Giter VIP home page Giter VIP logo

log4j-remediation-tools's Introduction

log4j-remediation-tools

Tools for finding and reproducing the CVE-2021-44228 log4j2 vulnerability

Tools

Usage

Both of these tools scan all running JVM processes on a machine, and produce a CSV report about which processes may be / are vulnerable.

Check out the corresponding READMEs for find-vulnerabilities/ and confirm-vulnerabilities/ for usage details.

Which tool should I use?

Here are a few tradeoffs to help you determine which tool is right for your use case:

find-vulnerabilities is low-risk to run, but has the possibility of missing:

  • Cases where a system property is not set on the CLI, e.g. at runtime
  • Cases where the JVM has closed the file descriptor for the jar
  • Non-standard / patched releases of log4j2

confirm-vulnerabilities uses the JVM Attach API which:

  • May not work if an application explicitly disables this API
  • May crash the running JVM due to JVM bugs
  • May briefly slow down the running JVM while waiting for JVM pause

Contributing

This project welcomes feedback and contributions; however, we might be slow to respond to or triage your requests. We appreciate your patience.

License

This project uses the MIT license.

Code of conduct

This project has adopted the Stripe Code of conduct.

log4j-remediation-tools's People

Contributors

mfix-stripe avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

digitalarche ryandeivert noetro krxczo5 isabella232 an0nym0us3r ghas-results ghas-results thecodeofmontecristo

log4j-remediation-tools's Issues

Problem with build

Hello and thanks for sharing this tool! My apologies if i ask newbie things, but i have been worried about the log4j issue.

I am on an AWS instance
NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/"

$uname -a
Linux ip-172-31-89-223.ec2.internal 4.14.225-169.362.amzn2.x86_64 #1 SMP Mon Mar 22 20:14:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

I have installed golang
sudo yum install golang -y
$ go version
go version go1.15.14 linux/amd64

from the find-vulnerabilities folder I run
env GOOS=linux GOARCH=amd64 go build -o log4j-finder-amd64-linux *.go
but I get
helpers.go:7:2: package io/fs is not in GOROOT (/usr/lib/golang/src/io/fs)

Do I do something wrong?

Thank you so much!
Alex

Error trying to execute confirm-vulnerabilities

Hi, thank you for creating this tool. I had errors when I tried to run

java -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar

The error is

18:38:14 ❯ java -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar 
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to field sun.management.RuntimeImpl.jvm
WARNING: Please consider reporting this to the maintainers of com.stripe.log4j.isitvuln.ProcessInfo
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Will use this jar for agent: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar
date,host,tool,version,pid,path,jre,log4j,log4j version,formatMsgNoLookups,ldap trustURLCodebase,rmi trustURLCodebase,cosnaming trustURLCodebase,exploited

When I tried --illegal-access=permit, same problem.
When I tried --illegal-access=warn, I got

18:38:33 ❯ java --illegal-access=warn -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to field sun.management.RuntimeImpl.jvm
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to method sun.management.VMManagementImpl.getProcessId()
Will use this jar for agent: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar
date,host,tool,version,pid,path,jre,log4j,log4j version,formatMsgNoLookups,ldap trustURLCodebase,rmi trustURLCodebase,cosnaming trustURLCodebase,exploited

I was able to build with maven without any issue

[INFO] Replacing original artifact with shaded artifact.
[INFO] Replacing /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar with /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT-shaded.jar
[INFO] Dependency-reduced POM written at: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/dependency-reduced-pom.xml
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.659 s
[INFO] Finished at: 2021-12-17T18:15:41-08:00
[INFO] ------------------------------------------------------------------------

I am not sure if I am missing anything.

Thank you

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.