Skip to content

Tools for remediating the recent log4j2 RCE vulnerability (CVE-2021-44228)

License

Notifications You must be signed in to change notification settings

stripe/log4j-remediation-tools

Repository files navigation

log4j-remediation-tools

Tools for finding and reproducing the CVE-2021-44228 log4j2 vulnerability

Tools

Usage

Both of these tools scan all running JVM processes on a machine, and produce a CSV report about which processes may be / are vulnerable.

Check out the corresponding READMEs for find-vulnerabilities/ and confirm-vulnerabilities/ for usage details.

Which tool should I use?

Here are a few tradeoffs to help you determine which tool is right for your use case:

find-vulnerabilities is low-risk to run, but has the possibility of missing:

  • Cases where a system property is not set on the CLI, e.g. at runtime
  • Cases where the JVM has closed the file descriptor for the jar
  • Non-standard / patched releases of log4j2

confirm-vulnerabilities uses the JVM Attach API which:

  • May not work if an application explicitly disables this API
  • May crash the running JVM due to JVM bugs
  • May briefly slow down the running JVM while waiting for JVM pause

Contributing

This project welcomes feedback and contributions; however, we might be slow to respond to or triage your requests. We appreciate your patience.

License

This project uses the MIT license.

Code of conduct

This project has adopted the Stripe Code of conduct.

About

Tools for remediating the recent log4j2 RCE vulnerability (CVE-2021-44228)

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published