log4j
Re: log4j
Hi,
I am not a Java developer by a long shot, but in the commons-logging.jar FileBot is using, there is at least a reference to LOG4J, I think in the form of a hashtable. What use does this function have, if you don't mind explaining? Or is this just an underlying lib you are using? I just ran a script we wrote at work to scan jar files for any log4j references and it popped up. groovy.jar also seems to use log4j in some way.
The ps1 script reads in the contents of jar files and looks for the string "log4j". Since jar files are not pure text files, some characters can't be displayed correctly, so some context is missing.

Kind Regards
zabymoli
Re: log4j
Presumably, commons-logging and groovy can be configured to use different logging libraries, log4j being among the options. FileBot itself uses java.util.logging, either directly, or indirectly in 3rd party libraries via the commons-logging and slf4j interfaces.
EDIT:
log4jIsAvailable is a variable name:
https://github.com/apache/commons-loggi ... e.java#L63
org.apache.log4j.Logger is a String value:
https://github.com/apache/commons-loggi ... e.java#L82
Log4jLoggingStrategy is a class name:
https://github.com/apache/groovy/blob/m ... j.java#L79
Re: log4j
Morning Zab. I am in IT for a school district, we have been scanning our system all day yesterday for Java apps. Would you be willing to share the script that searches inside the jar file? "For the kids"? HA
zabymoli wrote: ↑14 Dec 2021, 07:20
Hi,
I am not a Java developer by a long shot, but in the commons-logging.jar FileBot is using, there is at least a reference to LOG4J, I think in the form of a hashtable. What use does this function have, if you don't mind explaining? Or is this just an underlying lib you are using? I just ran a script we wrote at work to scan jar files for any log4j references and it popped up. groovy.jar also seems to use log4j in some way.
The ps1 script reads in the contents of jar files and looks for the string "log4j". Since jar files are not pure text files, some characters can't be displayed correctly, so some context is missing.
Kind Regards
zabymoli
Re: log4j
You'll wanna do something like this:
https://gist.github.com/Neo23x0/e4c8b03 ... re-windows
1. Find all jar archives
2. Check if any of them contain a zip entry named JndiLookup.class
Code:
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
Re: log4j
I found that PS command yesterday, thanks. You said you had a script to search inside the jar file?
We use PDQ, they wrote a script to check against known vulnerable hashes: https://www.pdq.com/blog/log4j-vulnerab ... 021-44228/
Re: log4j
Yes, the select-string "JndiLookup.class" $_ part does that. It'll just check the binary content for a "JndiLookup.class" character sequence, and that works since zip files don't compress zip entry headers.
Re: log4j
You can also use this on any jar files you found. From a security company, works well to double check
https://github.com/mergebase/log4j-detector
Re: log4j
If you're not limited to built-in PowerShell commands, then a dedicated tool will work much better, and will also be able to find log4j patterns within nested archives.
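The two steps from earlier in the thread (find the archives, then check for a zip entry named JndiLookup.class), extended to nested archives, as an added example that is not code from any poster here or from the linked gist and tools. It opens each archive and compares real entry names instead of matching raw bytes, which matters because a jar packed inside a war or another jar is usually compressed there, so its entry names are hidden from a plain string match. The function names and the demo file are assumptions, and it assumes PowerShell 5 or later.

```powershell
# Added example, not from the thread. Function names and demo files are assumptions.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-JndiLookup {
    param([System.IO.Stream]$Stream, [string]$Label, [int]$Depth = 0)
    if ($Depth -gt 5) { return }                 # bound recursion into nested archives
    try { $zip = [System.IO.Compression.ZipArchive]::new($Stream, 'Read', $true) }
    catch { return }                             # not a readable zip: skip it
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq 'JndiLookup.class') {
                "$Label!$($entry.FullName)"      # outer file path plus entry path
            } elseif ($entry.Name -match '\.(jar|war|ear|zip)$' -and $entry.Length -lt 512MB) {
                # Nested archive: copy to memory so it is seekable, then recurse.
                $mem = [System.IO.MemoryStream]::new()
                $in = $entry.Open()
                try { $in.CopyTo($mem) } finally { $in.Dispose() }
                $mem.Position = 0
                Find-JndiLookup -Stream $mem -Label "$Label!$($entry.FullName)" -Depth ($Depth + 1)
                $mem.Dispose()
            }
        }
    } finally { $zip.Dispose() }
}

function Find-JndiLookupInPath {
    param([string]$Root)
    Get-ChildItem $Root -Recurse -Force -Include *.jar, *.war, *.ear -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            try { $fs = [System.IO.File]::OpenRead($path) } catch { return }  # locked or unreadable
            try { Find-JndiLookup -Stream $fs -Label $path } finally { $fs.Dispose() }
        }
}

# Constructed sample: demo.war holding WEB-INF/lib/inner.jar with an empty JndiLookup.class entry.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'jndi-scan-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$inner = [System.IO.MemoryStream]::new()
$z = [System.IO.Compression.ZipArchive]::new($inner, 'Create', $true)
$null = $z.CreateEntry('org/apache/logging/log4j/core/lookup/JndiLookup.class'); $z.Dispose()
$war = [System.IO.File]::Create((Join-Path $dir 'demo.war'))   # Create() overwrites an older demo file
$z = [System.IO.Compression.ZipArchive]::new($war, 'Create')
$out = $z.CreateEntry('WEB-INF/lib/inner.jar').Open()
$inner.WriteTo($out); $out.Dispose(); $z.Dispose()

Find-JndiLookupInPath $dir
```

A hit only says the class is present in that archive; whether the log4j build it belongs to is a vulnerable one still has to be checked, for example with the hash list or detector linked in this thread.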
Re: log4j
I tried running that command on the C drive. Took 25 minutes before I stopped it. I am using a combo of the two. The PowerShell command quickly finds jar files, then the other one to verify. Trying to find a way to quickly find all JAR files with that command, not just read inside. I am no script genius by any means, so it's slow going.