
Simple test using sample files outputs no status #66

Open
donmontalvo opened this issue Dec 22, 2021 · 10 comments

Comments

@donmontalvo

donmontalvo commented Dec 22, 2021

Testing sample files, getting strange "Not actually a zip!?! (no magic number)" line endings, instead of status:

testuser:log4j-detector testuser$ java -jar log4j-detector-2021.12.20.jar ./test-files/
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-1.1.3.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-1.2.17.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.0-beta2.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.0-beta9.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.10.0.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.10.0.zip - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.15.0.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.9.1.jar - Not actually a zip!?! (no magic number)
-- No vulnerable Log4J 2.x samples found in supplied paths: [./test-files/]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046 ! :-)
testuser:log4j-detector testuser$

@juliusmusseau
Contributor

juliusmusseau commented Dec 22, 2021

How did you get the test-files?

I am maintaining a collection of test-files here, too, by the way: https://github.com/mergebase/log4j-samples

@donmontalvo
Author

Downloaded from your repo. :)

@rgmz

rgmz commented Dec 22, 2021

@donmontalvo Can you provide some more information about your setup? I can't reproduce this with either 2021.12.20 or 2021.12.22.

$ git clone https://github.com/mergebase/log4j-samples.git
$ java -jar log4j-detector-2021.12.20.jar log4j-samples/
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
/tmp/log4j-samples/false-hits/exploded/2.12.2/org/apache/logging/log4j contains Log4J-2.x   >= 2.12.2 _SAFE_
/tmp/log4j-samples/false-hits/log4j-core-2.12.2.jar contains Log4J-2.x   >= 2.12.2 _SAFE_
/tmp/log4j-samples/false-hits/log4j-core-2.16.0.jar contains Log4J-2.x   == 2.16.0 _OKAY_
/tmp/log4j-samples/old-hits/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_
/tmp/log4j-samples/old-hits/log4j-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_
/tmp/log4j-samples/old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.x   <= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)
/tmp/log4j-samples/true-hits/exploded/2.12.1/org/apache/logging/log4j contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.10.0.zip contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.15.0.jar contains Log4J-2.x   == 2.15.0 _OKAY_
/tmp/log4j-samples/true-hits/log4j-core-2.9.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
/tmp/log4j-samples/true-hits/shaded/clt-1.0-SNAPSHOT.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.zip!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/uber/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_

@juliusmusseau
Contributor

juliusmusseau commented Dec 22, 2021

Did you click on them before downloading them?

I've noticed a problem with Github where people right-click the "file-1.2.3.jar" links like this: "https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar". It seems to download as a jar file, but it's not. It's an html file.

It's important when downloading to make sure the URL has the word "/raw/" in it, like so:

https://github.com/mergebase/log4j-samples/raw/master/true-hits/log4j-core-2.15.0.jar

@rgmz

rgmz commented Dec 22, 2021

> I've noticed a problem with Github where people right-click download links like this: "https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar". It seems to download as a jar file, but it's not. It's an html file.

I think you're right:

$ java -jar log4j-detector-2021.12.20.jar log4j-core-2.15.0.jar 
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Problem: /tmp/log4j-core-2.15.0.jar - Not actually a zip!?! (no magic number)
-- No vulnerable Log4J 2.x samples found in supplied paths: [log4j-core-2.15.0.jar]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046 !  :-) 

@donmontalvo
Author

I always click the URL to be taken to the downloadable jar file. No different from what I did with previous versions. Seems to be working now.

@donmontalvo
Author

Spoke too soon. It's giving strange output on ZIP files.

[image]

@rgmz

rgmz commented Dec 22, 2021

> Spoke too soon. It's giving strange output on ZIP files.

I think that's related to #56

@juliusmusseau
Contributor

Try right-click downloading this: https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar (it will be corrupt).

Whereas if you left-click on it, you arrive here:

[image]

From there you can right-click the little [Download] button on the far right, and then it works.

Are you able to open up the corrupt files you downloaded using zip? Or "vi" (which should show html). Or hexdump?
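The check the thread converges on (is the downloaded "jar" really a zip, or a saved GitHub HTML page?) as an added Python example; this is not code from log4j-detector or log4j-samples, and the sample files it builds are constructed stand-ins, not the real log4j jars. It applies the same leading-bytes test the detector's "no magic number" message refers to, and for genuine archives also reports whether a JndiLookup.class entry is present, which is the question the detector's "_POTENTIALLY_SAFE_" line asks.

```python
"""Triage for 'Not actually a zip!?! (no magic number)': is a downloaded .jar a zip or an HTML page?"""
import tempfile
import zipfile
from pathlib import Path

# Zip local-file-header signature, plus the empty-archive and spanned-archive variants.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def classify(path):
    """Return 'zip', 'html' or 'other' from the leading bytes (the first check the detector applies)."""
    head = Path(path).read_bytes()[:512]
    if head[:4] in ZIP_SIGNATURES:
        return "zip"
    if head.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "html"  # a GitHub 'blob' page saved under a .jar filename
    return "other"


def has_jndi_lookup(path):
    """For a genuine zip/jar, report whether JndiLookup.class is present (nested jars are not opened)."""
    with zipfile.ZipFile(path) as zf:
        return any(name.endswith("/lookup/JndiLookup.class") for name in zf.namelist())


def make_samples():
    """Constructed inputs (not the real log4j-samples): an HTML page saved as .jar and two tiny jars."""
    d = Path(tempfile.mkdtemp())
    html = d / "log4j-core-2.10.0.jar"  # what a right-click on the blob URL produces
    html.write_bytes(b'<!DOCTYPE html>\n<html lang="en"><head><title>blob</title></head></html>\n')
    with_lookup = d / "with-jndilookup.jar"
    with zipfile.ZipFile(with_lookup, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"")  # empty placeholder entry
    without_lookup = d / "without-jndilookup.jar"
    with zipfile.ZipFile(without_lookup, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    return {"html": html, "with_lookup": with_lookup, "without_lookup": without_lookup}


def triage(path):
    """One-line verdict per file, analogous to the '-- Problem:' line the detector prints for non-zips."""
    kind = classify(path)
    if kind != "zip":
        return f"{path} - not a zip ({kind}); re-download via the /raw/ URL or the Download button"
    return f"{path} - zip; JndiLookup.class present: {has_jndi_lookup(path)}"


if __name__ == "__main__":
    for sample in make_samples().values():
        print(triage(sample))
```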

@donmontalvo
Author

That's where I go to download the file, using the Download button.
