diff --git a/README.md b/README.md index b55b196..d8dc33d 100644 --- a/README.md +++ b/README.md @@ -2,17 +2,20 @@ log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-44832 (log4j 2.17.0), CVE-2021-4104, CVE-2019-17571, CVE-2017-5645, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities. +### Log4j Risk Management +You can integrate log4j2-scan with [Logpresso Watch](https://logpresso.watch) service for reporting and patch management. Visit https://logpresso.watch for details. + ### Download -* [log4j2-scan 2.9.2 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.2/logpresso-log4j2-scan-2.9.2-win64.7z) -* [log4j2-scan 2.9.2 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.2/logpresso-log4j2-scan-2.9.2-win64.zip) +* [log4j2-scan 3.0.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-win64.7z) +* [log4j2-scan 3.0.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-win64.zip) * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170). * If native executable doesn't work, use the JAR instead. 32bit is not supported. * 7zip is available from www.7zip.org, and is open source and free. -* [log4j2-scan 2.9.2 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.2/logpresso-log4j2-scan-2.9.2-linux.tar.gz) -* [log4j2-scan 2.9.2 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.2/logpresso-log4j2-scan-2.9.2-linux-aarch64.tar.gz) +* [log4j2-scan 3.0.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-linux.tar.gz) +* [log4j2-scan 3.0.0 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-linux-aarch64.tar.gz) * If native executable doesn't work, use the JAR instead. 32bit is not supported. -* [log4j2-scan 2.9.2 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.2/logpresso-log4j2-scan-2.9.2-darwin.zip) -* [log4j2-scan 2.9.2 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.9.2/logpresso-log4j2-scan-2.9.2.jar) +* [log4j2-scan 3.0.0 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-darwin.zip) +* [log4j2-scan 3.0.0 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0.jar) ### Build * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image) @@ -39,7 +42,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress Usage ``` -Logpresso CVE-2021-44228 Vulnerability Scanner 2.9.2 (2022-02-02) +Logpresso CVE-2021-44228 Vulnerability Scanner 3.0.0 (2022-02-11) Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2 -f [config_file_path] @@ -83,7 +86,12 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2 --exclude-file-config [config_file_path] Specify exclude file path list in text file. Paths should be separated by new line. Prepend # for comment. --exclude-fs nfs,tmpfs - Exclude paths by file system type. nfs, nfs3, nfs4, afs, cifs, autofs, tmpfs, devtmpfs, fuse.sshfs and iso9660 is ignored by default. + Exclude paths by file system type. nfs, nfs3, nfs4, afs, cifs, autofs, + tmpfs, devtmpfs, fuse.sshfs, smbfs and iso9660 is ignored by default. +--api-key [key] + Send reports to Logpresso Watch service. +--http-proxy [addr:port] + Send reports via specified HTTP proxy server. --syslog-udp [host:port] Send reports to remote syslog host. Send vulnerable, potentially vulnerable, and mitigated reports by default. @@ -134,7 +142,7 @@ On Linux ``` On UNIX (AIX, Solaris, and so on) ``` -java -jar logpresso-log4j2-scan-2.9.2.jar [--fix] target_path +java -jar logpresso-log4j2-scan-3.0.0.jar [--fix] target_path ``` If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option. @@ -189,11 +197,6 @@ Run in 5 steps: * [Checkmk](https://checkmk.com/blog/automatically-detecting-log4j-vulnerabilities-in-your-it) * See also [checkmk CVE-log4j agent plugin](https://github.com/thl-cmk/CVE-log4j-check_mk-plugin) -### Reporting -If you need centralized logging and reporting, contact sales@logpresso.com for more information. - -![Logpresso Scanner Report](report.png) - ### Contact If you have any question or issue, create an issue in this repository. diff --git a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java index 5c4c891..8f7bbf0 100644 --- a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java +++ b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java @@ -30,7 +30,7 @@ public class Log4j2Scanner { public static final String VERSION = "3.0.0"; - public static final String RELEASE_DATE = "2022-02-07"; + public static final String RELEASE_DATE = "2022-02-11"; public static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner " + VERSION + " (" + RELEASE_DATE + ")"; private static final boolean isWindows = File.separatorChar == '\\';