Simple local scanner for vulnerable log4j instances

Overview

Simple local log4j vulnerability scanner

(Written in Go because, you know, "write once, run anywhere.")

This is a simple tool that can be used to find vulnerable instances of log4j 1.x and 2.x (CVE-2019-17571, CVE-2021-44228) in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged.

This tool currently checks for known build artifacts that have been obtained through Maven. From-source rebuilds as they are done for Linux distributions may not be recognized.
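The matching step described above, as an added example that is not the scanner's own code: it assumes "known to be vulnerable" means comparing each class file's SHA-256 against a list of known digests, and it shows a byte-different rebuild of the same class going unflagged. The function names, archive names, class bytes and hash label are constructed for illustration, and entry sizes are not capped here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"fmt"
	"io/fs"
	"path"
	"strings"
)

// jar builds a one-entry archive in memory (constructed sample input).
func jar(name string, body []byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(name)
	w.Write(body)
	zw.Close()
	return buf.Bytes()
}

// scan lists .class entries whose SHA-256 is in known, descending into nested archives.
func scan(data []byte, at string, known map[string]string) (hits []string) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil { // report it: a silently skipped archive is a blind spot
		return []string{strings.TrimSuffix(at, "!/") + ": unreadable: " + err.Error()}
	}
	for _, f := range zr.File {
		body, err := fs.ReadFile(zr, f.Name) // a real scanner should also cap entry size
		if err != nil {
			continue // directory entry or unreadable member
		}
		if ext := strings.ToLower(path.Ext(f.Name)); ext == ".jar" || ext == ".war" || ext == ".ear" {
			hits = append(hits, scan(body, at+f.Name+"!/", known)...)
		} else if label, ok := known[fmt.Sprintf("%x", sha256.Sum256(body))]; ok && ext == ".class" {
			hits = append(hits, at+f.Name+": "+label)
		}
	}
	return hits
}

func demo() (maven, rebuilt []string) {
	cls, p := []byte("constructed class bytes"), "org/apache/logging/log4j/core/net/JndiManager.class"
	known := map[string]string{fmt.Sprintf("%x", sha256.Sum256(cls)): "known Maven build (constructed hash)"}
	maven = scan(jar("WEB-INF/lib/log4j-core.jar", jar(p, cls)), "app.war!/", known) // nested hit
	return maven, scan(jar(p, append(cls, 0)), "rebuilt.jar!/", known)               // rebuilt: no hit
}

func main() { fmt.Println(demo()) }
```

An empty result for `rebuilt.jar` means "no known digest matched", not "not vulnerable", which is the limitation the paragraph above describes for from-source rebuilds.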

Usage

$ ./log4j-vuln-scanner /path/to/app1 /path/to/app2 …

License

GNU General Public License, version 3

Author

Hilko Bengen <[email protected]>

Issues
  • Virustotal  17 security vendors and 1 sandbox flagged this file as malicious

    VirusTotal indicated for the .exe file that 17 security vendors and 1 sandbox flagged this file as malicious. Is this a false positive? https://www.virustotal.com/gui/file/9475f529d96d306d52d050cf816712894fc082da863b733cae22f9dbd3b433bd

    opened by askvpb 18
  • unable to unzip jar files

    While scanning nested .jar files, the scanner exits with an error:

    ./local-log4j-vuln-scanner --exclude /proc /
    local-log4j-vuln-scanner - a simple local log4j vulnerability scanner

    OUTPUT cant't open JAR file: /../../../FOO-1.0.0-BAR.jar (size 19165951): zip: not a valid zip file ….

    Manually unzipping the file works fine:

    unzip -l /../../../FOO-1.0.0-BAR.jar
    Archive:  /../../../FOO-1.0.0-BAR.jar
    warning [ /../../../FOO-1.0.0-BAR.jar ]:  8500 extra bytes at beginning or within zipfile
      (attempting to process anyway)

    opened by t0xic-coder 10
  • Scans network shares on macOS

    Because Apple is dumb, they've placed both the Data partition and network shares in /System/Volumes

    Can we add a flag to have it not scan network shares?

    opened by staze 9
  • Unable to scan network filesystems

    We are using your scanner tool to scan user home directories which are hosted on AFS, this used to work perfectly but the latest version now seems to ignore them. For example:

    """
    ./local-log4j-vuln-scanner /afs/example.org/user/bob
    local-log4j-vuln-scanner - a simple local log4j vulnerability scanner

    Checking for vulnerabilities: CVE-2019-17571, CVE-2021-44228, CVE-2021-45105
    Skipping /afs/example.org/user/bob: pseudo or network filesystem

    Scan finished
    """

    I can see this affecting other sites which similarly use NFS or Samba for user home directories. Could the skipping of network filesystems please be made optional?

    Thanks,

    Stephen Quinney

    opened by sjquinney 5
  • Detection of CVE 2021-45046?

    opened by ZerhackerJagi 5
  • Flagging 1.X Versions

    Is it intended that this utility will flag 1.X versions? It has been stated that "As log4j 1.x does NOT offer a look-up mechanism, it does NOT suffer from CVE-2021-44228". Does this mean that 1.X versions can and should be disregarded?

    Thx

    opened by theonlykernel 5
  • How to use filter.go

    With Windows 10, running "go run main.go <filepath>" (within scanner) does well.
    With Windows 10, running "go run main.go -help" (within scanner) does well.
    With Windows 10, running "go run filter.go" fails with "package command-line-arguments is not a main package".
    With Windows 10, running "go run filter.go -help" fails with "package command-line-arguments is not a main package".

    Pardon, I'm a newbie. Any hints?

    opened by natschel 4
  • CVE-2021-45105 should mark 2.16 as vulnerable

    see https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.17.0_.28Java_8.29 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105

    opened by damoon 4
  • Scanner cannot find vulnerabilities when class is esclazz

    There is at least one library which shades log4j, packaging the class as .esclazz. I have no idea why.

    https://github.com/elastic/apm-agent-java

    Can we add scanning support for these files?

    opened by ccoltx 3
  • installation with go install

    Could you please add a feature to install the scanner using "go install" ?

    eg: go install github.com/hillu/[email protected]

    opened by vitikyalapatii 2
  • Add 2.16.0 (CVE-2021-45105) and 2.17.0 (CVE-2021-44832) as vulnerable

    This adds the CVE-2021-45105 vulnerability (log4j-core-2.16.0) and the CVE-2021-44832 vulnerability (log4j-core-2.17.0) to the scanner.

    The changes from @L0u15 out of #43 are already part of this PR. README was also updated.

    I tested this on my local Win10 machine as well as on a WinServer 2016 and it worked there.

    opened by ghost 2
  • Add config for CVE_2022_23307 , apache chainsaw vulnerability

    We have been using this code to check for log shell CVE and wanted to also have it find the new chainsaw cve, so a small update to the config in Filter.

    opened by andrewdriver123 0
  • x86 support?

    Sorry, really new to Go. I can't seem to get this to work on windows x86 machines. I repeatedly get a message, This executable is not compatible with the version of windows you are running. It is only happening on win7 x86 intel machines. Am I just missing something obvious?

    opened by EmissaryVX 3
  • Detection flags jar files with JndiLookup.class removed (but JndiManager.class present)

    Thanks for the great tool! I understand that the detection is done by checking for presence of the JndiManager.class in versions 2.1 and up.

    However, my understanding is that removing JndiLookup.class should be sufficient to mitigate the issue. I know that there is some conflicting information regarding this out there (whether to remove both the lookup and the manager class or only the lookup), but based on the official communication by Apache, removing the JndiLookup.class should be sufficient:

    Otherwise, in any release other than 2.16.0, you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046

    Is there any concrete information out there that JndiManager.class really needs to be removed too? If not, it could make sense to change the detection to be based on the Lookup's class presence for accurate results.

    opened by leepfrog-ger 8
  • command line option for jar file matching

    In the scanner, the file name extensions are hard-coded to jar/war/ear; at least rar (resource adapter archive) is missing. It would be a great improvement to configure the file names to match on the command line, e.g., log4j-vuln-scanner --jarfiles jar,war,ear,rar

    opened by danielgrahl 7
Releases(v0.13)
Owner
Hilko Bengen
Proud 1x developer, dev AND ops / golang (also cgo), C, Shell, Perl, Python / Linux, Debian, Ubuntu / Security, DFIR, YARA. Cyber!