• Stars
    star
    168
  • Rank 225,507 (Top 5 %)
  • Language
    Java
  • License
    Apache License 2.0
  • Created almost 3 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

log4j-tools

Quick links

Click to find:

Inclusions of log4j2 in compiled code Calls to log4j2 in compiled code Calls to log4j2 in source code
Sanity check for env mitigations Applicability of CVE-2021-45046 Xray wrapper for Log4Shell
Automatically patch container images in Artifactory

Overview

CVE-2021-44228 poses a serious threat to a wide range of Java-based applications. The important questions a developer may ask in this context are:

1. Does my code include log4j2?

Does the released code include log4j2? Which version of the library is included there? Answering these questions may not be immediate due to two factors:

  1. Transitive dependencies: while log4j2 may not be in the direct dependency list of the project, it may be used indirectly by some other dependency.

  2. The code of this library may not appear directly as a separate file (i.e., log4j2-core-2.xx.0.jar), but rather be bundled in some other code jar file.

JFrog is releasing a tool to help resolve this problem: scan_log4j_versions. The tool looks for the class code of JndiManager and JndiLookup classes (regardless of containing .jar file names and content of pom.xml files), and attempts to fingerprint the versions of the objects to report whether the included version of log4j2 is vulnerable. Both Python and Java implementations are included.

2. Where does my code use log4j2?

The question is relevant for the cases where the developer would like to verify if the calls to log4j2 in the codebase may pass potentially attacker-controlled data. While the safest way to fix the vulnerability, as discussed in the advisories, is to apply the appropriate patches and global flags, controlling for and verifying the potential impact under assumption of unpatched log4j2 may be valuable in many situations. In order to address this problem JFrog is releasing two scripts:

  1. scan_log4j2_calls_src.py, which locates calls to log4j2 logging functions (info, log, error etc.) with non-constant arguments in .java source files and reports the findings on the level of source file and line
  2. scan_log4j2_calls_jar.py, which locates the calls to logging functions in compiled .jars, and reports the findings as class name and method names in which each call appears.

3. Am I configuring this correctly?

Due to the high risk associated with the vulnerability, developers relying on mitigations may want to double check that the environment was indeed configured correctly (which Java runtime actually runs the application? Were environment and command line flags set correctly?). In order to simplify this sanity check, JFrog is releasing a few tools. The tools are intended to run in the same environment as a production application.

  • env_verify.jar will validate the proper application of mitigations against CVE-2021-44228.
  • scan_cve_2021_45046_config will validate the log4j2 configuration does not allow for exploitation of CVE-2021-45046.

Usage instructions

scan_log4j_versions.py

The tool requires Python 3, without additional dependencies.

Usage
python scan_log4j_versions.py root-folder [-quiet] [-exclude folder1 folder2 ..]

If python3 is not available, python2 ported version can be used:

python2 scan_log4j_versions_p2.py root-folder [-quiet] [-exclude folder1 folder2 ..]

The tool will scan root_folder recursively for .jar and .war files; in each located file the tool looks for a *log4j/core/net/JndiManager.class and *log4j/core/lookup/JndiLookup.class (recursively in each .jar file). If at least one of the classes is found, the tool attempts to fingerprint its version (including some variations found in patches and backport patches) in order to report whether the code is vulnerable.

With -quiet flag, only log4j version conclusions are printed out, and other messages (files not found/ archives failed to open/ password protected archives) are muted.

Folders appearing after -exclude (optional) are skipped.

To reiterate, the results depend on the code of the classes rather than file names and the metadata. Files where both JndiManager and JndiLookup classes are not present (and hence are not vulnerable to CVE-2021-44228), like log4j-1.x.xx.jar, or log4j-api-2.xx.x.jar, do not appear in the results. Otherwise, vulnerability status and estimated version/patch status are displayed. When the versions of the two classes follow a pattern not accounted for, inconsistent is reported; this result should be investigated further.

Currently recognized log4j versions:

Vulnerable Mitigated Fixed
2.0, 2.1 .. 2.14 2.15 2.12.2, 2.16, 2.17 ,JndiLookup removed; patched versions 2.17.1, 2.3.2, 2.12.4 classified as 2.17

Supported archive extensions: jar, war, ear, sar, par, zip.


scan_log4j_versions.jar

Compiled jar can be downloaded from here or compiled from source.

The tool requires java runtime, without additional dependencies.

Usage
java -jar scan_jndimanager_versions.jar root-folder

The operation and displayed results are equivalent to the Python version.


scan_log4j_calls_jar.py

The tool requires python 3 and the following 3rd party libraries: jawa, tqdm, easyargs, colorama

Dependencies installation
pip install -r requirements.txt
Usage

The default use case:

python scan_log4j_calls_jar.py root-folder

will recursively scan all .jar files in root-folder, for each printing out locations (class name and method name) of calls to info/warn/error/log/debug /trace/fatal methods of log4j2.Logger.

The tool may be configured for additional use cases using the following command line flags.

Flag Default value Use
--class_regex .*log4j/Logger Regular expression for required class name
--method_regex 1 Regular expression for required method name
--quickmatch_string log4j Pre-condition for file analysis: .jar files not containing the specified string will be ignored
--class_existence Not set When not set, look for calls to class::method as specified by regexes. When set, --method_regex is ignored, and the tool will look for existence of classes specified by --class_regex in the jar.
--no_quickmatch Not set When set, the value of --quickmatch_string is ignored and all jar files are analyzed
--caller_block .*org/apache/logging If caller class matches this regex, it will not be displayed

For example,

python scan_log4j_calls_jar.py --class_regex ".*JndiManager$" --class_existence --no_quickmatch root-folder

Will scan all .jar files (even if they do have no mentions of log4j2) for the existence of a class ending with JndiManager.

Typical results output looks like this:


scan_log4j_calls_src.py

The tool requires python 3 and the following 3rd party libraries: javalang, tqdm, easyargs, colorama

Dependencies installation
pip install -r requirements.txt
Usage

The default use case:

python scan_log4j_calls_src.py root-folder

will recursively scan all .java files in root-folder, for each printing out the locations (file name and corresponding code lines) of calls to log4j2 logging methods.

The tool may be configured for additional use cases using the following command line flags:

Flag Default value Use
--class_regex org/apache/logging/log4j/Logger Regular expression for required class name
--method_regex 1 Regular expression for required method name

Typical output looks like this:


env_verify.jar

Compiled jar can be downloaded from here or compiled from source, and does not require additional dependencies.

Usage

The intended use is running the tool in the same setting precisely as the production application. For example, for the original launch line in the start-up script:

eval "\"${JAVA_CMD}\" ${VMARG_LIST} application ${CLASSNAME} ${ARGS[@]}" &>/dev/null &

We add the following to the script:

eval "\"${JAVA_CMD}\" ${VMARG_LIST} -jar env_verify.jar" > /tmp/env_verify

And read the result after the start-up script completes:


scan_cve_2021_45046_config

Dependencies

Python version requires installing dependencies:

pip install -r requirements.txt
Usage

Jar version can be compiled from source or downloaded from here.

python scan_cve_2021_45046_config.py root-folder

or

java -jar scan_cve_2021_45046_config.jar root-folder

Will recursively scan root-folder and all archive files in it, looking for probable log4j configuration files (xml, yml, properties,json), in each looking for configuration options which may enable an attacker to exploit CVE-2021-45046.

Please note that an "applicable" result only means that the configuration may be problematic and should be inspected.

A "non-applicable" result is more conclusive, and means the configuration does not contain even the basic (publicly known) options for the exploitation of CVE-2021-45046.


log4shell_xray_wrapper

Dependencies

Python version requires installing dependencies:

pip install -r requirements.txt

In addition, the following tools must be available in your PATH:

  • JFrog CLI 2.6.2 or later (either jfrog or jf) - configured with an "Xray URL"
  • Either maven or gradle (according to the project you are planning to scan)
Usage

Jar version can be compiled from source or downloaded from here.

java -jar log4shell_xray_wrapper.jar [--recurse] [--verbose] target_dir

or running the Python version:

python log4shell_xray_wrapper.py [--recurse] [--verbose] target_dir

The tool looks for Maven and Gradle projects , either directly at target_dir or (if --recurse is specified) in any child directory of target_dir.

Any detected project will be scanned using Xray (via the JFrog CLI), and results will be filtered to show only the Log4Shell vulnerabilities:

  • CVE-2021-44228
  • CVE-2021-45046
  • CVE-2021-45105

Compiling scan_log4j_versions.jar from source

cd scan_log4j_versions/java
gradle build
cp build/libs/scan_log4j_versions.jar ..

Compiling env_verify.jar from source

cd env_verify/java
gradle build
cp build/libs/env_verify.jar ..

