Log4jscanner

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.

Installing

Pre-compiled binaries are available as release assets.

To install from source with an existing Go installation, either use
go install:

go install github.com/google/log4jscanner@latest

Or build from the repo directly:

git clone https://github.com/google/log4jscanner.git
cd log4jscanner
go build -o log4jscanner

Command line tool

This project includes a scanner that walks directories, printing any detected JARs
to stdout.

$ log4jscanner ./jar/testdata
./jar/testdata/bad_jar_in_jar.jar
./jar/testdata/log4j-core-2.1.jar
./jar/testdata/log4j-core-2.12.1.jar
./jar/testdata/log4j-core-2.14.0.jar
./jar/testdata/log4j-core-2.15.0.jar
./jar/testdata/vuln-class.jar

Optionally, the --rewrite flag can actively remove the vulnerable class from
detected JARs in place.

$ zipinfo /tmp/vuln-class.jar | grep Jndi
-rw-r--r--  3.0 unx     2937 bx defN 20-Nov-06 14:03 lookup/JndiLookup.class
-rw-r--r--  3.0 unx     5029 bx defN 20-Nov-06 14:03 net/JndiManager.class
-rw-r--r--  3.0 unx      249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class
-rw-r--r--  3.0 unx     1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class
$ log4jscanner --rewrite /tmp
/tmp/vuln-class.jar
$ zipinfo /tmp/vuln-class.jar | grep Jndi
-rw-r--r--  3.0 unx     5029 bx defN 20-Nov-06 14:03 net/JndiManager.class
-rw-r--r--  3.0 unx      249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class
-rw-r--r--  3.0 unx     1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class

On macOS, you can also scan your entire data directory with:

$ sudo log4jscanner /System/Volumes/Data

The scanner can also skip directories by passing glob patterns. On Linux, you
may choose to scan the entire root filesystem but skip site-specific paths
(e.g. the /data/* directory). By default log4jscanner will not scan magic
filesystems, such as /proc and /sys.

$ sudo log4jscanner --skip '/data/*' /
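The skip behaviour described above, as an added stand-alone example that is not code from the log4jscanner project: a directory walker built only on the standard library that prunes directories matching --skip style globs and never descends into /proc or /sys. The use of filepath.Match for the globs, the fixed list of magic filesystems and the findJARs/skipped names are assumptions of this example, not how the tool itself implements --skip.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// magicFilesystems is a fixed, assumed list of pseudo-filesystem roots that the
// walker never enters; the real scanner detects these differently.
var magicFilesystems = map[string]bool{"/proc": true, "/sys": true}

// skipped reports whether path matches any skip glob or is a magic filesystem root.
// Globs use filepath.Match semantics, so '/data/*' prunes the direct children of /data
// (and, because pruned directories are never entered, everything beneath them).
func skipped(path string, skipGlobs []string) bool {
	if magicFilesystems[path] {
		return true
	}
	for _, g := range skipGlobs {
		if ok, _ := filepath.Match(g, path); ok {
			return true
		}
	}
	return false
}

// findJARs walks root, pruning skipped directories, and returns the paths of
// every *.jar file it reaches, in lexical order.
func findJARs(root string, skipGlobs []string) ([]string, error) {
	var jars []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil // unreadable entry: keep walking rather than abort the whole scan
		}
		if skipped(path, skipGlobs) {
			if d.IsDir() {
				return fs.SkipDir // prune the subtree
			}
			return nil
		}
		if !d.IsDir() && strings.EqualFold(filepath.Ext(path), ".jar") {
			jars = append(jars, path)
		}
		return nil
	})
	return jars, err
}

func main() {
	root := "/"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	// Remaining arguments are skip globs, mirroring `log4jscanner --skip '/data/*' /`.
	jars, err := findJARs(root, os.Args[2:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk failed:", err)
		os.Exit(1)
	}
	for _, j := range jars {
		fmt.Println(j)
	}
}
```

Run it as `go run . /path/to/scan '/path/to/scan/data/*'`; each JAR path found is printed on its own line, which is the list a scanner would then open and inspect.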

For heavy customization, such as reporting to external endpoints, much of the
tool's logic is exposed through the jar.Walker API.

Package

Parsing logic is available through the jar package, and can be used to scan
assets stored in other code repositories. Because JARs use the ZIP format, this
package operates on archive/zip.Reader.

package main

import (
	"archive/zip"
	"errors"
	"fmt"
	"log"
	"os"

	"github.com/google/log4jscanner/jar"
)

func main() {
	if len(os.Args) != 2 {
		log.Fatalf("usage: %s <path-to-jar>", os.Args[0])
	}
	pathToJARFile := os.Args[1]

	rc, err := zip.OpenReader(pathToJARFile)
	if err != nil {
		if errors.Is(err, zip.ErrFormat) {
			// File isn't a ZIP file.
			return
		}
		log.Fatalf("opening class: %v", err)
	}
	defer rc.Close()

	if !jar.IsJAR(&rc.Reader) {
		// ZIP file isn't a JAR file.
		return
	}

	result, err := jar.Parse(&rc.Reader)
	if err != nil {
		log.Fatalf("parsing zip file: %v", err)
	}
	if result.Vulnerable {
		fmt.Println("File is vulnerable")
	}
}

See the examples/ directory for full programs.
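As an added example that is not code from the log4jscanner project, the following stand-alone program shows what the detection and the --rewrite step amount to when expressed over archive/zip: one recursive pass that copies an archive while dropping JndiLookup.class, descending into nested JARs (the bad_jar_in_jar.jar case from the testdata listing in the command line section), and reporting how many entries it removed. The class-name suffix match, the ".jar" test for nested archives, the strip/vulnerable/buildZip names and the constructed sample JAR are all assumptions of this example; the jar package's own parsing is more thorough than a name check.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// The class the scanner reports and that --rewrite removes; only the suffix is matched.
const jndiLookupClass = "lookup/JndiLookup.class"

// readEntry returns the uncompressed bytes of one ZIP entry.
func readEntry(f *zip.File) ([]byte, error) {
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return io.ReadAll(rc)
}

// strip returns a copy of the archive with every JndiLookup.class removed at any nesting
// depth, plus the number of entries removed. A non-zero count is the detection; the bytes
// are what a rewrite would write back. Matching the class name alone is a simplification
// and one source of the false positives noted below.
func strip(data []byte) ([]byte, int, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, 0, err
	}
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	removed := 0
	for _, f := range r.File {
		if strings.HasSuffix(f.Name, jndiLookupClass) {
			removed++
			continue // the removal itself
		}
		body, err := readEntry(f)
		if err != nil {
			return nil, 0, err
		}
		if strings.HasSuffix(f.Name, ".jar") {
			// Nested JAR: an entry named .jar that is not a valid ZIP is copied untouched.
			if fixed, n, err := strip(body); err == nil {
				body, removed = fixed, removed+n
			}
		}
		// Entries are re-created with default headers; the real tool preserves originals.
		ew, err := w.Create(f.Name)
		if err != nil {
			return nil, 0, err
		}
		if _, err := ew.Write(body); err != nil {
			return nil, 0, err
		}
	}
	if err := w.Close(); err != nil { // Close writes the central directory
		return nil, 0, err
	}
	return buf.Bytes(), removed, nil
}

// vulnerable reports whether the archive contains JndiLookup.class at any depth.
func vulnerable(data []byte) (bool, error) {
	_, n, err := strip(data)
	return n > 0, err
}

// buildZip builds a constructed archive from name/body pairs (bodies are placeholder text).
func buildZip(entries [][2]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		ew, _ := w.Create(e[0])
		ew.Write([]byte(e[1]))
	}
	w.Close()
	return buf.Bytes()
}

// sampleNestedJAR is constructed input: an app JAR whose only suspicious content is nested.
func sampleNestedJAR() []byte {
	inner := buildZip([][2]string{
		{"org/apache/logging/log4j/core/lookup/JndiLookup.class", "placeholder"},
	})
	return buildZip([][2]string{
		{"META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"},
		{"BOOT-INF/lib/log4j-core-2.14.0.jar", string(inner)},
	})
}

func main() {
	fixed, removed, _ := strip(sampleNestedJAR())
	after, _ := vulnerable(fixed)
	fmt.Printf("removed %d JndiLookup.class entries; still vulnerable: %v\n", removed, after)
}
```

Because detection and rewrite are the same walk, a second pass over the rewritten bytes returning zero removals is the natural check that the in-place rewrite actually took effect at every nesting level, which is the kind of verification worth running before trusting an automated rewrite given the false positives noted below.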

False positives

False positives have been observed for the scanner. Use caution when rewriting
JARs automatically or taking other mitigations based on scan results.

If you do hit a false positive, please open an issue.

Contributors

We unfortunately had to squash the history when open sourcing. The following
contributors were instrumental in this project's development:
