuscated
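To make the difference between the comparator modes concrete, here is an added Python example (not log4shell-hunter's own code). It walks a jar, recurses into nested archives, parses the constant pool of every `.class` entry according to the JVM class-file layout, and reports classes whose constant pool carries the type descriptor of the Plugin annotation, either exactly (`defaultComparator`) or with the package ignored (`repackageComparator`). The sample archive, the `build_class`/`build_jar` helpers and the `hits` function are constructed for the example; matching a single descriptor is a deliberate simplification of what the real scanner does, and `obfuscatorComparator` is not implemented here because it needs structural analysis rather than name matching.

```python
"""Added example: name-based detection of log4j's Plugin annotation in the
constant pool of class files, including classes inside nested jars."""
import io
import struct
import zipfile

PLUGIN_DESCRIPTOR = "Lorg/apache/logging/log4j/core/config/plugins/Plugin;"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Constant-pool tag -> fixed payload size in bytes; Utf8 (tag 1) is variable.
_FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 string from a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return []                      # not a class file (magic mismatch)
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pos, index, found = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            found.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        else:
            pos += _FIXED_SIZES[tag]
        index += 2 if tag in (5, 6) else 1   # Long/Double take two slots
    return found


def matches(descriptor, mode):
    """Mirror the README's comparator modes for the Plugin annotation descriptor."""
    if mode == "defaultComparator":
        return descriptor == PLUGIN_DESCRIPTOR
    if mode == "repackageComparator":
        # Package ignored: only the simple class name has to match.
        return descriptor.endswith("/Plugin;") or descriptor == "LPlugin;"
    raise ValueError("obfuscatorComparator needs structural analysis, not shown here")


def scan_archive(data, mode="repackageComparator", path=""):
    """Yield (resource path, class name) for each class carrying the annotation."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".class"):
                if any(matches(c, mode) for c in utf8_constants(content)):
                    yield (path, name[:-6].replace("/", "."))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(content, mode, f"{path}/{name}")


def build_class(utf8s):
    """Constructed sample: a class-file header whose constant pool holds only
    the given Utf8 strings (enough for the parser above)."""
    pool = b"".join(struct.pack(">BH", 1, len(s)) + s.encode() for s in utf8s)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(utf8s) + 1) + pool


def build_jar(entries):
    """Constructed sample: an in-memory jar from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archive: an unmodified log4j class, an unrelated class,
# and a nested shaded copy whose packages were renamed to org.acme.logger.
SAMPLE_JAR = build_jar({
    "com/acme/App.class": build_class(["com/acme/App", "java/lang/Object"]),
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": build_class(
        ["org/apache/logging/log4j/core/lookup/JndiLookup", PLUGIN_DESCRIPTOR]),
    "lib/shaded-log4j.jar": build_jar({
        "org/acme/logger/lookup/JndiLookup.class": build_class(
            ["org/acme/logger/lookup/JndiLookup",
             "Lorg/acme/logger/config/plugins/Plugin;"]),
    }),
})


def hits(mode):
    """Sorted findings for SAMPLE_JAR in the given comparator mode."""
    return sorted(scan_archive(SAMPLE_JAR, mode))


if __name__ == "__main__":
    for mode in ("defaultComparator", "repackageComparator"):
        print(mode, hits(mode))
```

With the constructed archive, `defaultComparator` reports only the class in the original `org.apache.logging` package, while `repackageComparator` also reports the shaded copy inside the nested jar, which is exactly the false negative the README warns about. Finding the annotation identifies log4j-core 2.x classes; deciding which version (and therefore which CVE) is present needs the finer-grained checks the real scanner performs and is outside this example.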

### Build from source
```console
git clone https://github.com/pfichtner/log4shell-hunter.git
cd log4shell-hunter/
# build using included maven wrapper
# of course you can use your locally installed "mvn" instead of the maven wrapper "./mvnw"
./mvnw package
java -jar target/log4shell-hunter-0.0.3.jar
```

### License
[GNU General Public License v3.0](LICENSE.txt)