
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability

Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Description

Scan and patch tool for CVE-2021-44228 and related log4j concerns.

Readme
<img src="images/logo-svg.svg#gh-light-mode-only" width="62%">
<img src="images/logo-svg-dark.svg#gh-dark-mode-only" width="62%">

# A Log4J2 CVE-2021-44228 Vulnerability Scanner and Patcher

Links to download the latest version:

| Linux x64 with glibc2.17+ (RHEL7+)                                                                   | Windows & all other platforms                                                                             |
|------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|
| [Download Linux binary](https://github.com/sassoftware/loguccino/releases/latest/download/loguccino) | [Download Java .jar](https://github.com/sassoftware/loguccino/releases/latest/download/loguccino-all.jar) |  

> 🚑 Note: SAS customers looking to patch their SAS 9.4 or SAS Viya 3.x deployments should **follow the specific instructions provided in the [SAS Help Center documentation](https://go.documentation.sas.com/doc/en/log4j/1.0/p1pymcg1f06injn10rho5mkmmhe4.htm).**

## What is this

This project is an early fork of [logpresso/CVE-2021-44228-Scanner](https://github.com/logpresso/CVE-2021-44228-Scanner), initially modified to recursively inspect archives and to add support for tar/gz compression. Since the fork, the project has evolved in parallel to the original and implements many similar features, even though the majority of the code has been rewritten. While the original 'fix' functionality has been replaced with a `patch` method that supports some deeply nested edge cases and is more tolerant of failure and rollback, the detection mechanism (the `scan` command) continues to work in a very similar way to the original.

## How do I get it

You can download a version of the tool from the [Releases page](https://github.com/sassoftware/loguccino/releases/latest) or by following the links at the top of this page. The [native image](https://github.com/sassoftware/loguccino/releases/latest/download/loguccino) is a standalone executable that will run on EL7 and later. The [jar file](https://github.com/sassoftware/loguccino/releases/latest/download/loguccino-all.jar) can be run with `java -jar` on JRE 1.8+. This is currently the best way to run the tool on other platforms and on older releases of glibc (including Windows, AIX, Solaris, etc.).

After downloading the native image it's necessary to `chmod +x` the file before it can be run.

## How do I use it

The command syntax is the same regardless of whether you call the .jar or the native executable. For example, this:

```
./loguccino help
```

is functionally identical to this:

```
java -jar ./loguccino-all.jar help
```

The `loguccino help` command provides documentation on commands that are available.

### Scanning for vulnerable .jars

```
./loguccino scan /path/to/approot 
```

This will traverse all subdirectories in `/path/to/approot`, including recursively traversing all nested .tar.gz, .tgz, .tar, .zip, .ear, .war and .jar archives.

A .csv file by the name of `loguccino-scan-[datetime].csv` will be created in the working directory, containing the following data:

- **AffectedFile** is the full path on the filesystem to the file that was found to contain the vulnerability. Example value:
  `/opt/sas/config/Lev1/Web/Staging/sas.webreportstudio4.4.21w47AIX.ear/install/deploy/21w47SASConfig/Lev5/Web/Staging/sas.webreportstudio4.4.21w47AIX.ear`
- **NestedPath** is the path within the archived file where the vulnerability was found; each `::` separates one level of archive nesting. For example, here the log4j-core-2.1.jar file was found in the WRS .war archive, which is packaged inside the .ear archive (the AffectedFile above):
  `opt/sas/config/Lev1/Web/Staging/sas.webreportstudio4.4.21w47AIX.ear::sas.webreportstudio.war::WEB-INF/lib/log4j-core-2.1.jar`
- **AffectedVersion** is the version of Log4J that was found within the affected file on the nested path.
- **Patched** signifies whether this instance of this vulnerable Log4J jar within this archive has already been patched.

More information about the scan command is available via `./loguccino help scan`.
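As an added illustration of the nested-archive traversal the scan command performs (example code written for this page, not loguccino's own): it walks a constructed `.tgz -> .ear -> .war -> .jar` chain, builds the `::` NestedPath, applies the advisory's affected-version range, and records corrupted nested archives instead of aborting. Assumptions: a log4j-core jar is recognised by its `log4j-core-<version>.jar` file name, and it counts as patched when `JndiLookup.class` is absent.

```python
import io, re, tarfile, zipfile

ZIP_EXT = (".jar", ".war", ".ear", ".zip")
TAR_EXT = (".tar", ".tar.gz", ".tgz")
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # assumed absent once patched
SAFE = {"2.12.2", "2.12.3", "2.3.1"}  # security releases the advisory excludes
LOG4J = re.compile(r"log4j-core-([^/:]+)\.jar$")  # version read from the jar's file name

def affected(version):  # advisory range: 2.0-beta9 through 2.15.0, minus SAFE
    m = re.match(r"2\.(\d+)(?:\.\d+)?(?:-(beta|rc)(\d+))?$", version)
    if not m or version in SAFE:
        return False
    return (m[1] == "0" and int(m[3]) >= 9) if m[2] == "beta" else int(m[1]) <= 15

def scan_bytes(data, path, found, corrupt):
    """Walk one archive blob, recursing into nested ones; `::` joins the NestedPath chain."""
    try:
        if path.lower().endswith(ZIP_EXT):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if (m := LOG4J.search(path)) and affected(m[1]):
                    found.append((path, m[1], JNDI not in zf.namelist()))  # (.., version, patched)
                for i in zf.infolist():
                    if i.filename.lower().endswith(ZIP_EXT + TAR_EXT):
                        scan_bytes(zf.read(i), f"{path}::{i.filename}", found, corrupt)
        elif path.lower().endswith(TAR_EXT):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for t in tf:
                    if t.isfile() and t.name.lower().endswith(ZIP_EXT + TAR_EXT):
                        scan_bytes(tf.extractfile(t).read(), f"{path}::{t.name}", found, corrupt)
    except (zipfile.BadZipFile, tarfile.TarError):
        corrupt.append(path)  # reported separately, as under "Known issues" above

def make_zip(entries):
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()

def scan_sample():
    war = make_zip({  # constructed sample: app.tgz -> backup/app.ear -> app.war -> jars
        "WEB-INF/lib/log4j-core-2.1.jar": make_zip({JNDI: b"\xca\xfe\xba\xbe"}),  # unpatched
        "WEB-INF/lib/broken.jar": b"not really a zip"})  # corrupted nested archive
    ear, buf = make_zip({"app.war": war}), io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("backup/app.ear")
        info.size = len(ear)
        tf.addfile(info, io.BytesIO(ear))
    found, corrupt = [], []
    scan_bytes(buf.getvalue(), "/tmp/app.tgz", found, corrupt)
    return found, corrupt
```

Splitting each found path on the first `::` gives the AffectedFile and NestedPath columns of the CSV described above; the corrupt list corresponds to the entries the real tool writes to its scan log.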

### Patching vulnerable .jars

If vulnerabilities are found, the `loguccino-scan-[datetime].csv` is used as an input to the patch command:

```
./loguccino patch ./loguccino-scan-23122021003311.csv
```

This removes each vulnerability that was found, and creates a `loguccino-patch-[timestamp]` directory containing a backup of each file that was patched. Where a file was patched for multiple vulnerabilities (such as a larger backup archive containing multiple tools or software releases), multiple versions of the patched file are backed up at each stage of the process to enable staged rollback in case of failure.

> **Note**:  
> Patching a file on disk does not patch the version of the program already running on the host. Remember that you must stop the relevant services / applications before patching and restart them after the patch for the changes to take effect.

More information about the patch command is available via `./loguccino help patch`.

### Demo

<img src="images/ux.svg" width="100%">


## Known issues

### Traversal of corrupted archives

When scanning for vulnerabilities, some archives may be reported as corrupted (this also happens with nested archives whose compression method doesn't match the archive's file extension). The scan command will print the path to these in the `logpresso-scan-[datetime].log`. If they're deemed significant, these archives should be decompressed and inspected (or scanned) manually to confirm that they are in fact corrupted.


## Unknown issues

If you encounter any bugs or unexpected behavior, please [open an issue](https://github.com/sassoftware/loguccino/issues/new) and attach any steps to reproduce the bug alongside other background information.

Pull requests and updates to the code are welcome and encouraged. 

File Snapshot

```
[4.0K] /data/pocs/c31680ee41d9aea3642b25d6d02f9dfacc6507f4
├── [1.5K] build.gradle
├── [ 820] build.sh
├── [ 299] Dockerfile
├── [4.0K] gradle
│   └── [4.0K] wrapper
│       ├── [ 58K] gradle-wrapper.jar
│       └── [ 202] gradle-wrapper.properties
├── [7.9K] gradlew
├── [2.7K] gradlew.bat
├── [4.0K] images
│   ├── [ 47K] hyperic-error.png
│   ├── [ 16K] logo-svg-dark.svg
│   ├── [ 15K] logo-svg.svg
│   └── [394K] ux.svg
├── [ 11K] LICENSE
├── [5.8K] README.md
├── [ 262] settings.gradle
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] com
        │       └── [4.0K] sas
        │           └── [4.0K] vulnerabilities
        │               ├── [ 745] BaseSubcommand.java
        │               ├── [5.7K] LoggingMixin.java
        │               ├── [1.8K] Loguccino.java
        │               ├── [4.0K] model
        │               │   ├── [1.5K] PatchedVulnerability.java
        │               │   ├── [1.5K] Version.java
        │               │   └── [2.9K] VulnerableArchive.java
        │               ├── [4.2K] PatchCommand.java
        │               ├── [4.0K] patcher
        │               │   ├── [ 227] AbstractPatcher.java
        │               │   ├── [5.7K] SequentialPatcherInventoryService.java
        │               │   ├── [3.6K] SequentialPatcherInventoryTask.java
        │               │   └── [4.2K] SequentialPatcher.java
        │               ├── [2.4K] ScanCommand.java
        │               ├── [4.0K] scanner
        │               │   ├── [1.2K] AbstractScanner.java
        │               │   └── [6.9K] Scanner.java
        │               └── [4.0K] utils
        │                   ├── [4.4K] ArchiveCompressUtils.java
        │                   ├── [6.5K] ArchiveStreamUtils.java
        │                   ├── [ 657] Constants.java
        │                   ├── [1.8K] ManifestVersionProvider.java
        │                   ├── [ 873] OSValidator.java
        │                   ├── [1.2K] ShortErrorMessageHandler.java
        │                   └── [6.7K] Utils.java
        └── [4.0K] resources
            └── [4.0K] META-INF
                └── [4.0K] native-image
                    └── [4.0K] com.sas.vulnerabilities
                        └── [4.0K] loguccino
                            ├── [ 174] native-image.properties
                            ├── [6.6K] reflect-config.json
                            └── [ 106] resource-config.json

18 directories, 38 files
```