• This repository has been archived on 13/May/2024
  • Stars
    star
    343
  • Rank 123,371 (Top 3 %)
  • Language
    PowerShell
  • License
    BSD 2-Clause "Sim...
  • Created almost 3 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Scanners for Jar files that may be vulnerable to CVE-2021-44228

CVE-2021-44228_scanner

Applications that are vulnerable to the log4j CVE-2021-44228 issue may be detectable by scanning jar, war, and ear files to search for the presence of JndiLookup.class.

Depending on the platform that you are investigating, the PowerShell or the Python3 script may make more sense to run. In both cases, the optional argument is the top-level directory that you would like to use to begin your search.

Any file discovered is worth investigation to determine if the application using it is vulnerable. For any JndiLookup.class that is present, log4j commonly includes the version in the jar file name. For example, a hit on log4j-core-2.14.1.jar would be indicative of a vulnerable application. Alternatively, log4j-core-2.16.jar may also produce a hit because the JndiLookup code is still present in the 2.16 version of log4j, but it is disabled by default. See VU#930724 for more details.

Screenshots

For example, here is an invocation of the PowerShell version of the scanner: checkjndi.ps1 execution on c:\

Similarly, here is an invocation of the Python3 version: checkjndi.py execution on c:\

Finally, here is an invocation of the Bash version: checkjndi.sh execution on ~/in

Interpreting results

Note that the Bash and Python versions of this script will by design limit scans to a single filesystem. With the PowerShell version, locations to scan can be piped into the script to have control of what is checked. For example, to scan a list of paths conatined in a the file paths.txt:

get-content .\paths.txt | .\checkjndi.ps1

Let's look at the first hit on our Windows scan execution:

WARNING: C:\tmp\2.15\log4j-core-2.15.0.jar contains org/apache/logging/log4j/core/lookup/JndiLookup.class

Based on the jar name, this is a library from log4j 2.15. While this version of log4j fixes CVE-2021-44228, it still contained a flaw that is outlined as CVE-2021-45046. The impact of CVE-2021-45046 is a denial of service for only certain Java applications that use log4j 2.15. For Java applications that use log4j versions prior to 2.15 and that also fit the prerequisites for CVE-2021-45046 applying, the impact is RCE.

Let's look at the second hit:

C:\tmp\2.16\log4j-core-2.16.0.jar contains org/apache/logging/log4j/core/lookup/JndiLookup.class ** BUT APPEARS TO BE PATCHED **

This jar file contains a 2.16 version of log4j, which is not vulnerable to CVE-2021-44228. This result is reported for information purposes, which shows that a vendor has patched their product.

Let's look at the third hit:

WARNING: C:\tmp\ghidra_10.0_PUBLIC\Ghidra\Framework\Generic\lib\log4j-core-2.12.1.jar contains org/apache/logging/log4j/core/lookup/JndiLookup.class

Here we can see that Ghidra uses log4j version 2.12.1, and as such we should assume it to be vulnerable. And indeed, Ghidra versions before 10.1 are vulnerable to CVE-2021-44228.

You should investigate any hits reported by either of these scripts, and confirm that either the log4j version is indeed the fixed 2.16 version, or reach out to your software vendor to obtain a fixed version of the software. Alternatively, VU#930724 has information about how JndiLookup.class can be removed from vulnerable jar files.

Errors returned

The PowerShell version of the scanner has additional error reporting when files or directories cannot be investigated. In particular, any Unable to scan errors reporting UnauthorizedAccessException is indicative of a permission problem in accessing a directory and/or a file. Any Unable to scan errors reporting InvalidDataException is usually due to a corrupt archive.

More Repositories

1

keyfinder

A tool for finding and analyzing private (and public) key files, including support for Android APK files.
Python
266
star
2

certfuzz

This project contains the source code for the CERT Basic Fuzzing Framework (BFF) and the CERT Failure Observation Engine (FOE).
Python
262
star
3

trommel

TROMMEL: Sift Through Embedded Device Files to Identify Potential Vulnerable Indicators
Python
204
star
4

tapioca

CERT Tapioca for MITM network analysis
Python
180
star
5

PoC-Exploits

Select proof-of-concept exploits for software vulnerabilities to aid in identifying and testing vulnerable systems.
Python
180
star
6

SSVC

Stakeholder-Specific Vulnerability Categorization
Python
127
star
7

labyrinth

Come inside, and have a nice cup of tea.
96
star
8

Vulnerability-Data-Archive

With the hope that someone finds the data useful, we used to periodically publish an archive of almost all of the non-sensitive vulnerability information in our vulnerability reports database. See also https://github.com/CERTCC/Vulnerability-Data-Archive-Tools
87
star
9

privesc

Process Monitor filter for finding privilege escalation vulnerabilities on Windows
77
star
10

SBOM

Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
JavaScript
57
star
11

VINCE

VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.
Python
53
star
12

dranzer

Dranzer is a tool that enables users to examine effective techniques for fuzz testing ActiveX controls
C++
32
star
13

Vulnerability-Data-Archive-Tools

Tools for working with the CERT Vulnerability Data Archive. See also https://github.com/CERTCC/Vulnerability-Data-Archive
Python
19
star
14

cveClient

A client and library to cve-services 2.x to provide CVE management for CNA and CERTs
JavaScript
17
star
15

Vultron

Vultron is a protocol for Coordinated Vulnerability Disclosure
Python
10
star
16

vulnerability_disclosure_policy_templates

A collection of templates for generating vulnerability disclosure policies. (NOTE: As of 2024, these templates are now part of the CERT Guide to Coordinated Vulnerability Disclosure, see link in README.)
9
star
17

CERT-Guide-to-CVD

Content for the CERT Guide to Coordinated Vulnerability Disclosure
Shell
7
star
18

UEFI-Analysis-Resources

Documentation, examples, and other resources regarding analyzing EDK2 based UEFI firmware
PHP
6
star
19

Linux-Kernel-Analysis-Environment

Container-based environment for debugging and analyzing Linux kernels using QEMU and GDB
Shell
5
star
20

git_vul_driller

Drills through git commit histories to find vulnerability IDs in change logs.
Jupyter Notebook
3
star
21

ip6tables-configuration

Automatically exported from code.google.com/p/ip6tables-configuration
Shell
3
star
22

metasploit_json_parser

Parser for the JSON database included in metasploit-framework that emits a CSV file of modules keyed by vulnerability IDs and references. NOTE: Superseded by git_vul_driller linked below.
Python
2
star
23

Syzbot-Repro-Runner

Automatically build and run a custom kernel and crasher from a syzbot report
Python
1
star