Update README.md

juliusmusseau · web-flow · commit 8cb0604a2bcd · 2021-12-30T10:22:03.000-08:00
latest version is now aware of log4j versions 2.3.2, 2.12.4, and 2.17.1
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 <h1>Log4-detector</h1>
 
-Scanner that detects vulnerable Log4J versions to help teams assess their exposure to [CVE-2021-44228](https://mergebase.com/vulnerability/CVE-2021-44228/), [CVE-2021-45046](https://mergebase.com/vulnerability/CVE-2021-45046/) and [CVE-2021-45105](https://mergebase.com/vulnerability/CVE-2021-45105/). Can search for Log4J instances by carefully examining the complete file-system, including all installed applications. It is able to find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!
+Scanner that detects vulnerable Log4J versions to help teams assess their exposure to **[CVE-2021-44228](https://mergebase.com/vulnerability/CVE-2021-44228/) (CRITICAL)**, [CVE-2021-45046](https://mergebase.com/vulnerability/CVE-2021-45046/), [CVE-2021-45105](https://mergebase.com/vulnerability/CVE-2021-45105/), and [CVE-2021-44832](https://mergebase.com/vulnerability/CVE-2021-44832/). Can search for Log4J instances by carefully examining the complete file-system, including all installed applications. It is able to find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!
 
 # Table of Contents
 - [Introduction](#itemdetector)
@@ -26,7 +26,7 @@ Scanner that detects vulnerable Log4J versions to help teams assess their exposu
 
 # Introduction <a name="itemdetector"></a>
 
-Currently reports [log4j-core](https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/) versions 2.3.1, 2.12.3, and 2.17.0 as **\_SAFE\_**, 2.12.2, 2.15.0 and 2.16.0 as **\_OKAY\_** and all other versions as **\_VULNERABLE\_**
+Currently reports [log4j-core](https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/) versions 2.3.2, 2.12.4, and 2.17.1 as **\_SAFE\_**, 2.3.1, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0 as **\_OKAY\_** and all other versions as **\_VULNERABLE\_**
 (although it does report pre-2.0-beta9 as **\_POTENTIALLY_SAFE\_**). It reports older [log4j-1.x](https://repo1.maven.org/maven2/log4j/log4j/) versions as **\_OLD\_**.
 
 Can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended
@@ -35,48 +35,49 @@ exploded jar files just sitting uncompressed on the file-system (aka *.class).
 
 We currently maintain a collection of [log4j-samples](https://github.com/mergebase/log4j-samples) we use for testing.
 
-# Example Usage: <a name="itemexample"></a>
-
-java -jar log4j-detector-2021.12.29.jar [path-to-scan] > hits.txt
-
-![Terminal output from running java -jar log4j-detector.jar in a terminal](./images/log4j-detector.png)
-
-# More Example Usage: <a name="itemmore"></a>
+# Example Usage: <a name="itemmore"></a>
 
 ```
 java -jar log4j-detector-2021.12.29.jar ./samples 
 
 -- github.com/mergebase/log4j-detector v2021.12.29 (by mergebase.com) analyzing paths (could take a while).
 -- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-/opt/mergebase/log4j-detector/samples/clt-1.0-SNAPSHOT.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
-/opt/mergebase/log4j-detector/samples/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
-/opt/mergebase/log4j-detector/samples/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_
-/opt/mergebase/log4j-detector/samples/log4j-1.2.13.jar contains Log4J-1.x   <= 1.2.17 _OLD_
-/opt/mergebase/log4j-detector/samples/log4j-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta2.jar contains Log4J-2.x   <= 2.0-beta8 _POTENTIALLY_SAFE_ (or did you already remove JndiLookup.class?) 
-/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta9.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.0.2.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.0.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.12.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.12.2.jar contains Log4J-2.x   == 2.12.2 _OKAY_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.12.3.jar contains Log4J-2.x   >= 2.12.3 _SAFE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.15.0.jar contains Log4J-2.x   == 2.15.0 _OKAY_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.16.0.jar contains Log4J-2.x   == 2.16.0 _OKAY_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.17.0.jar contains Log4J-2.x   >= 2.17.0 _SAFE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.3.1.jar contains Log4J-2.x   == 2.3.1 _SAFE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.4.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
-/opt/mergebase/log4j-detector/samples/log4j-core-2.9.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
+false-hits/log4j-core-2.12.2.jar contains Log4J-2.x   == 2.12.2 _OKAY_
+false-hits/log4j-core-2.12.3.jar contains Log4J-2.x   == 2.12.3 _OKAY_
+false-hits/log4j-core-2.12.4.jar contains Log4J-2.x   == 2.12.4 _SAFE_
+false-hits/log4j-core-2.15.0.jar contains Log4J-2.x   == 2.15.0 _OKAY_
+false-hits/log4j-core-2.16.0.jar contains Log4J-2.x   == 2.16.0 _OKAY_
+false-hits/log4j-core-2.17.0.jar contains Log4J-2.x   == 2.17.0 _OKAY_
+false-hits/log4j-core-2.17.1.jar contains Log4J-2.x   >= 2.17.1 _SAFE_
+false-hits/log4j-core-2.3.1.jar contains Log4J-2.x   == 2.3.1 _OKAY_
+false-hits/log4j-core-2.3.2.jar contains Log4J-2.x   == 2.3.2 _SAFE_
+true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
+true-hits/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
+true-hits/log4j-core-2.10.0.zip contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
+true-hits/log4j-core-2.11.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
+true-hits/log4j-core-2.11.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
+true-hits/log4j-core-2.11.2.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
+true-hits/log4j-core-2.12.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
+true-hits/log4j-core-2.12.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
+true-hits/log4j-core-2.14.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
+true-hits/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
+true-hits/log4j-core-2.2.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
+true-hits/log4j-core-2.3.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
+true-hits/log4j-core-2.4.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
+true-hits/log4j-core-2.4.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
+true-hits/log4j-core-2.9.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
+old-hits/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_
+old-hits/log4j-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_
+old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.x   <= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)
 ```
 
