[HN Gopher] Log4jscanner
___________________________________________________________________
 
Log4jscanner
 
Author : ithkuil
Score  : 65 points
Date   : 2022-01-01 19:39 UTC (3 hours ago)
 
web link (github.com)
 
| whirlwin wrote:
| For Java projects, we use OWASP dependency check as a Maven
| plugin, which fails the build if compromised log4j2 deps exist:
| https://owasp.org/www-project-dependency-check/
 
| beorno wrote:
| Didn't know log4js needed a canner? (Ok, couldn't help it)
 
| hvasilev wrote:
| The essence is:
| https://github.com/google/log4jscanner/blob/main/jar/jar.go
| 
| this is the decision logic:
| 
|     func (c *checker) bad() bool {
|         return (c.hasLookupClass && c.hasOldJndiManagerConstructor) ||
|             (c.hasLookupClass && c.seenJndiManagerClass &&
|                 !c.isAtLeastTwoDotSixteen)
|     }
 
| Riverheart wrote:
| It's odd to me that there isn't some general purpose utility that
| can be tweaked to search for X files and apply Y logic to it.
| Find on Linux kind of meets that goal, kludgy as it is.
 
| lilyball wrote:
| I feel like this is a missed opportunity to use a name like
| scan4log4j
 
  | smnrchrds wrote:
  | Loggy McLogface
  | 
  | Like the other Google project, Bloaty McBloatface.
  | 
  | https://github.com/google/bloaty
 
  | yosito wrote:
  | logsk&
 
  | koolba wrote:
  | It'd be hilarious if it uses log4j to output the scan results
  | too.
 
| yosito wrote:
| As someone who hasn't touched Java since a programming class 20
| years ago, and mostly lives in the Node world now, with sprinkles
| of Python, is it enough to simply scan jar files? Do I need to
| worry about a Linux VPS running a Node app that might install
| some kind of Java dependency somewhere?
 
  | needusername wrote:
  | No. The JAR could be inside a WAR inside an EAR.
 
    | ddworken wrote:
    | This tool will recursively unpack wars and ears.
 
      | throwanem wrote:
      | Not to MAR the point you're making, but isn't that scenario
      | pretty FAR from real-world PAR? I'm sure you find JARs in
      | RARs and TARs too, especially from shady VARs, but at some
      | point we're planning out SAR for when a meteor hits our CAR.
 
  | ddworken wrote:
  | One of the benefits of this tool is that you can run it across
  | a folder or even an entire disk to check all jars on the disk.
  | So if a Node app does somehow pull in java, by scanning the
  | entire disk this tool should be able to detect if the pulled in
  | java code contains log4j.
 
  | cmeacham98 wrote:
  | A Node or Python program could indirectly use a java library
  | but it would be very unusual, and this library should catch it
  | assuming any amount of sanity in how the dependency is
  | installed.
  | 
  | Theoretically, some particularly insane application could
  | download and run a jar purely in memory without it ever
  | touching the disk. That's so close to malware-like behavior
  | that only the most insane legit programs would ever do that.
 
  | xorcist wrote:
  | It wouldn't be safe against someone who actively tries to
  | hide code, but the classloader requires the class files to be
  | appropriately named, so if unzip -l doesn't show any suspect
  | class names that should be enough in practice.
  | 
  | A Linux VPS running a Node app is unlikely to even have Java
  | installed. It's a pretty big dependency and you couldn't miss
  | it.
 
    | yosito wrote:
    | It seems like it would be easy to miss if it's in a docker
    | container. Would auditing my docker containers be a good
    | idea?
    | 
    | Also, is there a good command to run to reliably check if
    | Java is installed on a system?
 
      | edoceo wrote:
      | > Would auditing my docker containers be a good idea
      | 
      | Yes! I frequently review any containers from the cloud I
      | run. Load on isolated VM, start, cursory inspection at
      | least. Then with images I'm happy with we keep them
      | internally, until we need the upgrade.
 
| downrightmike wrote:
| Anyone know about issues with the log4net.dll? Last major version
| was 2.0.14, so it wouldn't have the fixes.
 
  | AndrewDucker wrote:
  | Entirely different software. Doesn't share this issue.
___________________________________________________________________
(page generated 2022-01-01 23:00 UTC)
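Two points in the thread above are worth seeing in working code: hvasilev's `bad()` decision logic, and ddworken's remark that the tool recursively unpacks WARs and EARs (needusername's "JAR inside a WAR inside an EAR"). The Go program below is an added example written for this page, not code from google/log4jscanner. It keeps the real class paths for `JndiLookup` and `JndiManager` but simplifies the checker to entry-name presence: the bytecode inspection behind `hasOldJndiManagerConstructor` and `isAtLeastTwoDotSixteen` in the real tool is not modelled, so `bad()` here is only `hasLookupClass && seenJndiManagerClass`. The nested-archive walk, the depth and size caps, and the sample EAR/WAR/JAR chain (placeholder bytes, not real bytecode) are all constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// Real log4j-core class paths; the checker around them is this example's simplification.
const (
	lookupClassEntry      = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
	jndiManagerClassEntry = "org/apache/logging/log4j/core/net/JndiManager.class"
	maxDepth              = 8        // guard against pathological self-nesting
	maxNestedBytes        = 64 << 20 // cap on one nested archive read into memory
)

// checker holds per-archive flags. Unlike the real tool it looks only at entry
// names; the bytecode checks for the old JndiManager constructor and the 2.16
// marker are deliberately left out (assumption of this example).
type checker struct {
	hasLookupClass       bool
	seenJndiManagerClass bool
}

func (c *checker) bad() bool { return c.hasLookupClass && c.seenJndiManagerClass }

func isArchive(name string) bool {
	n := strings.ToLower(name)
	return strings.HasSuffix(n, ".jar") || strings.HasSuffix(n, ".war") ||
		strings.HasSuffix(n, ".ear") || strings.HasSuffix(n, ".zip")
}

// Scan checks one in-memory archive and every archive nested inside it, returning
// the nested paths (e.g. "app.ear/app.war/WEB-INF/lib/x.jar") that tripped bad().
func Scan(path string, data []byte) ([]string, error) {
	var flagged []string
	err := walk(path, data, 0, &flagged)
	return flagged, err
}

func walk(path string, data []byte, depth int, flagged *[]string) error {
	if depth > maxDepth {
		return fmt.Errorf("%s: nested too deeply", path)
	}
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return fmt.Errorf("%s: %w", path, err)
	}
	c := &checker{}
	for _, f := range r.File {
		switch {
		case f.Name == lookupClassEntry:
			c.hasLookupClass = true
		case f.Name == jndiManagerClassEntry:
			c.seenJndiManagerClass = true
		case isArchive(f.Name): // recurse into JAR/WAR/EAR/ZIP members
			rc, err := f.Open()
			if err != nil {
				return err
			}
			nested, err := io.ReadAll(io.LimitReader(rc, maxNestedBytes))
			rc.Close()
			if err != nil {
				return err
			}
			if err := walk(path+"/"+f.Name, nested, depth+1, flagged); err != nil {
				return err
			}
		}
	}
	if c.bad() {
		*flagged = append(*flagged, path)
	}
	return nil
}

// BuildZip assembles an archive in memory; used only to construct sample input.
func BuildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range entries {
		fw, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		io.WriteString(fw, body)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// SampleEAR is a constructed EAR -> WAR -> JAR chain; the innermost JAR carries
// placeholder bytes (not real bytecode) under the two log4j class names.
func SampleEAR() []byte {
	fakeLog4jCore := BuildZip(map[string]string{lookupClassEntry: "placeholder", jndiManagerClassEntry: "placeholder"})
	war := BuildZip(map[string]string{"WEB-INF/web.xml": "<web-app/>", "WEB-INF/lib/log4j-core-example.jar": string(fakeLog4jCore)})
	return BuildZip(map[string]string{"META-INF/application.xml": "<application/>", "app.war": string(war)})
}

func main() {
	flagged, err := Scan("app.ear", SampleEAR())
	if err != nil {
		panic(err)
	}
	fmt.Println("flagged:", flagged) // the innermost JAR, by its full nested path
}
```

Running it flags only the innermost JAR, reported as `app.ear/app.war/WEB-INF/lib/log4j-core-example.jar`; an archive containing `JndiLookup.class` but no `JndiManager.class` is not flagged, mirroring the conjunction in the snippet hvasilev quoted. The depth and size caps matter when scanning a whole disk as ddworken suggests, since a nested archive is read fully into memory before recursing.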