From e46eda2639ba5a436db2a78040476e98b3ec70ab Mon Sep 17 00:00:00 2001
From: xeraph
Date: Sun, 26 Dec 2021 23:35:34 +0900
Subject: [PATCH] Do not detect log4j 2.3.1 and 2.12.3 as vulnerable, v2.6.3
---
 README.md | 16 ++++++++--------
 pom.xml | 2 +-
 .../java/com/logpresso/scanner/Detector.java | 9 +++++++++
 .../com/logpresso/scanner/Log4j2Scanner.java | 4 ++--
 .../com/logpresso/scanner/Log4jScannerTest.java | 10 +++------
 .../{log4j2 => log4j2-ok}/log4j-core.2.12.3.jar | Bin
 6 files changed, 23 insertions(+), 18 deletions(-)
 rename src/test/resources/{log4j2 => log4j2-ok}/log4j-core.2.12.3.jar (100%)
diff --git a/README.md b/README.md
index fe4ac34..719df4b 100644
--- a/README.md
+++ b/README.md
@@ -3,16 +3,16 @@ log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities. ### Download -* [log4j2-scan 2.6.2 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.2/logpresso-log4j2-scan-2.6.2-win64.7z) -* [log4j2-scan 2.6.2 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.2/logpresso-log4j2-scan-2.6.2-win64.zip) +* [log4j2-scan 2.6.3 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.3/logpresso-log4j2-scan-2.6.3-win64.7z) +* [log4j2-scan 2.6.3 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.3/logpresso-log4j2-scan-2.6.3-win64.zip) * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170). * If native executable doesn't work, use the JAR instead. 32bit is not supported. * 7zip is available from www.7zip.org, and is open source and free. 
-* [log4j2-scan 2.6.2 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.2/logpresso-log4j2-scan-2.6.2-linux.tar.gz) -* [log4j2-scan 2.6.2 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.2/logpresso-log4j2-scan-2.6.2-linux-aarch64.tar.gz) +* [log4j2-scan 2.6.3 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.3/logpresso-log4j2-scan-2.6.3-linux.tar.gz) +* [log4j2-scan 2.6.3 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.3/logpresso-log4j2-scan-2.6.3-linux-aarch64.tar.gz) * If native executable doesn't work, use the JAR instead. 32bit is not supported. -* [log4j2-scan 2.6.2 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.2/logpresso-log4j2-scan-2.6.2-darwin.zip) -* [log4j2-scan 2.6.2 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.2/logpresso-log4j2-scan-2.6.2.jar) +* [log4j2-scan 2.6.3 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.3/logpresso-log4j2-scan-2.6.3-darwin.zip) +* [log4j2-scan 2.6.3 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.3/logpresso-log4j2-scan-2.6.3.jar) ### Build * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image) @@ -22,7 +22,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress Usage ``` -Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.2 (2021-12-26) +Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.3 (2021-12-27) Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2 -f [config_file_path] 
@@ -104,7 +104,7 @@ On Linux ``` On UNIX (AIX, Solaris, and so on) ``` -java -jar logpresso-log4j2-scan-2.6.2.jar [--fix] target_path +java -jar logpresso-log4j2-scan-2.6.3.jar [--fix] target_path ``` If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option. diff --git a/pom.xml b/pom.xml index cbca773..7261a80 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ 4.0.0 com.logpresso log4j2-scanner - 2.6.2 + 2.6.3 jar Logpresso Log4j2 Scanner diff --git a/src/main/java/com/logpresso/scanner/Detector.java b/src/main/java/com/logpresso/scanner/Detector.java index 625073b..3a7aaca 100644 --- a/src/main/java/com/logpresso/scanner/Detector.java +++ b/src/main/java/com/logpresso/scanner/Detector.java @@ -387,6 +387,15 @@ private String loadLogbackVersion(InputStream is) throws IOException { } private boolean isVulnerableLog4j2(Version v) { + // according to 2021-12-22 update + // Upgrade to Log4j 2.12.3 for Java 7 + if (v.getMajor() == 2 && v.getMinor() == 12 && v.getPatch() >= 3) + return false; + + // Upgrade to Log4j 2.3.1 for Java 6 + if (v.getMajor() == 2 && v.getMinor() == 3 && v.getPatch() >= 1) + return false; + // 2.12.2 has CVE-2021-45105 return v.getMajor() == 2 && v.getMinor() < 17; } diff --git a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java index b068b2f..ae278b0 100644 --- a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java +++ b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java 
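Review bot: Both new guards repeat the `v.getMajor() == 2` test that the final return performs again, and the comment `according to 2021-12-22 update` does not say what the 2.12.3 and 2.3.1 floors mean, so a reader cannot tell from the code alone why `>=` is the intended comparison for later patch releases of those branches. Hoisting the major check and switching on the minor version keeps each branch's patch floor in one place, and a comment such as `// 2021-12-22 update: 2.12.3 (Java 7) and 2.3.1 (Java 6) are the fixed releases of the older branches; earlier 2.12.x / 2.3.x stay vulnerable (2.12.2 has CVE-2021-45105)` records what the commit message knows. The restructured method below returns the same result as the hunk for every input; isVulnerableLog4j2 is complete within the hunk, and which CVE is reported for a flagged version is decided outside it.
```java
private boolean isVulnerableLog4j2(Version v) {
    if (v.getMajor() != 2)
        return false;

    // 2021-12-22 update: 2.12.3 (Java 7) and 2.3.1 (Java 6) are the fixed releases
    // of the older branches; earlier 2.12.x / 2.3.x stay vulnerable
    // (2.12.2 has CVE-2021-45105).
    switch (v.getMinor()) {
    case 12:
        return v.getPatch() < 3;
    case 3:
        return v.getPatch() < 1;
    default:
        return v.getMinor() < 17;
    }
}
```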
@@ -23,8 +23,8 @@ import com.logpresso.scanner.utils.ZipUtils; public class Log4j2Scanner { - public static final String VERSION = "2.6.2"; - public static final String RELEASE_DATE = "2021-12-26"; + public static final String VERSION = "2.6.3"; + public static final String RELEASE_DATE = "2021-12-27"; public static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner " + VERSION + " (" + RELEASE_DATE + ")"; private static final boolean isWindows = File.separatorChar == '\\'; diff --git a/src/test/java/com/logpresso/scanner/Log4jScannerTest.java b/src/test/java/com/logpresso/scanner/Log4jScannerTest.java index a07f832..6b09446 100644 --- a/src/test/java/com/logpresso/scanner/Log4jScannerTest.java +++ b/src/test/java/com/logpresso/scanner/Log4jScannerTest.java @@ -27,8 +27,8 @@ public void scanVariousVersions_log4j2() throws Exception { assertEquals(1, returnCode); String log = systemOutRule.getLog(); - assertTrue(log.contains("Scanned 1 directories and 9 files")); - assertTrue(log.contains("Found 7 vulnerable files")); + assertTrue(log.contains("Scanned 1 directories and 8 files")); + assertTrue(log.contains("Found 6 vulnerable files")); assertTrue(log.contains("Found 1 potentially vulnerable files")); assertTrue(log.contains("Found 0 mitigated files")); @@ -41,8 +41,6 @@ public void scanVariousVersions_log4j2() throws Exception { assertTrue(pattern.matcher(log).find()); pattern = getPattern_log4j2("CVE-2021-44228", "loggingBuddies.war (log4j-core-2.12.1.jar)", "2.12.1", false); assertTrue(pattern.matcher(log).find()); - pattern = getPattern_log4j2("CVE-2021-44228", "loggingBuddies.war (log4j-core.2.12.3.jar)", "2.12.3", false); - assertTrue(pattern.matcher(log).find()); pattern = getPattern_log4j2("CVE-2021-44228", "loggingBuddies.war (log4j-core.2.14.0.jar)", "2.14.0", false); assertTrue(pattern.matcher(log).find()); pattern = getPattern_log4j2("CVE-2021-45046", "loggingBuddies.war (log4j-core.2.15.0.jar)", "2.15.0", false); 
@@ -51,8 +49,6 @@ public void scanVariousVersions_log4j2() throws Exception {
 assertTrue(pattern.matcher(log).find());
 pattern = getPattern_log4j2("CVE-2021-44228", "log4j-core-2.15.0_potentially.jar", "N/A", true);
 assertTrue(pattern.matcher(log).find());
- pattern = getPattern_log4j2("CVE-2021-44228", "log4j-core.2.12.3.jar", "2.12.3", false);
- assertTrue(pattern.matcher(log).find());
 pattern = getPattern_log4j2("CVE-2021-44228", "log4j-core.2.14.0.jar", "2.14.0", false);
 assertTrue(pattern.matcher(log).find());
 pattern = getPattern_log4j2("CVE-2021-45105", "log4j-core.2.16.0.jar", "2.16.0", false);
@@ -65,7 +61,7 @@ public void scanSafeVersion_log4j2() throws Exception {
 int returnCode = scanner.run(new String[] { getTestFiles("log4j2-ok") });
 assertEquals(0, returnCode);
 String log = systemOutRule.getLog();
- assertTrue(log.contains("Scanned 1 directories and 1 files"));
+ assertTrue(log.contains("Scanned 1 directories and 2 files"));
 assertTrue(log.contains("Found 0 vulnerable files"));
 assertTrue(log.contains("Found 0 potentially vulnerable files"));
 assertTrue(log.contains("Found 0 mitigated files"));
diff --git a/src/test/resources/log4j2/log4j-core.2.12.3.jar b/src/test/resources/log4j2-ok/log4j-core.2.12.3.jar
similarity index 100%
rename from src/test/resources/log4j2/log4j-core.2.12.3.jar
rename to src/test/resources/log4j2-ok/log4j-core.2.12.3.jar
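Review bot: The scanSafeVersion_log4j2 change pins the 2.12.3 exemption only through aggregate counts (`Scanned 1 directories and 2 files`, `Found 0 vulnerable files`), and nothing in the visible assertions covers the second new exemption, 2.3.1, or the releases just below both floors (2.3.0, 2.12.2), which the new Detector code must still flag. A 2.3.1 fixture under log4j2-ok and 2.3.0 / 2.12.2 fixtures under log4j2, each with an explicit `getPattern_log4j2` expectation, would exercise both guards in Detector.isVulnerableLog4j2 rather than only the file count; I cannot see from the hunk whether such jars already exist elsewhere in the resources. The -27 and -41 hunks of this file drop the old 2.12.3 expectations for the same reason and would be covered by the same fixtures.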