Compiling scan_cve_2021_45046_config.jar from source

cd scan_cve_2021_45046_config/java
gradle build
cp build/libs/scan_cve_2021_45046_config.jar ..

Compiling log4shell_xray_wrapper.jar from source

cd log4shell_xray_wrapper/java
gradle shadowJar
cp build/libs/log4shell_xray_wrapper-all.jar ..

Footnotes

  1. (info|warn|error|log|debug|trace|fatal|catching|throwing|traceEntry|printf|logMessage) 2

More Repositories

1

project-examples

Small projects in universal build ecosystems to configure CI and Artifactory
C#
974
star
2

jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
Go
532
star
3

artifactory-user-plugins

Sample Artifactory User Plugins
Groovy
356
star
4

artifactory-docker-examples

Examples for using Artifactory Docker distribution in various environments
Shell
330
star
5

artifactory-client-java

Artifactory REST Client Java API bindings
Java
318
star
6

frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
Go
299
star
7

terraform-provider-artifactory

Terraform provider to manage JFrog Artifactory
Go
275
star
8

charts

JFrog official Helm Charts
Shell
255
star
9

setup-jfrog-cli

Set up JFrog CLI in your GitHub Actions workflow
TypeScript
245
star
10

jfrog-client-go

All go clients for JFrog products
Go
211
star
11

gocenter

The Github README for JFrog Go-center. Use this for reporting issues
164
star
12

jfrog-idea-plugin

JFrog IntelliJ IDEA plugin
Java
153
star
13

jfrog-vscode-extension

JFrog VS-Code Extension
TypeScript
151
star
14

terraform-provider-xray

Terraform provider to manage JFrog Xray
Go
149
star
15

terraform-provider-project

Terraform provider to manage JFrog Projects
Go
148
star
16

build-info

Artifactory's open integration layer for CI build servers
Java
146
star
17

artifactory-scripts

Scripts for Artifactory (Usually, for REST API), community driven.
Groovy
143
star
18

text4shell-tools

Python
104
star
19

jfrog-spring-tools

Python
80
star
20

JFrog-Cloud-Installers

Template to deploy Artifactory Enterprise cluster.
CSS
78
star
21

jfrog-docker-desktop-extension

🐸 Scans any of your local Docker images for security vulnerabilities. 🐋
TypeScript
74
star
22

nexus2artifactory

NexusToArtifactory - A tool designed to ease migration from Sonatype Nexus to JFrog Artifactory.
Python
67
star
23

nimbuspwn-tools

Shell
64
star
24

build-info-go

build-info-go is a Go library and a CLI, which allows generating build-info for a source code project.
Go
63
star
25

jfrog-npm-tools

Python
54
star
26

cocoapods-art

CocoaPods Plugin to work against Artifactory Repository
Ruby
53
star
27

jfrog-cli-plugins-reg

Go
52
star
28

kubenab

Kubernetes Admission Webhook to enforce pulling of Docker images from the private registry.
Go
46
star
29

froggit-go

Froggit-Go is a universal Go library, allowing to perform actions on VCS providers.
Go
45
star
30

jfrog-CVE-2023-25136-OpenSSH_Double-Free

Python
43
star
31

vault-plugin-secrets-artifactory

HashiCorp Vault Secrets Plugin for Artifactory
Go
42
star
32

teamcity-artifactory-plugin

TeamCity plugin that enables traceable build artifacts with Artifactory
Java
42
star
33

jfrog-azure-devops-extension

JavaScript
41
star
34

chartcenter

The Central Helm Repository for the Community
Dockerfile
41
star
35

bamboo-artifactory-plugin

Atlassian Bamboo plugin that enables traceable build artifacts with Artifactory
Java
40
star
36

jfrog-docker-repo-simple-example

Getting started with JFrog Docker Repos - Example
Dockerfile
39
star
37

jfrog-CVE-2022-21449

Python
38
star
38

cve-2024-3094-tools

Shell
37
star
39

artifactory-cli-go

Artifactory CLI written in Golang
Go
33
star
40

jfrog-cli-core

Go
32
star
41

gitlab-templates

Templates for CI/CD in GitLab using JFrog CLI
30
star
42

docker2artifactory

Python
29
star
43

mlflow-jfrog-plugin

Python
28
star
44

log-analytics-prometheus

JFrog Prometheus Log Analytics Integration
27
star
45

artifactory-docker-builder

Groovy
27
star
46

auto-mat

A docker container to generate heap dump reports and indexes for eclipse MAT
Java
26
star
47

