
Catching log4j 1.x also ? #14

Open
tjyang opened this issue Dec 16, 2021 · 8 comments

Comments

@tjyang

tjyang commented Dec 16, 2021

Hi,
I found the following string was not reported by log4j-finder:

... /xxx/lib/log4j-1.2.15.jar

Please consider catching log4j 1.x jars also.

Thanks

@yunzheng
Member

Hi, I'll check whether it doesn't bloat the tool too much with hashes, and I'll consider it. The tool is mainly focused on finding log4shell issues, and log4j 1.x is not vulnerable to log4shell, but it is to other vulnerabilities :)

@tjyang
Author

tjyang commented Dec 16, 2021

  • Thanks for the consideration.
    With this RFE added, I won't have to use the following shell script for finding all versions of log4j-core*.jar on a system.

  • Not sure who wrote this shell script originally. Quite smart to just scan the /proc/*/fd/ dir. I just added the hostname variable.

#!/bin/sh
# Report log4j-core jars held open by running processes, tagged with this host's name.
HOSTNAME=`hostname`
# Read the symlink targets under /proc/*/fd/, keep the log4j-core jars,
# dedupe them and drop release-candidate (rc2) jars.
log4j_result=`ls -la /proc/*/fd/ 2>/dev/null | grep -E "log4j-core" | cut -d '>' -f2 | sort -u | grep -v rc2.jar`
<snipped>
fi
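The same /proc/*/fd idea as the shell script above, written as an added example (not log4j-finder's own code, nor tjyang's): it reads each process's fd symlinks, matches both log4j 1.x and log4j-core 2.x jar names (going beyond the script's log4j-core grep, as this issue requests), extracts the version, and keeps jars that were deleted on disk but are still open, which /proc marks with a " (deleted)" suffix. Reading other users' fds needs root; unreadable processes are skipped.

```python
"""Added example: list log4j jars currently held open by running processes
by reading /proc/<pid>/fd symlinks, with version extraction and handling of
the " (deleted)" suffix /proc shows for unlinked-but-open files."""
import os
import re
import socket

# Matches log4j 1.x (log4j-1.2.15.jar) and 2.x (log4j-core-2.14.1.jar) names,
# with an optional qualifier such as -rc2 and the optional " (deleted)" marker.
JAR_RE = re.compile(r"/(log4j(?:-core)?)-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar(?: \(deleted\))?$")


def classify_target(target):
    """Return a dict for a log4j jar link target, or None for anything else."""
    m = JAR_RE.search(target)
    if not m:
        return None
    deleted = target.endswith(" (deleted)")
    path = target[: -len(" (deleted)")] if deleted else target
    return {"artifact": m.group(1), "version": m.group(2),
            "path": path, "deleted": deleted}


def collect_from_targets(targets):
    """Dedupe hits by jar path; shared by the /proc walk and the test."""
    hits = {}
    for target in targets:
        info = classify_target(target)
        if info:
            hits.setdefault(info["path"], info)
    return [hits[p] for p in sorted(hits)]


def _listdir(path):
    try:
        return os.listdir(path)
    except OSError:  # process exited, or another user's process without root
        return []


def iter_proc_fd_targets(proc="/proc"):
    """Yield the symlink target of every readable /proc/<pid>/fd/<n>."""
    for pid in filter(str.isdigit, _listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        for fd in _listdir(fd_dir):
            try:
                yield os.readlink(os.path.join(fd_dir, fd))
            except OSError:  # fd closed mid-scan
                continue


if __name__ == "__main__":
    for hit in collect_from_targets(iter_proc_fd_targets()):
        print(socket.gethostname(), hit["artifact"], hit["version"], hit["path"],
              "(deleted on disk, still open)" if hit["deleted"] else "")
```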

@yunzheng
Member

Adding hostname is a good idea, will add that to the script regardless.

@KrisJanssen
Contributor

KrisJanssen commented Dec 17, 2021

I have started collecting hashes from samples of 1.x JMSAppender.class

"45857e7767d0af0ee2773ce69a9b77fb": "log4j 1.2.12",
"6df11afef01bbc20b1862977da8dd0e3": "log4j 1.2.13",
"6df11afef01bbc20b1862977da8dd0e3": "log4j 1.2.14",
"057abb2f43d712e8b2c519f1f5684a94": "log4j 1.2.15",
"abbf972ad55b21cb813ffb82c65c4239": "log4j 1.2.16",
"aa189ba43b50b4cd95f60473929b3009": "log4j 1.2.17",

Could you review these? I would be keen on adding 1.x support

@yunzheng
Member

yunzheng commented Dec 18, 2021

I have started collecting hashes from samples of 1.x JMSAppender.class

"45857e7767d0af0ee2773ce69a9b77fb": "log4j 1.2.12",
"6df11afef01bbc20b1862977da8dd0e3": "log4j 1.2.13",
"6df11afef01bbc20b1862977da8dd0e3": "log4j 1.2.14",
"057abb2f43d712e8b2c519f1f5684a94": "log4j 1.2.15",
"abbf972ad55b21cb813ffb82c65c4239": "log4j 1.2.16",
"aa189ba43b50b4cd95f60473929b3009": "log4j 1.2.17",

Could you review these? I would be keen on adding 1.x support

I added JMSAppender.class to log4j-finder to parse a mirror of: https://repo1.maven.org/maven2/log4j/log4j/

These are the MD5 hashes, and they match what you already had:

log4j/1.1.3/org/apache/log4j/net/JMSAppender.class [17979e492cc6afe32119e12ef0990076: Unknown MD5]
log4j/1.2.11/org/apache/log4j/net/JMSAppender.class [685284cd73dabe660e6ab92835c902f4: Unknown MD5]
log4j/1.2.12/org/apache/log4j/net/JMSAppender.class [45857e7767d0af0ee2773ce69a9b77fb: Unknown MD5]
log4j/1.2.13/org/apache/log4j/net/JMSAppender.class [6df11afef01bbc20b1862977da8dd0e3: Unknown MD5]
log4j/1.2.14/org/apache/log4j/net/JMSAppender.class [6df11afef01bbc20b1862977da8dd0e3: Unknown MD5]
log4j/1.2.15/org/apache/log4j/net/JMSAppender.class [057abb2f43d712e8b2c519f1f5684a94: Unknown MD5]
log4j/1.2.16/org/apache/log4j/net/JMSAppender.class [abbf972ad55b21cb813ffb82c65c4239: Unknown MD5]
log4j/1.2.17/org/apache/log4j/net/JMSAppender.class [aa189ba43b50b4cd95f60473929b3009: Unknown MD5]
log4j/1.2.4/org/apache/log4j/net/JMSAppender.class [e816a3aef55c711f9118c4310812f0b4: Unknown MD5]
log4j/1.2.5/org/apache/log4j/net/JMSAppender.class [e816a3aef55c711f9118c4310812f0b4: Unknown MD5]
log4j/1.2.6/org/apache/log4j/net/JMSAppender.class [b249ccaf49cc542d30a8ba58d9168dd6: Unknown MD5]
log4j/1.2.7/org/apache/log4j/net/JMSAppender.class [b249ccaf49cc542d30a8ba58d9168dd6: Unknown MD5]
log4j/1.2.8/org/apache/log4j/net/JMSAppender.class [905cbcf34cb8bcbff41d49850825d44b: Unknown MD5]
log4j/1.2.9/org/apache/log4j/net/JMSAppender.class [b249ccaf49cc542d30a8ba58d9168dd6: Unknown MD5]

I have not looked into log4j 1.x further yet; is there any reason why you chose JMSAppender.class?

@tjyang
Author

tjyang commented Dec 18, 2021

Quick Googling on JMSAppender.class log4j CVE brings this page up: https://www.kb.cert.org/vuls/id/930724

@yunzheng
Member

yunzheng commented Dec 20, 2021

I have done a bit of hashing of log4j and log4j-core; we mainly use MD5 hashes to identify the log4j version. I found that these .class files are more unique between versions (first column is how many unique hashes):

For log4j (v1.x)

10 JMSAppender.class
10 LogManager.class
10 MDC.class
10 NTEventLogAppender.class
10 PropertyConfigurator.class
10 RollingFileAppender.class
10 SocketServer.class
10 TTCCLayout.class
10 XMLLayout.class
10 XMLWatchdog.class
11 AsyncAppender.class
11 Category.class
11 DOMConfigurator.class
11 Loader.class
11 LoggingEvent.class
11 NDC.class
11 OptionConverter.class
11 PatternParser.class
11 PropertyPrinter.class
11 RollingCalendar.class
11 SimpleSocketServer.class
11 SocketAppender$Connector.class
11 SocketAppender.class
11 SocketNode.class
11 SyslogAppender.class

For log4j-core (v2.x)

27 ResolverUtil.class
28 AsyncLogger.class
28 Interpolator.class
28 Log4jLogEvent.class
30 ConfigurationFactory.class
31 ConfigurationFactory$Factory.class
31 PatternLayout.class
32 ConsoleAppender.class
32 LoggerConfig.class
32 RollingFileManager.class
34 LoggerContext.class

Of course we also need to consider how unique the class name is between other Java projects.

@kkplein

kkplein commented Dec 20, 2021

This would be good, also in the light of CVE-2021-4104
