[HN Gopher] Log4jscanner
___________________________________________________________________
Log4jscanner
Author : ithkuil
Score : 65 points
Date : 2022-01-01 19:39 UTC (3 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| whirlwin wrote:
| For Java projects, we use OWASP dependency check as a Maven
| plugin, which fails the build if compromised log4j2 deps exist:
| https://owasp.org/www-project-dependency-check/
| beorno wrote:
| Didn't know log4js needed a canner? (Ok, couldn't help it)
| hvasilev wrote:
| The essence is:
| https://github.com/google/log4jscanner/blob/main/jar/jar.go
|
| this is the decision logic:
|
| // true when JndiLookup ships alongside an old JndiManager (old constructor,
| // or a JndiManager class from a release below 2.16)
| func (c *checker) bad() bool {
|     return (c.hasLookupClass && c.hasOldJndiManagerConstructor) ||
|         (c.hasLookupClass && c.seenJndiManagerClass &&
|             !c.isAtLeastTwoDotSixteen)
| }
| Riverheart wrote:
| It's odd to me that there isn't some general purpose utility that
| can be tweaked to search for X files and apply Y logic to it.
| Find on Linux kind of meets that goal kludgy as it is.
| lilyball wrote:
| I feel like this is a missed opportunity to use a name like
| scan4log4j
| smnrchrds wrote:
| Loggy McLogface
|
| Like the other Google project, Bloaty McBloatface.
|
| https://github.com/google/bloaty
| yosito wrote:
| logsk&
| koolba wrote:
| It'd be hilarious if it uses log4j to output the scan results
| too.
| yosito wrote:
| As someone who hasn't touched Java since a programming class 20
| years ago, and mostly lives in the Node world now, with sprinkles
| of Python, is it enough to simply scan jar files? Do I need to
| worry about a Linux VPS running a Node app that might install
| some kind of Java dependency somewhere?
| needusername wrote:
| No. The JAR could be inside a WAR inside an EAR.
| ddworken wrote:
| This tool will recursively unpack wars and ears.
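To show what "recursively unpack wars and ears" amounts to in practice, here is an added Go example (not log4jscanner's own code) that walks a jar/war/ear nesting entirely in memory and reports every path at which the JndiLookup class entry appears; it applies only the class-name check from the decision logic quoted above, not the JndiManager version heuristics, and the nested sample archive it scans is constructed inline.

```go
package main

import (
	"archive/zip"
	"bytes"
	"io"
	"strings"
)

const lookupClass = "org/apache/logging/log4j/core/lookup/JndiLookup.class" // marks a log4j-core jar still shipping the JNDI lookup

// buildZip assembles an in-memory zip; used here only to construct sample input.
func buildZip(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, data := range entries {
		f, _ := w.Create(name)
		f.Write(data)
	}
	w.Close()
	return buf.Bytes()
}

// ScanArchive returns the paths (outer!/inner!/...) at which the lookup class appears, descending
// into nested jars/wars/ears in memory; non-zip data is skipped and maxDepth bounds the recursion.
func ScanArchive(data []byte, prefix string, maxDepth int) (hits []string) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return // not a zip at all: nothing to inspect
	}
	for _, f := range r.File {
		full, n := prefix+f.Name, strings.ToLower(f.Name)
		if f.Name == lookupClass {
			hits = append(hits, full)
		}
		if maxDepth > 0 && (strings.HasSuffix(n, ".jar") || strings.HasSuffix(n, ".war") || strings.HasSuffix(n, ".ear")) {
			if rc, err := f.Open(); err == nil {
				inner, _ := io.ReadAll(rc) // nested archive is read into memory, never written to disk
				rc.Close()
				hits = append(hits, ScanArchive(inner, full+"!/", maxDepth-1)...)
			}
		}
	}
	return hits
}

func SampleEAR() []byte { // constructed ear -> war -> jar nesting that buries the lookup class
	core := buildZip(map[string][]byte{lookupClass: []byte("\xca\xfe\xba\xbe")})
	war := buildZip(map[string][]byte{"WEB-INF/lib/log4j-core-2.14.1.jar": core, "index.jsp": []byte("<html/>")})
	return buildZip(map[string][]byte{"app.war": war, "lib/clean.jar": buildZip(map[string][]byte{"a/B.class": nil})})
}
```

Calling `ScanArchive(SampleEAR(), "app.ear!/", 4)` reports the single buried JndiLookup entry, while a depth limit of 1 stops before the war's inner jar, which is why a flat `unzip -l` of the outer file alone is not enough.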
| throwanem wrote:
| Not to MAR the point you're making, but isn't that scenario
| pretty FAR from real-world PAR? I'm sure you find JARs in
| RARs and TARs too, especially from shady VARs, but at some
| point we're planning out SAR for when a meteor hits our CAR.
| ddworken wrote:
| One of the benefits of this tool is that you can run it across
| a folder or even an entire disk to check all jars on the disk.
| So if a Node app does somehow pull in java, by scanning the
| entire disk this tool should be able to detect if the pulled in
| java code contains log4j.
| cmeacham98 wrote:
| A Node or Python program could indirectly use a java library
| but it would be very unusual, and this library should catch it
| assuming any amount of sanity in how the dependency is
| installed.
|
| Theoretically, some particularly insane application could
| download and run a jar purely in memory without it ever
| touching the disk. That's so close to malware-like behavior
| that only the most insane legit programs would ever do that.
| xorcist wrote:
| It wouldn't be safe against someone who actively tries to
| hide code, but the classloader requires the class files to be
| appropriately named, so if unzip -l doesn't show any suspect
| class names that should be enough in practice.
|
| A Linux VPS running a Node app is unlikely to even have Java
| installed. It's a pretty big dependency and you couldn't miss
| it.
| yosito wrote:
| It seems like it would be easy to miss if it's in a docker
| container. Would auditing my docker containers be a good
| idea?
|
| Also, is there a good command to run to reliably check if
| Java is installed on a system?
| edoceo wrote:
| > Would auditing my docker containers be a good idea
|
| Yes! I frequently review any containers from the cloud I
| run. Load on isolated VM, start, cursory inspection at
| least. Then with images I'm happy with we keep them
| internally, until we need the upgrade.
| downrightmike wrote:
| Anyone know about issues with the log4net.dll? Last major version
| was 2.0.14, so it wouldn't have the fixes.
| AndrewDucker wrote:
| Entirely different software. Doesn't share this issue.
___________________________________________________________________
(page generated 2022-01-01 23:00 UTC)