 # Understanding The Results <a name="itemresults"></a>
 
 **\_VULNERABLE\_** -> You need to upgrade or remove this file.
 
-**\_OKAY\_** -> We only report this for Log4J versions 2.12.2, 2.15.0, and 2.16.0. We recommend upgrading to 2.17.0.
+**\_OKAY\_** -> We report this for Log4J versions 2.3.1, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0. We recommend upgrading to 2.17.1.
 
-**\_SAFE\_** -> We currently only report this for Log4J versions 2.3.1, 2.12.3, and 2.17.0 (and greater).
+**\_SAFE\_** -> We currently only report this for Log4J versions 2.3.2, 2.12.4, and 2.17.1 (and greater).
 
 **\_OLD\_** -> You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and has several known-vulnerabilities.
 
@@ -110,7 +111,7 @@ Docs  - https://github.com/mergebase/log4j-detector
 git clone https://github.com/mergebase/log4j-detector.git
 cd log4j-detector/
 mvn install
-java -jar target/log4j-detector-2021.12.29.jar
+java -jar target/log4j-detector-latest.jar
 ```
 # Testing: <a name="itemtesting"></a>
 
@@ -130,6 +131,9 @@ on your file-system, it then examines that file for this String: "Invalid JNDI U
 literal is only present in the patched version of Log4J (version 2.15.0). Any versions of Log4J without that String are
 vulnerable.
 
+This same technique of examining *.class files for String literals is further extended to accurately detect safe
+versions 2.3.2, 2.12.4, and 2.17.1.
+
 ## This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? <a name="itemapi"></a>
 
 Many scanners (including GitHub's own [Dependabot](https://github.com/dependabot)) currently report both "`log4j-core`" and "`log4j-api`" libraries as vulnerable.  These scanners are incorrect. There is currently no existing version of the "`log4j-api`" library that can be exploited by any of these vulnerabilities.
@@ -145,8 +149,8 @@ Version 2.12.2 is important because it's a Java 7 compatible version of Log4J th
 
 Versions 2.15.0 and 2.16.0 are important because these are the first versions where Log4J's default out-of-the-box configuration is not vulnerable to CVE-2021-44228.
 
-And versions 2.3.1, 2.12.3, and 2.17.0 are important because they are not vulnerable to more recently discovered CVEs such as CVE-2021-45046 and CVE-2021-45105.
-Despite these being much less serious vulnerabilities, we anticipate everyone will want to patch to one of 2.3.1, 2.12.3, or 2.17.0.
+And versions 2.3.2, 2.12.4, and 2.17.1 are important because they are not vulnerable to more recently discovered CVEs such as CVE-2021-45046 and CVE-2021-45105.
+Despite these being much less serious vulnerabilities, we anticipate everyone will want to patch to one of 2.3.2, 2.12.4, or 2.17.1.
 
 ## What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? <a name="itemwar"></a>
 
@@ -168,7 +172,7 @@ Only versions of Log4J 2.x (from 2.0-beta9 to 2.14.1) are vulnerable to CVE-2021
 
 ## How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? <a name="itemtrojan"></a>
 
-Great question! Since we include the complete source code here in Github (all 2200 lines of Java), as well as the steps
+Great question! Since we include the complete source code here in Github (all 2500 lines of Java), as well as the steps
 to build it, and since this tool has zero dependencies, it shouldn't take too long to carefully study the code to your
 satisfaction. If you don't trust Maven you can go directly into the "src/main/java/com/mergebase/log4j" directory and
 type "javac \*.java". That works, too!
