Commit

Changed release link for CVE-2022-23302, CVE-2022-23305 and CVE-2022-…
xeraph committed Jan 27, 2022
1 parent 8112f84 commit d5d8a3a
Showing 1 changed file with 10 additions and 9 deletions.
19 changes: 10 additions & 9 deletions README.md
Expand Up @@ -3,16 +3,16 @@
log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-44832 (log4j 2.17.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.

### Download
* [log4j2-scan 2.7.2 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.2/logpresso-log4j2-scan-2.7.2-win64.7z)
* [log4j2-scan 2.7.2 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.2/logpresso-log4j2-scan-2.7.2-win64.zip)
* [log4j2-scan 2.8.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-win64.7z)
* [log4j2-scan 2.8.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-win64.zip)
* If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
* If native executable doesn't work, use the JAR instead. 32bit is not supported.
* 7zip is available from www.7zip.org, and is open source and free.
* [log4j2-scan 2.7.2 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.2/logpresso-log4j2-scan-2.7.2-linux.tar.gz)
* [log4j2-scan 2.7.2 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.2/logpresso-log4j2-scan-2.7.2-linux-aarch64.tar.gz)
* [log4j2-scan 2.8.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-linux.tar.gz)
* [log4j2-scan 2.8.0 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-linux-aarch64.tar.gz)
* If native executable doesn't work, use the JAR instead. 32bit is not supported.
* [log4j2-scan 2.7.2 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.2/logpresso-log4j2-scan-2.7.2-darwin.zip)
* [log4j2-scan 2.7.2 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.7.2/logpresso-log4j2-scan-2.7.2.jar)
* [log4j2-scan 2.8.0 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0-darwin.zip)
* [log4j2-scan 2.8.0 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.8.0/logpresso-log4j2-scan-2.8.0.jar)

### Build
* [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
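Review bot: The summary paragraph at the top of this hunk is left unchanged and still lists only CVE-2021-* identifiers, while the commit title says the 2.8.0 links are for CVE-2022-23302 and CVE-2022-23305; add those to the list so readers know what the new release detects. The "Any OS, 620KB" label is also carried over unchanged from 2.7.2 and should be checked against the 2.8.0 JAR. Since every link is bumped by hand, consider listing a SHA-256 next to each download so users can verify what they fetched.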
Expand All @@ -30,7 +30,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress

Usage
```
Logpresso CVE-2021-44228 Vulnerability Scanner 2.7.2 (2022-01-02)
Logpresso CVE-2021-44228 Vulnerability Scanner 2.8.0 (2022-01-27)
Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
-f [config_file_path]
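Review bot: The banner line "Logpresso CVE-2021-44228 Vulnerability Scanner 2.8.0 (2022-01-27)" is a hand-copied version and date that this commit also has to update in the download links and in the `java -jar` example, so the three places can drift apart on the next release. Consider pasting the usage block from the built binary's actual output at release time, or keeping the version in one place and referring to it elsewhere.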
Expand All @@ -46,7 +46,8 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
Specify an alternate zip encoding other than utf-8. System default charset is used if not specified.
--fix
Backup original file and remove JndiLookup.class from JAR recursively.
With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class
With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class,
JMSSink.class, JDBCAppender.class, and all classes of org.apache.log4j.chainsaw package
--force-fix
Do not prompt confirmation. Don't use this option unless you know what you are doing.
--restore [backup_file_path]
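Review bot: The extended `--scan-log4j1` removal list (JMSSink.class, JDBCAppender.class, all classes of the org.apache.log4j.chainsaw package) is not tied to any CVE in the help text, so an operator cannot tell which finding each removal answers. Name the relevant CVE beside each class or group, and note that a log4j 1.x configuration that references JDBCAppender will no longer find that class after `--fix`.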
Expand Down Expand Up @@ -122,7 +123,7 @@ On Linux
```
On UNIX (AIX, Solaris, and so on)
```
java -jar logpresso-log4j2-scan-2.7.2.jar [--fix] target_path
java -jar logpresso-log4j2-scan-2.8.0.jar [--fix] target_path
```

If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option.
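Review bot: The `--fix` paragraph kept as context after the updated `java -jar` line still describes only the removal of `org/apache/logging/log4j/core/lookup/JndiLookup.class`, and its risk statement speaks only of the JNDI lookup feature. With the longer log4j 1.x removal list now documented in the usage text, extend this paragraph to say what `--fix` removes when `--scan-log4j1` is given and that `--restore` covers those JARs as well, if it does.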