From dbc7de0aa0e64054267fc66a8114b45791e0207e Mon Sep 17 00:00:00 2001 From: xeraph Date: Mon, 14 Feb 2022 01:01:25 +0900 Subject: [PATCH] Added --report-patch option for safe version detection, Added reload4j md5 hashes. v3.0.1 --- README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5ca5359..55b37f4 100644 --- a/README.md +++ b/README.md @@ -6,16 +6,16 @@ log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerabilit You can integrate log4j2-scan with [Logpresso Watch](https://logpresso.watch) service for reporting and patch management. Visit https://logpresso.watch for details. ### Download -* [log4j2-scan 3.0.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-win64.7z) -* [log4j2-scan 3.0.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-win64.zip) +* [log4j2-scan 3.0.1 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-win64.7z) +* [log4j2-scan 3.0.1 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-win64.zip) * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170). * If native executable doesn't work, use the JAR instead. 32bit is not supported. * 7zip is available from www.7zip.org, and is open source and free. -* [log4j2-scan 3.0.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-linux.tar.gz) -* [log4j2-scan 3.0.0 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-linux-aarch64.tar.gz) +* [log4j2-scan 3.0.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-linux.tar.gz) +* [log4j2-scan 3.0.1 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-linux-aarch64.tar.gz) * If native executable doesn't work, use the JAR instead. 32bit is not supported. -* [log4j2-scan 3.0.0 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0-darwin.zip) -* [log4j2-scan 3.0.0 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.0/logpresso-log4j2-scan-3.0.0.jar) +* [log4j2-scan 3.0.1 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1-darwin.zip) +* [log4j2-scan 3.0.1 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v3.0.1/logpresso-log4j2-scan-3.0.1.jar) ### Build * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image) @@ -46,7 +46,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress Usage ``` -Logpresso CVE-2021-44228 Vulnerability Scanner 3.0.0 (2022-02-11) +Logpresso CVE-2021-44228 Vulnerability Scanner 3.0.1 (2022-02-13) Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2 -f [config_file_path] @@ -112,6 +112,8 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2 Generate log4j2_scan_report_yyyyMMdd_HHmmss.csv in working directory if not specified otherwise via --report-path [path] --report-json Generate log4j2_scan_report_yyyyMMdd_HHmmss.json in working directory if not specified otherwise via --report-path [path] +--report-patch + Report also patched log4j file. --report-path Specify report output path including filename. Implies --report-csv. --report-dir @@ -146,7 +148,7 @@ On Linux ``` On UNIX (AIX, Solaris, and so on) ``` -java -jar logpresso-log4j2-scan-3.0.0.jar [--fix] target_path +java -jar logpresso-log4j2-scan-3.0.1.jar [--fix] target_path ``` If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option.