kubexray

JFrog KubeXray scanner on Kubernetes
Go
25
star
48

artifactory-maven-plugin

A Maven plugin to resolve artifacts from Artifactory, deploy artifacts to Artifactory, capture and publish build info.
Java
23
star
49

jfrog-registry-operator

Enhancing AWS Security: JFrog's Seamless Integration and the Power of AssumeRole
Go
22
star
50

artifactory-gradle-plugin

JFrog Gradle plugin for Build Info extraction and Artifactory publishing.
Java
21
star
51

log-analytics

JFrog Log Analytics
Shell
19
star
52

polkit-tools

Shell
18
star
53

jfrog-cli-plugins

Go
17
star
54

gofrog

A collection of go utilities
Go
16
star
55

bower-art-resolver

JavaScript
15
star
56

jfrog-openssl-tools

Python
15
star
57

DevRel

Java
12
star
58

artifactory-sbt-plugin

The SBT Plugin for Artifactory resolve and pulish
Scala
12
star
59

artifactory-user-plugins-devenv

Development Environment for writting Artifactory User Plugins
Shell
12
star
60

aws-codestar

Artifactory-Code Star integration
Shell
12
star
61

gradle-dep-tree

Gradle plugin that reads the Gradle dependencies of a given Gradle project, and generates a dependency tree.
Java
12
star
62

SwampUp2022

Shell
12
star
63

jfrog-client-js

Xray Javascript Client
TypeScript
11
star
64

maven-anno-mojo

Write Maven plugins using annotations
Java
11
star
65

jfrog-ecosystem-integration-env

A Docker image containing all the tools JFrog CLI integrates with and supports.
Dockerfile
11
star
66

bamboo-jfrog-plugin

Easy integration between Bamboo and the JFrog Platform.
Java
10
star
67

xray-client-java

Xray Java Client
Java
9
star
68

artifactory-bosh-release

Bosh release of Artifactory for the PCF
HTML
9
star
69

msbuild-artifactory-plugin

Artifactory integration with MSBuild
C#
8
star
70

documentation

Go
8
star
71

log-analytics-splunk

JFrog Splunk Log Analytics Integration
JavaScript
8
star
72

docker-compose-demos

JFrog example demos using docker compose
Shell
8
star
73

jfrog-visual-studio-extension

C#
8
star
74

log-analytics-elastic

JFrog Elastic Fluentd Kibana Log Analytics Integration
8
star
75

jfrog-ui-essentials

JavaScript
8
star
76

jfrog-ide-webview

JFrog-IDE-Webview is a React-based HTML page designed to be seamlessly embedded within JFrog VS Code Extension and the JFrog IDEA Plugin.
TypeScript
8
star
77

go-mockhttp

Go
7
star
78

ide-plugins-common

Common code used by the JFrog Idea Plugin and the JFrog Eclipse plugin
Java
7
star
79

jfrog-pipelines-task

7
star
80

nuget-deps-tree

This npm package reads the NuGet dependencies of a .NET project, and generates a dependencies tree object.
TypeScript
7
star
81

log-analytics-datadog

JFrog Datadog Log Analytics Integration
Dockerfile
7
star
82

knife-art

Knife Artifactory integration
Ruby
7
star
83

jfrog-pipelines-go-task

Makefile
7
star
84

jfrog-mission-control-2.0

Jfrog Mission Control 2.0 example scripts
Groovy
7
star
85

jfrog-cli-plugin-template

Go
6
star
86

npm_domain_check

Python
6
star
87

go-license-discovery

A go library for matching text against known OSS licenses
Go
6
star
88

sample-soleng-python-project

Python
6
star
89

jfrog-distroless

Starlark
6
star
90

maven-dep-tree

Maven plugin that reads the Maven dependencies of a given Maven project, and generates a dependency tree.
Java
6
star
91

terraform-provider-pipeline

Terraform provider to manage Artifactory Pipelines
Go
6
star
92

docker-remote-util

A groovy util library to interact with docker remote api
Groovy
6
star
93

webapp-examples

Examples of Web Application that use Artifactory as a backend
CSS
6
star
94

jfrog-pipelines-jenkins-example

Go
5
star
95

jfrog-cli-security

Go module that encompasses the security commands of JFrog CLI
Go
5
star
96

fan4idea

Java
4
star
97

live-logs

Go
4
star
98

gocmd

Go
4
star
99

jfrog-pipelines-docker-sample

Shell
4
star
100

SwampUp2023

HCL
4
star