Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive detection for CVE-2021-44228 #280

Open
greg-michael opened this issue Feb 17, 2022 · 1 comment
Open

False positive detection for CVE-2021-44228 #280

greg-michael opened this issue Feb 17, 2022 · 1 comment
Assignees
@xeraph
Labels
discussion question or suggestion

Comments

@greg-michael
Copy link

A vendor-provided JAR file - which has been patched by the vendor - is being scanned and is reporting vulnerable to CVE-2021-44228.

Can you provide the exact criteria that would trigger the scanner to report CVE-2021-44228 vulnerabilities in a JAR? I'd like to pass this along to the vendor so that they can confirm the false positive. Since it's a vendor-provided file, I don't know that I can provide it to you for testing without written permission from the vendor.
@xeraph xeraph self-assigned this Feb 17, 2022
@xeraph xeraph added the discussion question or suggestion label Feb 17, 2022
@xeraph
Copy link
Contributor

xeraph commented Feb 17, 2022
edited
Loading

@greg-michael

TL;DR - If scanner detects Log4j version, it is very unlikely to return a false positive.

  1. First of all, scanner tries to detect if log4j exists.
    • If META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties exists, scanner can read exact log4j 2 version from that manifest file.
    • If org/apache/logging/log4j/core/lookup/JndiLookup.class found, then JAR contains log4j 2 library even if pom.properties does not exist.
    • Some applications doesn't embed log4j 2 as is. For example, newrelic renamed package name from org.apache.logging.log4j.core to com.newrelic.agent.deps.org.apache.logging.log4j.core. It is called 'shaded library'. To detect shaded libary, scanner tries to find zip entry which ends with /log4j/core/lookup/JndiLookup.class.
    • Scanning is performed recursively. A JAR file can contain JAR files, and those also can contain JAR files.
  2. Detect log4j version.
    • As I said above, scanner can read exact log4j version from pom.properties.
    • If JAR doesn't contain pom.properties, then scanner tries to determine log4j version using MD5 hashes.
  3. Report vulnerable Log4j
    • Safe versions are 2.17.1 (for jdk8+) or 2.12.4 (for jdk7) or 2.3.2 (for jdk6)
    • If scanner detects Log4j version, then it is very unlikely to return a false positive.
    • If scanner cannot detect Log4j version, it report CVE-2021-44228 with potentially vulnerable mark (starts with [?])

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@xeraph xeraph

Labels
discussion question or suggestion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@xeraph @greg-michael