stripe / log4j-remediation-tools Goto Github PK

View Code? Open in Web Editor NEW

42.0 9.0 10.0 37 KB

Tools for remediating the recent log4j2 RCE vulnerability (CVE-2021-44228)

License: MIT License

Java 37.78% Go 62.22%

log4j2 remediation tools

log4j-remediation-tools's Issues

confirm-vulnerabilities has log4j-core 2.14 as dependency in its pom.xml

Is the program creating a vulnerability or finding a vulnerability?

log4j-remediation-tools/confirm-vulnerabilities/pom.xml

Lines 18 to 21 in 167e1f9

 <groupId>org.apache.logging.log4j</groupId> 

 <artifactId>log4j-core</artifactId> 

 <version>2.14.1</version> 

 </dependency>

Error trying to execute confirm-vulnerabilities

Hi, thank you for creating this tool. I had errors when I tried to run

java -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar

The error is

18:38:14 ❯ java -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar 
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to field sun.management.RuntimeImpl.jvm
WARNING: Please consider reporting this to the maintainers of com.stripe.log4j.isitvuln.ProcessInfo
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Will use this jar for agent: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar
date,host,tool,version,pid,path,jre,log4j,log4j version,formatMsgNoLookups,ldap trustURLCodebase,rmi trustURLCodebase,cosnaming trustURLCodebase,exploited

When I tried --illegal-access=permit, same problem.
When I tried --illegal-access=warn, I got

18:38:33 ❯ java --illegal-access=warn -jar target/is-it-vulnerable-1.0-SNAPSHOT.jar
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to field sun.management.RuntimeImpl.jvm
WARNING: Illegal reflective access by com.stripe.log4j.isitvuln.ProcessInfo (file:/Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar) to method sun.management.VMManagementImpl.getProcessId()
Will use this jar for agent: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar
date,host,tool,version,pid,path,jre,log4j,log4j version,formatMsgNoLookups,ldap trustURLCodebase,rmi trustURLCodebase,cosnaming trustURLCodebase,exploited

I was able to build with maven without any issue

[INFO] Replacing original artifact with shaded artifact.
[INFO] Replacing /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT.jar with /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/target/is-it-vulnerable-1.0-SNAPSHOT-shaded.jar
[INFO] Dependency-reduced POM written at: /Users/thienphan/code/log4j-remediation-tools/confirm-vulnerabilities/dependency-reduced-pom.xml
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.659 s
[INFO] Finished at: 2021-12-17T18:15:41-08:00
[INFO] ------------------------------------------------------------------------

I am not sure if I am missing anything.

Thank you

Problem with build

Hello and thanks for sharing this tool! My apologies if i ask newbie things, but i have been worried about the log4j issue.

I am on an AWS instance
NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/"

$uname -a
Linux ip-172-31-89-223.ec2.internal 4.14.225-169.362.amzn2.x86_64 #1 SMP Mon Mar 22 20:14:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

I have installed golang
sudo yum install golang -y
$ go version
go version go1.15.14 linux/amd64

from the find-vulnerabilities folder I run
env GOOS=linux GOARCH=amd64 go build -o log4j-finder-amd64-linux *.go
but I get
helpers.go:7:2: package io/fs is not in GOROOT (/usr/lib/golang/src/io/fs)

Do I do something wrong?

Thank you so much!
Alex

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

	<groupId>org.apache.logging.log4j</groupId>
	<artifactId>log4j-core</artifactId>
	<version>2.14.1</version>
	</dependency>