From 2dd839192a789c45cebc272a9fab2e03ede68f52 Mon Sep 17 00:00:00 2001 From: breadchris Date: Thu, 16 Dec 2021 23:27:26 -0500 Subject: [PATCH] analyzer has better semver version checking --- tools/log4shell/analyze/analyze.go | 107 +-- tools/log4shell/constants/vulnerablehashes.go | 34 +- tools/log4shell/findings.json | 708 ++++++++++++++++++ tools/log4shell/log4j-library-hashes.json | 91 +++ tools/log4shell/scan/scanfile.go | 1 + tools/log4shell/types/findings.go | 1 + tools/log4shell/types/vulnerablehashes.go | 8 + 7 files changed, 897 insertions(+), 53 deletions(-) create mode 100644 tools/log4shell/findings.json diff --git a/tools/log4shell/analyze/analyze.go b/tools/log4shell/analyze/analyze.go index fa86d72bc..cb88b53ca 100644 --- a/tools/log4shell/analyze/analyze.go +++ b/tools/log4shell/analyze/analyze.go @@ -22,34 +22,23 @@ import ( "github.com/rs/zerolog/log" "io" "path" + "regexp" "strings" ) -func isVersionALog4ShellVersion(semverVersion string) bool { - version, _ := semver.Make(semverVersion) +var alphaRegex = regexp.MustCompile("([a-z]+)") - vulnerableRange, _ := semver.ParseRange(">=2.0.0-beta9 <=2.14.1") - if vulnerableRange(version) { - return true - } - return false -} - -func isVersionACVE202145046Version(semverVersion string) bool { - version, _ := semver.Make(semverVersion) - - vulnerableRange, _ := semver.ParseRange("=2.15.0") - if vulnerableRange(version) { - return true +func versionIsInRange(fileName string, semverVersion string, semverRange semver.Range) bool { + version, err := semver.Make(semverVersion) + if err != nil { + log.Warn(). + Str("fileName", fileName). + Str("semverVersion", semverVersion). + Msg("Unable to parse semver version") + return false } - return false -} - -func isVersionACVE201917571Version(semverVersion string) bool { - version, _ := semver.Make(semverVersion) - vulnerableRange, _ := semver.ParseRange(">=1.2.0 <=1.2.17") - if vulnerableRange(version) { + if semverRange(version) { return true } return false 
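Review bot: `versionIsInRange` turns a version string that `semver.Make` rejects into "not in range", which is the unsafe default for a scanner — presumably only jars already suspected to be log4j reach this code, so a name the parser cannot read is more likely unusual packaging than a safe release, yet the caller sees the same `false` as for a patched version. I would return the parse failure separately (an `ok bool` or the error) so `ProcessArchiveFile` can fall back to its hash lookup rather than dropping the finding, and collapse the tail to `return semverRange(version)`. The helper also needs a doc comment, e.g. `// versionIsInRange reports whether semverVersion parses and lies inside semverRange; fileName only labels the warning logged when parsing fails.`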
@@ -68,39 +57,61 @@ func adjustMissingPatchVersion(semverVersion string) string { return semverVersion } +func fileNameToSemver(fileNameNoExt string) string { + fileNameParts := strings.Split(fileNameNoExt, "-") + + var tag, semverVersion string + for i := len(fileNameParts) - 1; i >= 0; i-- { + fileNamePart := fileNameParts[i] + if ( + strings.HasPrefix(fileNamePart, "1") || + strings.HasPrefix(fileNamePart, "2")) && + strings.Contains(fileNamePart, ".") { + + tagPart := alphaRegex.FindString(fileNamePart) + if tagPart != "" { + fileNamePart = strings.Replace(fileNamePart, tagPart, "", 1) + if tag == "" { + tag = tagPart + } else { + tag = tagPart + "-" + tag + } + } + + fileNamePart = adjustMissingPatchVersion(fileNamePart) + + if tag == "" { + semverVersion = fileNamePart + break + } + semverVersion = fileNamePart + "-" + tag + break + } + if tag == "" { + tag = fileNamePart + continue + } + tag = fileNamePart + "-" + tag + } + return semverVersion +} + func ProcessArchiveFile(reader io.Reader, filePath, fileName string) (finding *types.Finding) { _, file := path.Split(filePath) - version := strings.TrimSuffix(file, path.Ext(file)) + fileNameNoExt := strings.TrimSuffix(file, path.Ext(file)) // small adjustments to the version so that it can be parsed as semver - semverVersion := strings.Replace(version, "log4j-core-", "", -1) - semverVersion = strings.Replace(semverVersion, "logging-log4j-", "", -1) - semverVersion = strings.Replace(semverVersion, "jakarta-log4j-", "", -1) - semverVersion = strings.Replace(semverVersion, "log4j-", "", -1) - - semverVersion = adjustMissingPatchVersion(semverVersion) + semverVersion := fileNameToSemver(fileNameNoExt) versionCve := "" - if isVersionALog4ShellVersion(semverVersion) { - if !strings.Contains(fileName, "JndiManager.class") { - return - } - versionCve = constants.Log4ShellCve - } - - if isVersionACVE202145046Version(semverVersion) { - if !strings.Contains(fileName, "JndiManager.class") { - return - } - versionCve = 
constants.CtxCve - } - - if isVersionACVE201917571Version(semverVersion) { - if !strings.Contains(fileName, "SocketNode.class") { - return + for _, fileVersionCheck := range constants.FileVersionChecks { + if versionIsInRange(fileNameNoExt, semverVersion, fileVersionCheck.SemverRange) { + if !strings.Contains(fileName, fileVersionCheck.LibraryFile) { + return + } + versionCve = fileVersionCheck.Cve } - versionCve = constants.Log4j1RceCve } if versionCve == "" { @@ -126,7 +137,7 @@ func ProcessArchiveFile(reader io.Reader, filePath, fileName string) (finding *t if versionCve == "" { log.Debug(). Str("hash", fileHash). - Str("version", version). + Str("version", semverVersion). Msg("Skipping version as it is not vulnerable to any known CVE") return nil } diff --git a/tools/log4shell/constants/vulnerablehashes.go b/tools/log4shell/constants/vulnerablehashes.go index 55397f364..65603a190 100644 --- a/tools/log4shell/constants/vulnerablehashes.go +++ b/tools/log4shell/constants/vulnerablehashes.go @@ -14,10 +14,13 @@ // package constants -import "github.com/lunasec-io/lunasec/tools/log4shell/types" +import ( + "github.com/blang/semver/v4" + "github.com/lunasec-io/lunasec/tools/log4shell/types" +) -var ( - NotVulnerable = "Not Vulnerable" + +const ( Log4ShellCve = "CVE-2021-44228" CtxCve = "CVE-2021-45046" Log4j1RceCve = "CVE-2019-17571" 
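Review bot: `fileNameToSemver` makes the verdict depend entirely on the jar's file name: the loop takes the last `-`-separated segment that starts with `1`/`2` and contains a `.`, so a renamed `log4j-core.jar` yields `""`, and a vendor build such as `log4j-core-2.14.1.redhat-00001.jar` becomes `2.14.1.-redhat-00001` if I trace the loop correctly (the letters are stripped from `2.14.1.redhat` but the trailing dot stays, assuming `adjustMissingPatchVersion` leaves it alone) — both fail `semver.Make`, every `versionIsInRange` call returns false and `versionCve` stays empty. If the `if versionCve == ""` guard at the end of the hunk returns early (its body is outside the hunk), such a jar never reaches the hash lookup shown in the next hunk, which is the one check that does not trust the name. I would let the hash lookup run whenever the name is unparsable or unmatched and use the version ranges only to label the CVE. The helper also deserves a doc comment: `// fileNameToSemver derives a semver string from a jar file name: the last "-"-separated segment starting with 1 or 2 and containing "." is the version, any segments after it are joined as a prerelease tag, and a missing patch level is padded by adjustMissingPatchVersion.`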
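Review bot: `NotVulnerable` is removed from the exported names of package `constants` and nothing in this diff removes a use of it, so a reference in `scan/` or `types/` (each touched by a one-line change here) would now fail to build — worth a grep before merging. Turning the CVE identifiers into `const` is the right call; the double blank line left between the import block and `const (` is just a leftover to tidy.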
@@ -29,9 +32,30 @@ var ( CtxCve: "3.7", Log4j1RceCve: "9.8", } -) -type Log4jVersion string + FileVersionChecks = []types.LibraryFileVersionCheck{ + { + Cve: Log4ShellCve, + SemverRange: semver.MustParseRange(">=2.0.0-beta9 <2.1.0"), + LibraryFile: "JndiLookup.class", + }, + { + Cve: Log4ShellCve, + SemverRange: semver.MustParseRange(">=2.1.0 <=2.14.1"), + LibraryFile: "JndiManager.class", + }, + { + Cve: CtxCve, + SemverRange: semver.MustParseRange("=2.15.0"), + LibraryFile: "JndiManager.class", + }, + { + Cve: Log4j1RceCve, + SemverRange: semver.MustParseRange(">=1.2.0 <=1.2.17"), + LibraryFile: "SocketNode.class", + }, + } +) const ( Log4j1x = "1" diff --git a/tools/log4shell/findings.json b/tools/log4shell/findings.json new file mode 100644 index 000000000..346b5875b --- /dev/null +++ b/tools/log4shell/findings.json 
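Review bot: The second `FileVersionChecks` entry, `>=2.1.0 <=2.14.1`, also covers 2.12.2, the Java 7 backport Apache published as fixed for CVE-2021-44228; the test corpus in this same commit contains `log4j-core-2.12.2.jar` and `findings.json` accordingly reports it as CVE-2021-44228, a false positive that sends operators after an already-patched library. blang/semver ranges accept `||`, so the range should exclude it: `SemverRange: semver.MustParseRange(">=2.1.0 <2.12.2 || >=2.13.0 <=2.14.1"),`. The findings also show `JndiLookup.class` matched for the 2.0.x jars and `JndiManager.class` from 2.1 on, so a comment on the first two entries recording that split would help whoever adds the next range, e.g. `// JndiManager.class only appears from 2.1; 2.0.x jars are identified by JndiLookup.class.`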
@@ -0,0 +1,708 @@ +{ + "vulnerable_libraries": [ + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.15/log4j-1.2.15.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4", + "version": "1.2.15", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.16/log4j-1.2.16.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46", + "version": "1.2.16", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-1.2.17/log4j-1.2.17.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74", + "version": "1.2.17", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", + "version": "2.0.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + 
"path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + "version": "2.0.0-rc2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "version": "2.0.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", + "version": "2.0.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + 
"severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.0-bin/log4j-core-2.11.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.1-bin/log4j-core-2.11.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.11.2-bin/log4j-core-2.11.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.0-bin/log4j-core-2.12.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "version": "2.12.0, 2.12.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.1-bin/log4j-core-2.12.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": 
"1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "version": "2.12.0, 2.12.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.12.2-bin/log4j-core-2.12.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", + "version": "2.12.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.0-bin/log4j-core-2.13.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.1-bin/log4j-core-2.13.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.2-bin/log4j-core-2.13.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.13.3-bin/log4j-core-2.13.3.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "version": "2.14.0, 2.14.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.14.1-bin/log4j-core-2.14.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "version": "2.14.0, 2.14.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", + "version": "2.15.0", + "cve": "CVE-2021-45046", + "severity": "3.7" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.2-bin/log4j-core-2.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.3-bin/log4j-core-2.3.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4-bin/log4j-core-2.4.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.4.1-bin/log4j-core-2.4.1.jar", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.5-bin/log4j-core-2.5.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6-bin/log4j-core-2.6.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.1-bin/log4j-core-2.6.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.6.2-bin/log4j-core-2.6.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.7-bin/log4j-core-2.7.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8-bin/log4j-core-2.8.jar", + 
"file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.1-bin/log4j-core-2.8.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", + "version": "2.8.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.0-bin/log4j-core-2.9.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.9.1-bin/log4j-core-2.9.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.1/dist/lib/log4j-1.2.1.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": 
"test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.2/dist/lib/log4j-1.2.2.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.3/dist/lib/log4j-1.2.3.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.4/dist/lib/log4j-1.2.4.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d", + "version": "1.2.1, 1.2.2, 1.2.3, 1.2.4", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.5/dist/lib/log4j-1.2.5.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a", + "version": "1.2.5", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.6/dist/lib/log4j-1.2.6.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", + "version": "1.2.6, 1.2.7, 1.2.9", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.7/dist/lib/log4j-1.2.7.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", + "version": "1.2.6, 1.2.7, 1.2.9", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": 
"test/vulnerable-log4j2-versions/apache/jakarta-log4j-1.2.8/dist/lib/log4j-1.2.8.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9", + "version": "1.2.8", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.11/dist/lib/log4j-1.2.11.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "d778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6", + "version": "1.2.11", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.12/dist/lib/log4j-1.2.12.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c", + "version": "1.2.12", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.13/dist/lib/log4j-1.2.13.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", + "version": "1.2.13, 1.2.14", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.14/dist/lib/log4j-1.2.14.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7", + "version": "1.2.13, 1.2.14", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/logging-log4j-1.2.9/dist/lib/log4j-1.2.9.jar", + "file_name": "org/apache/log4j/net/SocketNode.class", + "hash": "3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0", + "version": "1.2.6, 1.2.7, 1.2.9", + "cve": "CVE-2019-17571", + "severity": "9.8" + }, + { + "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar", + "file_name": 
"org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "version": "2.0.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8", + "version": "2.0.0-beta9, 2.0.0-rc1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2", + "version": "2.0.0-rc2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e", + "version": "2.0.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c", + "version": "2.0.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar", + "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class", + "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29", + "version": "2.0.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": 
"ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.10.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.11.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "version": "2.12.0, 2.12.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.1.jar", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de", + "version": "2.12.0, 2.12.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.12.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "b1960d63a3946f9e16e1920624f37c152b58b98932ed04df99ed5d9486732afb", + "version": "2.12.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.13.3.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078", + "version": "2.13.0, 2.13.1, 2.13.2, 2.13.3", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.0.jar", + "file_name": 
"org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "version": "2.14.0, 2.14.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.14.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6", + "version": "2.14.0, 2.14.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.15.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "db07ef1ea174e000b379732681bd835cfede648a7971bf4e9a0d31981582d69e", + "version": "2.15.0", + "cve": "CVE-2021-45046", + "severity": "3.7" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.3.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c", + "version": "2.1.0, 2.2.0, 2.3.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.4.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": 
"3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.5.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7", + "version": "2.4.0, 2.4.1, 2.5.0", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.6.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246", + "version": "2.6.0, 2.6.1, 2.6.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.7.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": 
"1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.2.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407", + "version": "2.8.2", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.8.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32", + "version": "2.7.0, 2.8.0, 2.8.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.0.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + }, + { + "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.9.1.jar", + "file_name": "org/apache/logging/log4j/core/net/JndiManager.class", + "hash": "293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6", + "version": "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1", + "cve": "CVE-2021-44228", + "severity": "10.0" + } + ] +} \ No newline at end of file diff --git a/tools/log4shell/log4j-library-hashes.json b/tools/log4shell/log4j-library-hashes.json index 7ecf979f4..bfc6d6ec9 100644 --- a/tools/log4shell/log4j-library-hashes.json +++ b/tools/log4shell/log4j-library-hashes.json 
@@ -21,6 +21,62 @@
 "version": "1.2.17",
 "cve": "CVE-2019-17571"
 },
+ {
+ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8",
+ "version": "2.0.0-beta9",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-beta9-osgi-bin/log4j-core-osgi-reduced-2.0-beta9.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8",
+ "version": "2.0.0-beta9",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-bin/log4j-core-2.0.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29",
+ "version": "2.0.0",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8",
+ "version": "2.0.0-rc1",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc1-osgi-bin/log4j-core-osgi-reduced-2.0-rc1.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8",
+ "version": "2.0.0-rc1",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2",
+ "version": "2.0.0-rc2",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path":
"test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e",
+ "version": "2.0.1",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c",
+ "version": "2.0.2",
+ "cve": "CVE-2021-44228"
+ },
 {
 "path": "test/vulnerable-log4j2-versions/apache/apache-log4j-2.1-bin/log4j-core-2.1.jar",
 "file_name": "org/apache/logging/log4j/core/net/JndiManager.class",
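Review bot: The JndiLookup.class hash `39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8` is added four times in this hunk with two different `version` values (`2.0.0-beta9` for the two beta9 jars, `2.0.0-rc1` for the two rc1 jars), and `VulnerableHashLookup` is a `map[string]VulnerableHash`, so if the loader keys that map on the hash without merging, the last entry read wins and a beta9 jar is reported as rc1 or vice versa. The comma-joined `version` lists in the findings.json this commit adds (e.g. `"2.4.0, 2.4.1, 2.5.0"`) suggest versions are merged at load time, but that code is not in this diff, so please confirm the merge also covers entries whose `version` differs while `cve` is the same. If it does not, collapsing the four entries into one with `"version": "2.0.0-beta9, 2.0.0-rc1"`, mirroring the findings output format, would remove the ambiguity at the data level.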
@@ -315,6 +371,41 @@
 "version": "1.2.9",
 "cve": "CVE-2019-17571"
 },
+ {
+ "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc1.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8",
+ "version": "2.0.0-rc1",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0-rc2.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2",
+ "version": "2.0.0-rc2",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.1.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e",
+ "version": "2.0.1",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.2.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c",
+ "version": "2.0.2",
+ "cve": "CVE-2021-44228"
+ },
+ {
+ "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.0.jar",
+ "file_name": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
+ "hash": "fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29",
+ "version": "2.0.0",
+ "cve": "CVE-2021-44228"
+ },
 {
 "path": "test/vulnerable-log4j2-versions/target/dependency/log4j-core-2.1.jar",
 "file_name": "org/apache/logging/log4j/core/net/JndiManager.class",
diff --git a/tools/log4shell/scan/scanfile.go b/tools/log4shell/scan/scanfile.go
index 159aacbf8..0843736f9 100644
--- a/tools/log4shell/scan/scanfile.go
+++ b/tools/log4shell/scan/scanfile.go
@@ -72,6 +72,7 @@ func identifyPotentiallyVulnerableFile(reader io.Reader, path, fileName string,
 Hash: fileHash,
 Version: vulnerableFile.Version,
 CVE: vulnerableFile.CVE,
+ Severity: severity,
 }
 return
 }
diff --git a/tools/log4shell/types/findings.go b/tools/log4shell/types/findings.go
index bc81a5a77..82e9ccbe3 100644
--- a/tools/log4shell/types/findings.go
+++ b/tools/log4shell/types/findings.go
@@ -24,6 +24,7 @@ type Finding struct {
 Hash string `json:"hash"`
 Version string `json:"version"`
 CVE string `json:"cve"`
+ Severity string `json:"severity"`
 }
 
 type FindingsOutput struct {
diff --git a/tools/log4shell/types/vulnerablehashes.go b/tools/log4shell/types/vulnerablehashes.go
index df43bee26..3f17d9a64 100644
--- a/tools/log4shell/types/vulnerablehashes.go
+++ b/tools/log4shell/types/vulnerablehashes.go
@@ -14,6 +14,8 @@
 //
 package types
 
+import "github.com/blang/semver/v4"
+
 type VulnerableHash struct {
 Name string `json:"name"`
 Version string `json:"version"`
@@ -21,3 +23,9 @@ type VulnerableHash struct {
 }
 
 type VulnerableHashLookup map[string]VulnerableHash
+
+type LibraryFileVersionCheck struct {
+ Cve string
+ SemverRange semver.Range
+ LibraryFile string
+}
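Review bot: The new `Severity` field on `Finding` (findings.go hunk) has no doc comment and is a `string`, so a consumer of findings.json sees `"10.0"` without knowing whether it is a CVSS base score or a free-form label, and cannot sort or threshold on it without parsing. The value comes from the `severity` variable assigned in `identifyPotentiallyVulnerableFile` (scanfile.go hunk, `Severity: severity,`), which is declared outside that hunk, so its source cannot be confirmed from this diff. If it is the CVE's CVSS score, `// Severity is the CVSS base score of CVE, kept as a decimal string (e.g. "10.0") for the JSON output.` documents the contract; a numeric type would let consumers compare without parsing, at the cost of changing the JSON shape.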
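Review bot: `LibraryFileVersionCheck` and its three fields are exported without doc comments, and the field `Cve` does not follow the initialism convention that `Finding.CVE` (findings.go hunk in this same commit) already uses; renaming it `CVE` now, while the type is new and has no callers in this diff, keeps the two types consistent. For the type, `// LibraryFileVersionCheck pairs a CVE with the semver range of library versions it affects and the library file the check applies to.` states what the fields show; whether `LibraryFile` is a class path that must be present inside the archive is not visible here and should be spelled out by whoever wires the type into the analyzer. `SemverRange` deserves `// SemverRange is a compiled semver.Range predicate, not the range string.` since the semver package exposes both forms.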