update wording in blog to be more clear that the cli is not an archive #386

Merged (2 commits), Dec 27, 2021
30 changes: 19 additions & 11 deletions docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx
Expand Up @@ -67,21 +67,29 @@ It works by scanning for hashes of [known vulnerable log4j classes](https://gith
If you have a vulnerable version of a log4j in your built Java project, the hash will match a one
of the hashes in the list.

**[Download from GitHub](https://github.com/lunasec-io/lunasec/releases/)**
**Download from [GitHub](https://github.com/lunasec-io/lunasec/releases/)** or from the command line:

_Make sure you download the right version for your Operating System and CPU architecture._ Once downloaded, you can extract
it and run the `log4shell` command in your terminal. The tool can scan individual files or whole directories.
```shell title="Download Linux CLI"
curl -OL https://github.com/lunasec-io/lunasec/releases/download/v1.4.1-log4shell/log4shell_1.4.1-log4shell_Linux_x86_64
```

```shell title="Download OSX CLI"
curl -OL https://github.com/lunasec-io/lunasec/releases/download/v1.4.1-log4shell/log4shell_1.4.1-log4shell_Darwin_x86_64
```

_Make sure you download the right version for your Operating System and CPU architecture._ Once downloaded, run the `log4shell`
command in your terminal. The tool can scan individual files or whole directories.

**Linux**
```shell title="Example Linux Command"
```shell title="Install Linux CLI"
cp log4shell_1.4.1-log4shell_Linux_x86_64 /usr/local/bin/log4shell
chmod +x /usr/local/bin/log4shell
log4shell scan your-project-dir/
```

**OSX**
```shell title="Example OSX Commands"
# Replace `<PATH_ON_YOUR_MACHINE>` with your path, eg: `~/Downloads`
```shell title="Install OSX CLI"
# Replace `<PATH_ON_YOUR_MACHINE>` with your path, eg: `~/Downloads`, if you have downloaded it by visiting the Releases page
cp <PATH_ON_YOUR_MACHINE>/log4shell_1.4.1-log4shell_Darwin_x86_64 /usr/local/bin/log4shell
chmod +x /usr/local/bin/log4shell
log4shell scan your-project-dir
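Review bot: the new `curl -OL` download blocks fetch a release binary and the install blocks copy it straight into `/usr/local/bin` and mark it executable without any integrity check; publish a SHA-256 checksum (or a signature) with each release and add a verification step (for example a `sha256sum -c` against the published checksum file) between the download and the `cp`. Two smaller points in the same hunk: the scan examples differ (`your-project-dir/` on Linux, `your-project-dir` on OSX), and the text asks readers to pick the right CPU architecture while only `x86_64` download URLs are shown, so say that explicitly.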
Expand All @@ -91,6 +99,7 @@ log4shell scan your-project-dir
```shell title="Example Windows Command"
log4shell.exe scan your-project-dir/
```

Because the tool contains exploit strings needed for the `livepatch` command, it might be falsely recognized as malware by some
virus scanners on Windows. Please add an exception for it.

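Review bot: the unchanged advice in the last two lines of this hunk, to add an antivirus exception because the binary carries exploit strings for `livepatch`, should be tied to an integrity check: tell readers to verify the release checksum before whitelisting anything, since a blanket exception for a file named `log4shell.exe` would also cover a tampered or look-alike binary.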
Expand Down Expand Up @@ -253,13 +262,12 @@ default and removes the message lookup feature.

We recommend you upgrade, if possible. For most people, this is the final and correct solution to the issue.

:::caution Version 2.15.0 still may be vulnerable
Log4j version `2.15.0` which was previously thought to be secure has been found to still have a [limited vulnerability](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f),
that could result in a DOS (but not RCE), users must update to `>= 2.16.0`.
:::

:::caution Version 2.16.0 vulnerable to DOS
~~Log4j version `2.15.0` which was previously thought to be secure has been found to still have a [limited vulnerability](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f),
that could result in a DOS (but not RCE), users must update to `>= 2.16.0`.~~
Let's just say update to 2.17.0? It's confusing to say "update to 16....okay now update to 17"

I think having a cohesive and clear message is way more valuable than having a changelog of what's happened to our blog post.


If you have updated Log4j to version `2.16.0`, a Denial of Service (DOS) attack is still present in [certain logging circumstances](https://logging.apache.org/log4j/2.x/security.html).
Please update to `>=2.17.0`
:::

### Option 2: Enable `formatMsgNoLookups`
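Review bot: the 2.16.0 caution keeps the old 2.15.0 paragraph as struck-through text (`~~...~~`) while the same paragraph still stands un-struck in the 2.15.0 caution above it, so readers see the 2.15.0 advice twice and three different upgrade targets (`>= 2.16.0`, `>= 2.16.0`, `>=2.17.0`). Agree with the comment above: collapse both admonitions into a single one that states the current target, `>= 2.17.0`, and point to the Apache security page for the history. Minor: `Please update to `>=2.17.0`` is missing its full stop, and the spacing in `>=2.17.0` differs from `>= 2.16.0`.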
2 changes: 1 addition & 1 deletion tools/log4shell/Dockerfile
Expand Up @@ -14,7 +14,7 @@ WORKDIR /build
COPY . /build
COPY --from=java-build /build/hotpatch-payload/target/classes/Log4ShellHotpatch.class /build

RUN go build -o log4shell .
RUN CGO_ENABLED=0 go build -o log4shell .

FROM alpine

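Review bot: no comment explains why `CGO_ENABLED=0` was added; a one-line note that it forces a statically linked Go binary so it runs on the `alpine` runtime image (musl, no glibc) would save the next reader a `git blame`. Consider also pinning `FROM alpine` to a specific version so the runtime image is reproducible.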