
qualys / log4jscanwin


Log4j Vulnerability Scanner for Windows

License: Other

C++ 20.55% Makefile 0.42% M4 0.02% C 72.27% DIGITAL Command Language 0.39% Roff 0.15% CMake 0.36% CSS 0.09% HTML 0.43% JavaScript 0.01% Shell 0.19% SAS 0.03% Ada 1.22% Assembly 1.94% Pascal 1.03% C# 0.76% Batchfile 0.06% Module Management System 0.02% Perl 0.05%
security scanner vulnerability security-tools cve cve-2021-44228 cve-2021-4104 cve-2021-44832 cve-2021-45046 cve-2021-45105

log4jscanwin's Introduction

THIS SCRIPT IS PROVIDED TO YOU "AS IS." TO THE EXTENT PERMITTED BY LAW, QUALYS HEREBY DISCLAIMS ALL WARRANTIES AND LIABILITY FOR THE PROVISION OR USE OF THIS SCRIPT. IN NO EVENT SHALL THESE SCRIPTS BE DEEMED TO BE CLOUD SERVICES AS PROVIDED BY QUALYS

Direct Download Links

https://github.com/Qualys/log4jscanwin/releases/download/2.1.3.0/Log4jScanner-2.1.3.0.zip
https://github.com/Qualys/log4jscanwin/releases/download/log4j-rem-1.2.2.1/Log4jRemediate-1.2.2.1.zip

Log4jScanner

Description

The Log4jScanner.exe utility helps to detect CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105. It scans the entire hard drive(s), including archives (and nested JARs), for the Java class (JndiLookup.class) and manifest data that indicate a Java application contains a vulnerable log4j library, and prints its results to the console.

Qualys has added the following new QIDs that are designed to look for the results of this scan and mark the asset as vulnerable if the vulnerable log4j library was found.

  • (376160) CVE-2021-44228
  • (376193) CVE-2021-45046
  • (376195) CVE-2021-45105
  • (376210) CVE-2021-44832
  • (45515) Information Gathering: the Log4j Scan Utility was run on the host

Qualys customers should use the following to run the tool on any asset they want to scan, from an elevated command prompt:

Log4jScanner.exe /scan /report_sig

Usage

/scan
  Scan local drives for vulnerable files used by various Java applications.
/scan_network
  Scan network drives for vulnerable files used by various Java applications.
/scan_directory "C:\Some\Path"
  Scan a specific directory for vulnerable files used by various Java applications.
/scan_file "C:\Some\Path\Some.jar"
  Scan a specific file for supported CVE(s).
/scaninclmountpoints
  Scan local drives including mount points for vulnerable files used by various Java applications.
/exclude_drive "C:\"
  Exclude a drive from the scan.
/exclude_directory "C:\Some\Path"
  Exclude a directory from a scan.
/exclude_file "C:\Some\Path\Some.jar"
  Exclude a file from a scan.
/knownTarExtension ".tar"
/knownGZipTarExtension ".tgz"
/knownBZipTarExtension ".tbz"
/knownZipExtension ".jar"
  Add additional file type extensions to the scanner.
/report
  Generate a JSON report of possible detections of supported CVE(s).
/report_pretty
  Generate a human readable JSON report of possible detections of supported CVE(s).
/report_sig
  Generate a signature report of possible detections of supported CVE(s).
/lowpriority
  Lowers the execution and I/O priority of the scanner.
/help
  Displays this help page.

Sample Usage (from an elevated command prompt) - The following command helps you scan local drives for vulnerable JAR, WAR, EAR, and ZIP files.

Log4jScanner.exe /scan

Sample Usage (from an elevated command prompt) - The following command helps you scan local drives for vulnerable files and writes a signature report to C:\ProgramData\Qualys.

Log4jScanner.exe /scan /report_sig

Output - The following output shows the detection

D:\Temp>Log4jScanner.exe /scan /exclude_directory C:\ /knownZipExtension .ZZZ
Qualys Log4j Vulnerability Scanner 2.1.1.0
https://www.qualys.com/
Dependencies: minizip/1.1 zlib/1.2.11, bzip2/1.0.8
Supported CVE(s): CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105

Known TAR Extensions            : .tar
Known GZIP TAR Extensions       : .tgz, .tar.gz
Known BZIP TAR Extensions       : .tbz, .tbz2, .tar.bz, .tar.bz2
Known ZIP Extensions            : .zip, .jar, .war, .ear, .par, .kar, .sar, .rar, .jpi, .hpi, .apk, .ZZZ
Excluding Directories:
        C:\


Scanning Local Drives...
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\arara.jar' ( Manifest Vendor: Unknown, Manifest Version: 6.1.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\arara.signed.jar' ( Manifest Vendor: Unknown, Manifest Version: 6.1.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\bad_jar_in_jar.jar!vuln-class.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\bad_jar_in_jar_in_jar.jar!bad_jar_in_jar.jar!vuln-class.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\bad_jar_with_invalid_jar.jar!vuln-class.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\good_jar_in_jar.jar!safe1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\good_jar_in_jar_in_jar.jar!good_jar_in_jar.jar!safe1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\good_jar_with_invalid_jar.jar!safe1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.1.jar' ( Manifest Vendor: org.apache, Manifest Version: 2.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.12.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.12.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.12.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.14.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.15.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.15.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.15.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.16.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.16.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.16.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: NOT Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\safe1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\safe1.signed.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\similarbutnotvuln.jar' ( Manifest Vendor: org.apache, Manifest Version: 2.1, JNDI Class: NOT Found, Log4j Vendor: log4j-core, Log4j Version: 2.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: NOT Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\vuln-class.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-1.1.3.zip!jakarta-log4j-1.1.3/dist/lib/log4j-core.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.1.3, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.1.3, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-1.1.3.zip!jakarta-log4j-1.1.3/dist/lib/log4j.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.1.3, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.1.3, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-1.1.3.zip' ( Manifest Vendor: , Manifest Version: , JNDI Class: NOT Found, Log4j Vendor: Unknown, Log4j Version: Unknown, CVE Status: N/A )
Log4j Found: 'D:\Temp\log4j-1.2.17.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )
Log4j Found: 'D:\Temp\log4j-1.2.17.zip!apache-log4j-1.2.17/log4j-1.2.17.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )
Log4j Found: 'D:\Temp\log4j-1.2.17.zip' ( Manifest Vendor: , Manifest Version: , JNDI Class: NOT Found, Log4j Vendor: Unknown, Log4j Version: Unknown, CVE Status: N/A )
Log4j Found: 'D:\Temp\log4j-1.2.9.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.9, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.9, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )
Log4j Found: 'D:\Temp\log4j-1.2.9.zip!logging-log4j-1.2.9/dist/lib/log4j-1.2.9.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.9, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.9, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )
Log4j Found: 'D:\Temp\log4j-1.2.9.zip' ( Manifest Vendor: , Manifest Version: , JNDI Class: NOT Found, Log4j Vendor: Unknown, Log4j Version: Unknown, CVE Status: N/A )
Log4j Found: 'D:\Temp\log4j-api-2.16.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.16.0, JNDI Class: NOT Found, Log4j Vendor: log4j-api, Log4j Version: 2.16.0, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-core-2.11.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.11.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.11.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.12.4.jar' ( Manifest Vendor: log4j, Manifest Version: 2.12.4, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.12.4, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-core-2.14.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.15.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.15.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.15.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.15.0.ZZZ' ( Manifest Vendor: log4j, Manifest Version: 2.15.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.15.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.16.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.16.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.16.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: NOT Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.17.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.17.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.17.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: NOT Found CVE-2021-45105: NOT Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.17.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.17.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.17.1, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-core-2.3.2.jar' ( Manifest Vendor: org.apache, Manifest Version: 2.3.2, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.3.2, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-core.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.1.3, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.1.3, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-iostreams-2.15.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.15.0, JNDI Class: NOT Found, Log4j Vendor: log4j-iostreams, Log4j Version: 2.15.0, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.1.3, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.1.3, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\org.apache.log4j_1.2.15.v201012070815.jar' ( Manifest Vendor: %PLUGIN_PROVIDER, Manifest Version: 1.2.15.v201012070815, JNDI Class: NOT Found, Log4j Vendor: Unknown, Log4j Version: Unknown, CVE Status: N/A )
Log4j Found: 'D:\Temp\Sample3.zip!Sample1.jar' ( Manifest Vendor: Unknown, Manifest Version: 7.5.2, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.11.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\Sample3.zip!Sample2.jar' ( Manifest Vendor: Unknown, Manifest Version: 7.5.2, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.11.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\昆虫\log4j-core-2.11.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.11.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.11.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\昆虫\log4j-core-2.14.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )

Scan Summary:
        Scan Date:                       2022-01-10T10:05:18-0800
        Scan Duration:                   9 Seconds
        Scan Error Count:                1
        Scan Status:                     Partially Successful
        Files Scanned:                   184889
        Directories Scanned:             30159
        Compressed File(s) Scanned:      96
        JAR(s) Scanned:                  50
        WAR(s) Scanned:                  0
        EAR(s) Scanned:                  0
        TAR(s) Scanned:                  2
        Vulnerabilities Found:           22
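
Added example (not part of the Qualys project): a small Python triage script for the "Log4j Found:" lines shown above. It parses each line into path, nesting chain, vendor, version, JNDI-class flag and the CVEs the scanner reported, then recomputes which CVEs should apply from the vendor, version and JNDI-class fields using the fixed-version table from the Apache Log4j security advisories (assumed here, with the 2.12.x and 2.3.x maintenance branches included), so that lines where the scanner's verdict and the table disagree stand out, such as the log4j-1.2-api false positive reported in the issues further down. Six of the sample lines are copied from the output above; the seventh, with its SomeApp path, is constructed.

```python
"""Triage helper for Log4jScanner.exe console output (added example, not Qualys code).

Parses "Log4j Found: ..." lines, recomputes which CVEs should apply from the
Log4j Vendor / Log4j Version / JNDI Class fields using the fixed-version table
from the Apache Log4j security advisories, and flags lines where the two disagree.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

FINDING_RE = re.compile(
    r"Log4j Found: '(?P<path>.*?)' \( Manifest Vendor: .*?, Manifest Version: .*?, "
    r"JNDI Class: (?P<jndi>Found|NOT Found), Log4j Vendor: (?P<vendor>.*?), "
    r"Log4j Version: (?P<version>.*?), CVE Status: (?P<status>.*) \)$"
)
CVE_FLAG_RE = re.compile(r"(CVE-\d{4}-\d+): (Found|NOT Found)")

# Per CVE: first fixed release on the main line, first fixed release on each
# maintenance branch, and whether the bug needs JndiLookup.class to be present.
# Assumed from the Apache advisories; applies to 2.x log4j-core only.
LOG4J2_FIXES = {
    "CVE-2021-44228": ((2, 15, 0), {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}, True),
    "CVE-2021-45046": ((2, 16, 0), {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}, True),
    "CVE-2021-45105": ((2, 17, 0), {(2, 12): (2, 12, 3), (2, 3): (2, 3, 1)}, False),
    "CVE-2021-44832": ((2, 17, 1), {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}, False),
}

class Finding(NamedTuple):
    path: str
    archive_chain: List[str]   # outer archive first, one element per '!' nesting level
    vendor: str
    version: str
    jndi_found: bool
    status: str                # "Potentially Vulnerable", "Mitigated" or "N/A"
    reported: Set[str]         # CVEs the scanner marked "Found"

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.12.1' -> (2, 12, 1, 0); a pre-release such as '2.0-beta9' sorts below its release."""
    release, _, pre = text.partition("-")
    nums = tuple(int(p) for p in release.split(".") if p.isdigit())
    nums = (nums + (0, 0, 0))[:3]
    if not pre:
        return nums + (0,)
    tail = re.search(r"\d+", pre)
    return nums + (-1, int(tail.group()) if tail else 0)

def _is_fixed(v: Tuple[int, ...], main_fix, branch_fixes) -> bool:
    branch_fix = branch_fixes.get(v[:2])
    return v >= branch_fix if branch_fix is not None else v >= main_fix

def expected_cves(vendor: str, version: str, jndi_found: bool) -> Set[str]:
    """CVEs that apply to this artifact according to the advisory table."""
    v = parse_version(version)
    if vendor == "log4j" and v[:2] == (1, 2):
        return {"CVE-2021-4104"}   # JMSAppender in log4j 1.2.x; log4j-1.2-api is not log4j 1.2
    if vendor != "log4j-core" or v[0] != 2:
        return set()               # log4j-api / -jcl / -iostreams and 1.x log4j-core.jar
    applicable = set()
    for cve, (main_fix, branch_fixes, needs_jndi) in LOG4J2_FIXES.items():
        if needs_jndi and not jndi_found:
            continue               # JndiLookup.class already removed: 44228/45046 mitigated
        if not _is_fixed(v, main_fix, branch_fixes):
            applicable.add(cve)
    return applicable

def parse_finding(line: str) -> Optional[Finding]:
    m = FINDING_RE.search(line)
    if not m:
        return None
    reported = {cve for cve, flag in CVE_FLAG_RE.findall(m["status"]) if flag == "Found"}
    return Finding(m["path"], m["path"].split("!"), m["vendor"], m["version"],
                   m["jndi"] == "Found", m["status"].split(" (")[0].strip(), reported)

def triage(lines: Iterable[str]) -> List[dict]:
    """One row per finding; rows with agrees=False are the ones to check by hand."""
    rows = []
    for line in lines:
        f = parse_finding(line)
        if f is None:
            continue
        expected = expected_cves(f.vendor, f.version, f.jndi_found)
        rows.append({"path": f.path, "nested": len(f.archive_chain) > 1, "vendor": f.vendor,
                     "version": f.version, "status": f.status, "reported": sorted(f.reported),
                     "expected": sorted(expected), "agrees": f.reported == expected})
    return rows

# Sample input: six lines copied from the README output above, plus one constructed line
# (fictional SomeApp path) in the shape of the log4j-1.2-api false positive from the issues.
SAMPLE_LINES = [
    r"Log4j Found: 'D:\Temp\log4j-core-2.15.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.15.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.15.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )",
    r"Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\similarbutnotvuln.jar' ( Manifest Vendor: org.apache, Manifest Version: 2.1, JNDI Class: NOT Found, Log4j Vendor: log4j-core, Log4j Version: 2.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: NOT Found CVE-2021-45105: Found ) )",
    r"Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\bad_jar_in_jar.jar!vuln-class.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )",
    r"Log4j Found: 'D:\Temp\log4j-1.2.17.zip!apache-log4j-1.2.17/log4j-1.2.17.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )",
    r"Log4j Found: 'D:\Temp\log4j-api-2.16.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.16.0, JNDI Class: NOT Found, Log4j Vendor: log4j-api, Log4j Version: 2.16.0, CVE Status: Mitigated )",
    r"Log4j Found: 'D:\Temp\log4j-1.2.17.zip' ( Manifest Vendor: , Manifest Version: , JNDI Class: NOT Found, Log4j Vendor: Unknown, Log4j Version: Unknown, CVE Status: N/A )",
    r"Log4j Found: 'C:\Program Files (x86)\SomeApp\lib\log4j-1.2-api-2.17.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.17.1, JNDI Class: NOT Found, Log4j Vendor: log4j-1.2-api, Log4j Version: 2.17.1, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print("OK " if row["agrees"] else "CHK", row["vendor"], row["version"],
              "reported=%s expected=%s" % (row["reported"], row["expected"]), row["path"])
```

Run it as-is to see the table, or feed it the lines of a captured console run with triage(open(path).read().splitlines()). Output redirected from PowerShell is commonly written as UTF-16 and shows up as spaced-out characters when read as ANSI (compare the "No Summary after Errors" issue below); decode such a capture with encoding="utf-16" before splitting it into lines. The two rules worth noting in expected_cves are that CVE-2021-44228 and CVE-2021-45046 only count when JndiLookup.class is still present, while CVE-2021-45105 and CVE-2021-44832 are version-only, which is exactly the pattern the scanner's own output shows for similarbutnotvuln.jar.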

Log4jRemediate

Description

The Log4jRemediate.exe utility helps in mitigating CVE-2021-44228 and CVE-2021-45046 vulnerabilities. The utility will remove the JndiLookup.class from vulnerable log4j core libraries (including archives and nested JARs). The utility will output its results to a console.

Users should use the following to run the tool on any asset they want to mitigate the vulnerability, from an elevated command prompt:

Log4jRemediate.exe /remediate_sig

Prerequisites

  1. Log4jRemediate.exe mitigates vulnerabilities in the report file created by the Log4jScanner.exe utility. Therefore, Log4jScanner.exe has to be executed with the following from an elevated command prompt before running the remediation utility:

    Log4jScanner.exe /scan /report_sig

  2. It is necessary to shut down running JVM processes before running the utility. JVM processes can be started again after the utility completes execution.
  3. If required, users should back up copies of the vulnerable libraries that Log4jScanner.exe reported in %ProgramData%\Qualys\log4j_findings.out before remediation, since the utility modifies those files.

Usage

/remediate_sig
  Remove JndiLookup.class from JAR, WAR, EAR, ZIP files detected by scanner utility.
/report
  Generate a JSON report of mitigations of supported CVE(s).
/report_pretty
  Generate a human readable JSON report of mitigations of supported CVE(s).

Sample Usage (from an elevated command prompt) - The following command helps you mitigate vulnerable JAR, WAR, EAR, and ZIP files detected by the scanner utility.

Log4jRemediate.exe /remediate_sig

Output - The following output shows remediation

Remediation start time : 2022-01-03T11:04:52+0530
Processing file: C:\log4j-core-2.15.0\log4j-core-2.15.0.jar
Copied fixed file: C:\log4j-core-2.15.0\log4j-core-2.15.0.jar
Fixed file: C:\log4j-core-2.15.0\log4j-core-2.15.0.jar
Remediation end time : 2022-01-03T11:04:54+0530

Run status : Success
Result file location : C:\ProgramData\Qualys\log4j_remediate.out
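
Added example (not Qualys code): a Python equivalent of the JndiLookup.class removal described above, written so the effect can be inspected on a throwaway jar. It rewrites an archive without org/apache/logging/log4j/core/lookup/JndiLookup.class, recurses into nested archives using the container extensions from the scanner banner above, returns files that contain no such entry untouched, and writes a .bak copy before replacing a file (the backup the prerequisites ask for). The sample jar is constructed in memory with placeholder class bodies; the class path and the extension list are the only inputs taken from the page.

```python
"""Remove JndiLookup.class from a jar and from jars nested inside it.

Added example, not Qualys code: the same mitigation the README describes
Log4jRemediate.exe applying, in Python, so it can be tried on a test jar.
Same prerequisites as above: stop the JVMs that have the jar open first,
and keep the backup this writes.
"""
import io
import os
import shutil
import tempfile
import zipfile
from typing import List, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Archive types the scanner treats as ZIP containers (from the scanner banner above).
ZIP_EXTENSIONS = (".zip", ".jar", ".war", ".ear", ".par", ".kar", ".sar",
                  ".rar", ".jpi", ".hpi", ".apk")


def strip_jndi_lookup(data: bytes) -> Tuple[bytes, int]:
    """Return (rewritten archive, entries removed).  Recurses into nested
    archives; returns the input untouched when nothing had to be removed."""
    removed = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            payload = src.read(info)
            if info.filename.lower().endswith(ZIP_EXTENSIONS) and zipfile.is_zipfile(io.BytesIO(payload)):
                payload, inner = strip_jndi_lookup(payload)
                removed += inner
            # Fresh header per entry, keeping name, timestamp, permissions and compression.
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            dst.writestr(new, payload)
    return (out.getvalue(), removed) if removed else (data, 0)


def has_jndi_lookup(data: bytes) -> bool:
    """Scanner-style check: is JndiLookup.class present at any nesting level?"""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.filename == JNDI_LOOKUP:
                return True
            if info.filename.lower().endswith(ZIP_EXTENSIONS):
                payload = z.read(info)
                if zipfile.is_zipfile(io.BytesIO(payload)) and has_jndi_lookup(payload):
                    return True
    return False


def entry_names(data: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def remediate_file(path: str) -> int:
    """Back up path to path + '.bak' and rewrite it in place without
    JndiLookup.class.  Returns the number of entries removed (0 = untouched)."""
    with open(path, "rb") as fh:
        fixed, removed = strip_jndi_lookup(fh.read())
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "wb") as fh:
            fh.write(fixed)
    return removed


def build_sample_jar() -> bytes:
    """Constructed test input: an application jar bundling a log4j-core jar that
    still ships JndiLookup.class, plus a shaded copy at top level.  The class
    bodies are placeholders, not real bytecode."""
    blob = b"\xca\xfe\xba\xbe placeholder"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", blob)
        z.writestr(JNDI_LOOKUP, blob)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("com/example/App.class", blob)
        z.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
        z.writestr(JNDI_LOOKUP, blob)
    return outer.getvalue()


if __name__ == "__main__":
    target = os.path.join(tempfile.mkdtemp(), "app.jar")
    with open(target, "wb") as fh:
        fh.write(build_sample_jar())
    print("removed:", remediate_file(target))
    with open(target, "rb") as fh:
        print("still present:", has_jndi_lookup(fh.read()), "backup:", os.path.exists(target + ".bak"))
```

The rewrite keeps every other entry's name, timestamp and compression method but makes no attempt to re-sign a signed jar or to touch a jar a running JVM still has open, so the prerequisites above still apply: stop the JVM first, keep the .bak, and confirm with a rescan that the finding is gone.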

log4jscanwin's People

Contributors

nagten, papike, rickyhoots, romw, surbo, vivekputhiyedath


log4jscanwin's Issues

Unix Version

Do you have a script that can be used on the Linux / Unix platforms?

Issue with a false positive on log4j-1.2-api-2.17.1.jar files

Would it be possible to exclude the file log4j-1.2-api-2.17.1.jar from being flagged as vulnerable to CVE-2021-4104?
I believe it is being flagged because of "log4j-1.2", but this file is in the latest version of Log4j.

Here is the output message:
Log4j Found: 'C:\Program Files (x86)*\log4j-1.2-api-2.17.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.17.1, JNDI Class: NOT Found, Log4j Vendor: log4j-1.2-api, Log4j Version: 2.17.1, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )

Thanks!

How can I get a report?

I use the /scan /report and /report_pretty parameters and I'm not sure where the report of the CVEs goes; it's not in the ProgramData directory.

Rescan Function

Could a command switch be added to rescan the results of log4j_findings.out?

Example: (/rescan)
Log4jScanner.exe /rescan /report_sig

This would only extract the paths from the original Log4jScanner data from c:\ProgramData\Qualys\log4j_findings.out
and check those files.

This would save time in not having the tool scan the entire host again and provide updated results back to c:\ProgramData\Qualys\log4j_findings.out and have the Qualys Agent pick up the new data.

Thoughts?

Add ISO support

Hello,

How about adding support for checking inside ISO files?
I understand that verification in this case may take longer.
You can add ISO verification as a separate option.

Thank you.

No Summary after Errors

Hi Rom,

thank you for your Script.

My issue is:

I start the Log4jscanner.exe in an elevated Powershell .\log4jscanner.exe /scan /report_sig

My output is:

Scan start time : 2021-12-22T11:22:07+0100
Scan end time : 2021-12-22T11:22:12+0100
Run status : Partially Successful
Result file location : C:\ProgramData\Qualys\log4j_findings.out
Errors :
Failed to process directory 'C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Configuration\' (rv: 5)

...

But no summary at the end. Errors are ok for protected folders. When I run without /report_sig, then its ok for me with:

Qualys Log4j Vulnerability Scanner 1.2.18.0
https://www.qualys.com/
Supported CVE(s): CVE-2021-4104, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Scanning Local Drives...

Scan Summary:
        Scan Date:                       2021-12-22T11:22:45+0100
        Scan Duration:                   4 Seconds
        Files Scanned:                   276708
        Directories Scanned:             62943
        JAR(s) Scanned:                  2
        WAR(s) Scanned:                  0
        EAR(s) Scanned:                  0
        ZIP(s) Scanned:                  66
        Vulnerabilities Found:           0

In your example it looks like there should be a detailed list of vulnerabilities and signatures and, at the end, the summary. That would be helpful, because all the information from the screen is written into our RMM database, where we can process it further.

Thank you in advance.

Kind Regards,

Udo

Question: encoding problem when GenerateJSONReport function is used

I would have question regarding GenerateJSONReport function. You are using RapidJson module for your project where we observed that many of filepaths in json reports generated by scanner are not showing special characters properly.

Lets take this string as an example: APPLICAÇÕES

When I use RapidJson module alone and I feed string buffer directly, results are shown as expected.

But when whole scanner is used and this string is in filepath, report will provide different set of characters instead of Ç and Õ.

Is this intended?

Scan finds issue - remediate finds none

Please help me see why:

Scan finds vulnerabilities, but remediate shows nothing.

Log4jScanner.exe /scan /report_sig
scanEngine: 2.1.2.0
scanHostname: Lenovo056.domain.com
scanDate: 2022-01-11T17:26:42-0500
scanDurationSeconds: 101
scanErrorCount: 47
scanStatus: Partially Successful
scanFiles: 539795
scannedDirectories: 187017
scannedCompressed: 1332
scannedJARS: 530
scannedWARS: 0
scannedEARS: 0
scannedTARS: 1
.........
vulnerabilitiesFound: 7


REMEDIATE Command results in empty log4j_remediate.out and not reported mediated files. Please help me see why I'm not able to remediate found vulnerable files.

Log4jRemediate.exe /remediate_sig
Remediation start time : 2022-01-11T17:34:17-0500
Remediation end time : 2022-01-11T17:34:17-0500
Run status : Success
Result file location : C:\ProgramData\Qualys\log4j_remediate.out

Getting errors when running with /report_sig

C:\Users\Administrator\Downloads\Log4jScanner-1.2.18\Log4jScanner\x64>Log4jScanner.exe /scan /report_sig
Scan start time : 2021-12-31T01:45:20-0800

Scan end time : 2021-12-31T01:45:45-0800
Run status : Partially Successful
Result file location : C:\ProgramData\Qualys\log4j_findings.out
Errors :
Failed to process directory 'C:\ProgramData\Microsoft\Diagnosis\FeedbackHub' (rv: 5)
Failed to process directory 'C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage' (rv: 5)
Failed to process directory 'C:\ProgramData\Microsoft\Windows\SystemData' (rv: 5)
Failed to process directory 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cache' (rv: 5)
Failed to process directory 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber' (rv: 5)
Failed to process directory 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Trace' (rv: 5)
Failed to process directory 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection' (rv: 5)
Failed to process directory 'C:\System Volume Information' (rv: 5)
Failed to process directory 'C:\Windows\System32\LogFiles\WMI\RtBackup' (rv: 5)

exclude multiple directories from scan

Excluding a single directory from the scan works fine with below command:

Log4jScanner.exe /scan /exclude_directory "C:\$Recycle.Bin\"

However when I try to exclude multiple directories from the scan, it fails:

Log4jScanner.exe /scan /exclude_directory "C:\$Recycle.Bin\" /exclude_directory "C:\Users\"

In the latter case, the C:\$Recycle.Bin\ directory is being scanned again as well as the C:\Users\ directory.
It would be very helpful to exclude multiple directories from the scan as the recycle bin from different volumes would need to be excluded as well as the users home directories.

Thanks in advance!

Allow run of /report and /report_sig together

Hello,

Right now, if we want JSON data and also data for Qualys agent, we would need to run same scan 2 times. Can you please allow us to run one scan, which will return JSON data, but also will create signature file for Qualys agent?

Thank you

Log4JScanner does not scan mountpoints

I noticed the scanner is skipping NTFS mount points.

Added a function to scan drives including mount points; see the pull request. The code was tested on Windows 2008/2012/2016/2019 servers. I did not include a check for whether the partition is NTFS (C++ skills are rusty after 10+ years of not coding anything in C++ ;)).

Feature Request

Would it be possible to include the host name in the output of log4j_findings.out?

Thanks.

Scan Results Not getting saved

When we run this scanner locally, it's automatically getting closed after completion. Therefore, we are not able to view/save results. Can someone confirm where these results are stored?

report_pretty switch shows nothing regardless of the scan results

Hello,
Great scanner, but I have noticed that /report_pretty switch shows nothing regardless of the scan results in Log4jScanner version 2.1.3.0.
Log4jScanner.exe /scan /report
works as expected and shows report in JSON.
Log4jScanner.exe /scan /report_pretty
shows nothing.

CVE-2021-4104 QID

Hello, are we able to get a new QID that will pick up CVE-2021-4104 when using the out of band scanner?

From the example readme file:
Log4j Found: 'D:\Temp\log4j-1.2.17.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )
Log4j Found: 'D:\Temp\log4j-1.2.17.zip!apache-log4j-1.2.17/log4j-1.2.17.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )

When the out of band scanner runs and the Qualys agent picks up the out of band scan data from the host, CVE-2021-4104 is being listed under QIDs 376193, 376160, 376195, 376210, which have a different CVE associated with them.

Example:

Can we get a new QID created specifically for CVE-2021-4104 utilizing the out of band scanner?

Thank you

Commit https://github.com/Qualys/log4jscanwin/commit/d7b27613f717027e244498892cc530f754560c0c breaks the /lowpriority switch on 64-bit systems.

Commit d7b2761 breaks the /lowpriority switch on 64-bit systems.

With version 2.0.2.4 the Log4jscanner process is running under below normal CPU priority, which is fine, but I/O priority is normal (you can check easily with Sysinternals Process Explorer) on 64-bit systems. Before this change, CPU was running with low priority and I/O with very low priority on 64-bit systems.

I see this change was made to support 32-bit systems. Currently every 32-bit Windows Server operating system is out of support but Win7 and 32-bit Windows 10 is still supported. Pull request #37 fixes this.

I'm also sure reports won't be written on some 32-bit operating systems (Windows 2003 and WinXP) because the system variable %PROGRAMDATA% is not supported/available on these operating systems:

constexpr wchar_t* qualys_program_data_location = L"%ProgramData%\\Qualys";

Feature-Request: Throttling

Hey,

Understand this team probably has a lot to work on, and I am not sure how hard this would be to do, but is there any kind of throttle we can pull? Seeing some of our systems having slowness issues while this is running.

Thank you

log4jscanwin utility is not compatible with 64 bit

Hi Qualys Team,

The log4jscanwin utility is not compatible with Win 64 bit. I ran it on W10 64 bit:

C:<>\log4jscanwin-master\log4jscanwin-master>Log4jScanner.exe /scan /report_sig
This version of C:\Rajesh\log4jscanwin-master\log4jscanwin-master\Log4jScanner.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

Thanks,

network_scan option does not find any network drives

I ran into this issue on Windows 10 Pro x64, but also on a few different Windows Server OSes.

If you pass the /scan_network parameter to Log4JScanner-2.1.2.0, it simply returns the following:

Log4jScanner.exe /scan_network /verbose
Qualys Log4j Vulnerability Scanner 2.1.2.0
https://www.qualys.com/
Dependencies: minizip/1.1 zlib/1.2.11, bzip2/1.0.8
Supported CVE(s): CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105

Known TAR Extensions : .tar
Known GZIP TAR Extensions : .tgz, .tar.gz
Known BZIP TAR Extensions : .tbz, .tbz2, .tar.bz, .tar.bz2
Known ZIP Extensions : .zip, .jar, .war, .ear, .par, .kar, .sar, .rar, .jpi, .hpi, .apk

Scanning Network Drives...

Scan Summary:
Scan Date: 2022-01-28T08:36:29-0800
Scan Duration: 0 Seconds
Scan Error Count: 0
Scan Status: Success
Files Scanned: 0
Directories Scanned: 0
Compressed File(s) Scanned: 0
JAR(s) Scanned: 0
WAR(s) Scanned: 0
EAR(s) Scanned: 0
TAR(s) Scanned: 0
Vulnerabilities Found: 0

Looking through the code, it looks like the ScanNetworkDrives method on line 634 of Scanner.cpp is using the same logic to get the drive type as ScanLocalDrives is, but it is only returning local drives.

Add detection for CVE-2021-4104?

Can coverage for CVE-2021-4104 be added to this script? That would force a detection for old 1.x log4j versions which weren't vulnerable to the previous CVEs. I suppose there should technically be a different QID issued for that too, but one hasn't yet been announced...

Out Of Memory (C++ Exception)

I have multiple PCs that are throwing this. I had been using 1.2.19.0. I tried with 2.0.2.4 and get the same results. I've run it both with and without /lowpriority. I restarted the PC before running. No .OUT file is created. I've saved the minidump file, if it is needed.

PC Info per WMIC:

Model                  TotalPhysicalMemory
Precision 3650 Tower   34067255296

DeviceID  DriveType  FreeSpace     ProviderName  Size           VolumeName
C:        3          885631496192                1021365448704  OS

STATUS.TXT

Scan Start: 2022-01-06T04:53:57-0500
Run status : Failed

Unhandled Exception Detected - Reason: Out Of Memory (C++ Exception) (0xe06d7363) at address 0x00007FF9C24B4F69

Creating minidump file C:\ITSTemp\01062022501400153.mdmp with crash details.

Exclude from scan parameter

Discussed in #41

Originally posted by toracigno January 7, 2022
Would it be possible to add a parameter to exclude certain disks\folders\files from the scan? This could allow us to avoid scanning huge data folders.

Thanks!

QID 376160 not logged in Qualys console

Hello Qualys team,

We performed some Log4jScanner.exe /scan /report_sig runs with LOG4J vulnerable detections, but after running Qualys agent scans, in the console, I do not have QID 376160 listed despite detections from the utility.

Any recommandations?

Thank you

Ran New Scan Still No Detections For QID 376160

Hello,

This is the same as the previous issue. We ran the new version of the scan and we still see no detections on QID 376160 despite output files being present listing vulnerable log4j.
