log4j

All your suggestions, requests and ideas for future development
esullivan
Posts: 48
Joined: 13 Jun 2014, 16:05

log4j

Post by esullivan »

Does Filebot use log4j and if so, do you have an update coming for it?
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: log4j

Post by rednoah »

FileBot doesn't use log4j.
:idea: Please read the FAQ and How to Request Help.
esullivan
Posts: 48
Joined: 13 Jun 2014, 16:05

Re: log4j

Post by esullivan »

Cool thanks.
zabymoli
Posts: 1
Joined: 14 Dec 2021, 07:07

Re: log4j

Post by zabymoli »

Hi,

I am not a java developer by a long shot but in the commons-logging.jar Filebot is using, there is at least a reference for LOG4J I think in form of a hashtable. What use does this function have if you don't mind explaining? Or is this just an underlying lib you are using? I just ran a script we wrote at work to scan jar files for any LOG4j references and it popped up. groovy.jar also seems to use log4j in some way.

The ps1 script reads in the contents in Jar files and looks for the string "log4j". Since jar files are not pure text files some characters can't be displayed correctly so some context is missing.

Kind Regards

zabymoli
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: log4j

Post by rednoah »

Presumably, commons-logging and groovy can be configured to use different logging libraries, log4j being among the options. FileBot itself uses java.util.logging, either directly, or indirectly in 3rd party libraries via the commons-logging and slf4j interfaces.


EDIT:

log4jIsAvailable is a variable name:
https://github.com/apache/commons-loggi ... e.java#L63

org.apache.log4j.Logger is a String value:
https://github.com/apache/commons-loggi ... e.java#L82

Log4jLoggingStrategy is a class name:
https://github.com/apache/groovy/blob/m ... j.java#L79
esullivan
Posts: 48
Joined: 13 Jun 2014, 16:05

Re: log4j

Post by esullivan »

@rednoah thanks for looking into that a little more. My entire yesterday and my entire today was and will be spent scanning my 800 computers for the java programs and log4j. It just popped into my head that Filebot uses Java.
esullivan
Posts: 48
Joined: 13 Jun 2014, 16:05

Re: log4j

Post by esullivan »

zabymoli wrote: 14 Dec 2021, 07:20 HI,

I am not a java developer by a long shot but in the commons-logging.jar Filebot is using, there is at least a reference for LOG4J I think in form of a hashtable. What use does this function have if you don't mind explaining? Or is this just an underlying lib you are using? I just ran a script we wrote at work to scan jar files for any LOG4j references and it popped up. groovy.jar also seems to use log4j in some way.

The ps1 script reads in the contents in Jar files and looks for the string "log4j". Since jar files are not pure text files some characters can't be displayed correctly so some context is missing.

Kind Regards

zabymoli
Morning Zab. I am in IT for a school district, we have been scanning our system all day yesterday for Java apps. Would you be willing to share the script that searches inside the jar file? "For the kids"? HA
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: log4j

Post by rednoah »

You'll wanna do something like this:
https://gist.github.com/Neo23x0/e4c8b03 ... re-windows

Code:

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
1. Find all jar archives
2. Check if any of them contain a zip entry named JndiLookup.class
esullivan
Posts: 48
Joined: 13 Jun 2014, 16:05

Re: log4j

Post by esullivan »

I found that PS command yesterday, thanks. You said you had a script to search inside the jar file?

We use PDQ, they wrote a script to check against known vulnerable hashes: https://www.pdq.com/blog/log4j-vulnerab ... 021-44228/
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: log4j

Post by rednoah »

esullivan wrote: 14 Dec 2021, 14:17 I found that PS command yesterday, thanks. You said you had a script to search inside the jar file?
Yes, the select-string "JndiLookup.class" $_ part does that. It'll just check the binary content for a "JndiLookup.class" character sequence, and that works since zip files don't compress zip entry headers.
esullivan
Posts: 48
Joined: 13 Jun 2014, 16:05

Re: log4j

Post by esullivan »

rednoah wrote: 14 Dec 2021, 14:29
esullivan wrote: 14 Dec 2021, 14:17 I found that PS command yesterday, thanks. You said you had a script to search inside the jar file?
Yes, the select-string "JndiLookup.class" $_ part does that. It'll just check the binary content for a "JndiLookup.class" character sequence, and that works since zip files don't compress zip entry headers.
Gotcha! Thanks!
esullivan
Posts: 48
Joined: 13 Jun 2014, 16:05

Re: log4j

Post by esullivan »

You can also use this on any jar files you found. From a security company, works well to double check

https://github.com/mergebase/log4j-detector
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: log4j

Post by rednoah »

If you're not limited to built-in PowerShell commands, then a dedicated tool will work much better, and will also be able to find log4j patterns within nested archives.
esullivan
Posts: 48
Joined: 13 Jun 2014, 16:05

Re: log4j

Post by esullivan »

rednoah wrote: 14 Dec 2021, 15:46 If you're not limited to built-in PowerShell commands, then a dedicated tool will work much better, and will also be able to find log4j patterns within nested archives.
I tried running that command on the C drive. Took 25 minutes before I stopped it. I am using a combo of the two. The PowerShell command quickly finds jar files then the other one to verify. Trying to find a way to quickly find all JAR files with that command, not just read inside. I am no script genius by any means, so it's slow going.
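
The two points made in the thread (a jar is a zip whose entry names can be checked for JndiLookup.class, and a jar packed inside another jar needs more than a byte search) can be seen in one script. This is an added example, not code from any poster or from the linked gist or tools; the function names Find-JndiLookup and New-SampleZip and the in-memory sample.jar are constructed for illustration. It reads entry names through .NET's ZipArchive and descends into nested archives.

```powershell
# Added example: function names and the in-memory sample archive are constructed.
Add-Type -AssemblyName System.IO.Compression

function Find-JndiLookup {
    param([System.IO.Stream]$Stream, [string]$Label)
    $zip = $null
    try {
        $zip = New-Object System.IO.Compression.ZipArchive($Stream, [System.IO.Compression.ZipArchiveMode]::Read, $true)
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -like '*JndiLookup.class') {
                "${Label}!/$($entry.FullName)"      # report archive path and entry name
            } elseif ($entry.FullName -match '\.(jar|war|ear|zip)$') {
                # Nested archive: unpack it into memory and scan its entries too
                $mem = New-Object System.IO.MemoryStream
                $src = $entry.Open()
                try { $src.CopyTo($mem) } finally { $src.Dispose() }
                $mem.Position = 0
                Find-JndiLookup -Stream $mem -Label "${Label}!/$($entry.FullName)"
                $mem.Dispose()
            }
        }
    } catch {
        # Corrupt file or not a zip at all: note it and keep scanning
        Write-Warning "Skipped ${Label}: $($_.Exception.Message)"
    } finally {
        if ($zip) { $zip.Dispose() }
    }
}

function New-SampleZip {
    param([string]$EntryName, [byte[]]$Content)
    $ms  = New-Object System.IO.MemoryStream
    $zip = New-Object System.IO.Compression.ZipArchive($ms, [System.IO.Compression.ZipArchiveMode]::Create, $true)
    $out = $zip.CreateEntry($EntryName).Open()
    $out.Write($Content, 0, $Content.Length)
    $out.Dispose(); $zip.Dispose()
    , $ms.ToArray()      # unary comma keeps the byte[] from being unrolled
}

# Constructed sample: placeholder bytes named like the class, inside inner.jar, inside an outer jar
$inner  = New-SampleZip 'org/apache/logging/log4j/core/lookup/JndiLookup.class' ([byte[]](1..32))
$outer  = New-SampleZip 'BOOT-INF/lib/inner.jar' $inner
$stream = New-Object System.IO.MemoryStream (, $outer)
Find-JndiLookup -Stream $stream -Label 'sample.jar'
```

To scan files on disk, open each path returned by gci with [System.IO.File]::OpenRead and pass the stream and the path to Find-JndiLookup.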