diff --git a/README.md b/README.md
index 846fc93..ad8d01b 100644
--- a/README.md
+++ b/README.md
@@ -3,28 +3,30 @@
log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch.
### Download
-* [log4j2-scan 1.2.2 (Windows x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.2/logpresso-log4j2-scan-1.2.2-win64.7z)
-* [log4j2-scan 1.2.2 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.2/logpresso-log4j2-scan-1.2.2-linux.tar.gz)
-* [log4j2-scan 1.2.2 (Any OS, 10KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.2/logpresso-log4j2-scan-1.2.2.jar)
+* [log4j2-scan 1.2.3 (Windows x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.3/logpresso-log4j2-scan-1.2.3-win64.7z)
+* [log4j2-scan 1.2.3 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.3/logpresso-log4j2-scan-1.2.3-linux.tar.gz)
+* [log4j2-scan 1.2.3 (Any OS, 10KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.3/logpresso-log4j2-scan-1.2.3.jar)
### How to use
Just run log4j2-scan.exe or log4j2-scan with target directory path.
On Windows
```
-log4j2-scan [--fix] target_path
+log4j2-scan [--fix] [--trace] target_path
```
On Linux
```
-./log4j2-scan [--fix] target_path
+./log4j2-scan [--fix] [--trace] target_path
```
On UNIX (AIX, Solaris, and so on)
```
-java -jar logpresso-log4j2-scan-1.2.2.jar [--fix] [--trace] target_path
+java -jar logpresso-log4j2-scan-1.2.3.jar [--fix] [--trace] target_path
```
If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. It is necessary to shutdown any running JVM process before applying patch. Start affected JVM process after fix.
+If you want to automate patch job, use `--force-fix` option. With this option, this program will no longer prompt for confirmation.
+
`(mitigated)` tag will be displayed if `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry is removed from JAR file.
If you add `--trace` option, this program will print all visited directories and files. Use this option only for debugging.
@@ -49,7 +51,7 @@ Completed in 0.42 seconds
### How it works
Run in 5 steps:
-1. Find all .jar files recursively.
+1. Find all .jar, .war, .ear files recursively.
2. Find `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` entry from JAR file.
3. Read groupId, artifactId, and version.
4. Compare log4j2 version and print vulnerable version.
diff --git a/pom.xml b/pom.xml
index ce8ef81..dd22854 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
4.0.0
com.logpresso
log4j2-scanner
- 1.2.2
+ 1.2.3
jar
Logpresso Log4j2 Scanner
diff --git a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
index 70e31bf..2daa426 100644
--- a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
+++ b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
@@ -26,22 +26,28 @@ public enum Status {
private long scanDirCount = 0;
private long scanFileCount = 0;
private long vulnerableFileCount = 0;
+ private long fixedFileCount = 0;
private Set vulnerableFiles = new LinkedHashSet();
public static void main(String[] args) {
if (args.length < 1) {
- System.out.println("Logpresso CVE-2021-44228 Vulnerability Scanner 1.2.2 (2021-12-13)");
- System.out.println("Usage: log4j2-scan [--fix] [--trace] target_path");
+ System.out.println("Logpresso CVE-2021-44228 Vulnerability Scanner 1.2.3 (2021-12-14)");
+ System.out.println("Usage: log4j2-scan [--fix] [--force-fix] [--trace] target_path");
+ System.out.println(" Do not use --force-fix unless you know what you are doing");
return;
}
boolean trace = false;
boolean fix = false;
+ boolean force = false;
for (int i = 0; i < args.length - 1; i++) {
if (args[i].equals("--fix")) {
fix = true;
+ } else if (args[i].equals("--force-fix")) {
+ fix = true;
+ force = true;
} else if (args[i].equals("--trace")) {
trace = true;
} else {
@@ -52,7 +58,7 @@ public static void main(String[] args) {
String path = args[args.length - 1];
- if (fix) {
+ if (fix && !force) {
try {
System.out.print("This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? ");
BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
@@ -83,20 +89,28 @@ public void run(File f, boolean fix, boolean trace) {
System.out.println("Scanned " + scanDirCount + " directories and " + scanFileCount + " files");
System.out.println("Found " + vulnerableFileCount + " vulnerable files");
if (fix)
- System.out.println("Fixed " + vulnerableFiles.size() + " vulnerable files");
+ System.out.println("Fixed " + fixedFileCount + " vulnerable files");
System.out.printf("Completed in %.2f seconds\n", elapsed / 1000.0);
}
}
private void fix(boolean trace) {
+ if (!vulnerableFiles.isEmpty())
+ System.out.println("");
+
for (File f : vulnerableFiles) {
if (trace)
System.out.println("Patching " + f.getAbsolutePath());
File backupFile = new File(f.getAbsolutePath() + ".bak");
- if (f.renameTo(backupFile))
+ if (f.renameTo(backupFile)) {
copyExceptJndiLookup(backupFile, f);
+ fixedFileCount++;
+ System.out.println("Fixed: " + f.getAbsolutePath());
+ } else {
+ System.out.println("Error: Cannot patch locked file " + f.getAbsolutePath());
+ }
}
}
@@ -359,7 +373,7 @@ private String loadVulnerableLog4jVersion(InputStream is) throws IOException {
private boolean isScanTarget(String name) {
String loweredName = name.toLowerCase();
- return loweredName.endsWith(".jar") || loweredName.endsWith(".war");
+ return loweredName.endsWith(".jar") || loweredName.endsWith(".war") || loweredName.endsWith(".ear");
}
private boolean isVulnerable(int major, int minor, int patch) {