Log4j-detector | CVE-2021-44228

 


Detects Log4J versions on your file system, inside any application, that are vulnerable to CVE-2021-44228 and CVE-2021-45046. It can even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too.

Example Usage

java -jar log4j-detector-2021.12.20.jar [path-to-scan] > hits.txt

More Example Usage:

java -jar log4j-detector-2021.12.20.jar ./samples

-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
/opt/mergebase/log4j-detector/samples/clt-1.0-SNAPSHOT.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
/opt/mergebase/log4j-detector/samples/log4j-1.2.13.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
/opt/mergebase/log4j-detector/samples/log4j-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta2.jar contains Log4J-2.x   <= 2.0-beta8 _POTENTIALLY_SAFE_ :-| (or did you already remove JndiLookup.class?)
/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta9.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.0.2.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.0.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.12.2.jar contains Log4J-2.x   >= 2.12.2 _SAFE_ :-)
/opt/mergebase/log4j-detector/samples/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.15.0.jar contains Log4J-2.x   >= 2.15.0 _OKAY_ :-|
/opt/mergebase/log4j-detector/samples/log4j-core-2.16.0.jar contains Log4J-2.x   >= 2.16.0 _SAFE_ :-)
/opt/mergebase/log4j-detector/samples/log4j-core-2.4.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.9.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(

Understanding The Results

_VULNERABLE_ -> You need to upgrade or remove this file.

_OKAY_ -> We only report this for Log4J version 2.15.0. We recommend upgrading to 2.16.0.

_SAFE_ -> We currently only report this for Log4J versions 2.16.0 and 2.12.2.

_OLD_ -> You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for a long time and has several known vulnerabilities.

_POTENTIALLY_SAFE_ -> The "JndiLookup.class" file is not present, either because your version of Log4J is very old (pre 2.0-beta9), or because someone already removed this file. If it was removed, make sure it was someone in your team or company who removed "JndiLookup.class", because attackers have been known to remove this file themselves to keep competing attackers from gaining access to compromised systems.

Usage

java -jar log4j-detector-2021.12.20.jar

Usage: java -jar log4j-detector-2021.12.20.jar [--verbose] [paths to scan...]

Exit codes:  0 = No vulnerable Log4J versions found.
             1 = At least one legacy Log4J 1.x version found.
             2 = At least one vulnerable Log4J version found.

About - MergeBase log4j detector (version 2021.12.20)
Docs  - https://github.com/mergebase/log4j-detector
(C) Copyright 2021 Mergebase Software Inc. Licensed to you via GPLv3.
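
The verdict labels under "Understanding The Results" and the exit codes above can drive a triage step over a saved hits.txt. The script below is an added example, not part of log4j-detector or of the original page; the function names, the headings it prints and the /opt/app/lib sample paths are assumptions made for illustration, and it assumes one hit per line in the format shown in the sample output.

```shell
#!/bin/sh
# Added example, not part of log4j-detector: triage a saved report (hits.txt).

# Constructed sample report; the line format is copied from the output shown
# above, the /opt/app/lib paths are made up.
sample_report() {
cat <<'EOF'
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
/opt/app/lib/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
/opt/app/lib/log4j-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
/opt/app/lib/log4j-core-2.0-beta2.jar contains Log4J-2.x   <= 2.0-beta8 _POTENTIALLY_SAFE_ :-| (or did you already remove JndiLookup.class?)
/opt/app/lib/log4j-core-2.16.0.jar contains Log4J-2.x   >= 2.16.0 _SAFE_ :-)
EOF
}

# paths_with_verdict REPORT VERDICT
# Prints the path of every hit whose verdict token is exactly _VERDICT_.
# The verdict is matched as a whole field after " contains Log4J-", so
# SAFE does not match _POTENTIALLY_SAFE_ and paths with spaces stay intact.
paths_with_verdict() {
  awk -v v="_${2}_" '
    /^-- / { next }                          # banner and note lines
    {
      i = index($0, " contains Log4J-")
      if (i == 0) next                       # not a hit line
      n = split(substr($0, i), f, " ")
      for (k = 1; k <= n; k++)
        if (f[k] == v) { print substr($0, 1, i - 1); break }
    }' "$1"
}

# triage_report REPORT
# Prints work lists and returns 2 / 1 / 0 with the same meaning as the
# detector exit codes documented on this page.
triage_report() {
  vuln=$(paths_with_verdict "$1" VULNERABLE)
  old=$(paths_with_verdict "$1" OLD)
  review=$(paths_with_verdict "$1" POTENTIALLY_SAFE)
  rc=0
  if [ -n "$old" ]; then rc=1; printf 'PLAN UPGRADE (Log4J 1.x):\n%s\n' "$old"; fi
  if [ -n "$vuln" ]; then rc=2; printf 'UPGRADE OR REMOVE NOW:\n%s\n' "$vuln"; fi
  if [ -n "$review" ]; then
    printf 'CONFIRM WHO REMOVED JndiLookup.class:\n%s\n' "$review"
  fi
  return "$rc"
}

# Stand-alone use: sh triage.sh hits.txt
if [ -r "${1:-}" ]; then triage_report "$1"; exit $?; fi
```

The _POTENTIALLY_SAFE_ hits are listed separately because, as described above, a missing JndiLookup.class needs a human to confirm who removed it.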

Build From Source

git clone https://github.com/mergebase/log4j-detector.git
cd log4j-detector/
mvn install
java -jar target/log4j-detector-2021.12.20.jar

Download

By: Shadow Hacker