Log4j – Security Vulnerability – Detection Tool – WhiteSource – Windows Binary

Background

Let us quickly try out another of the freely available tools for detecting the Log4J security vulnerabilities.

 

Lineage

  1. Log4j – Security Vulnerability – Detection Tools
    Link
  2. Log4j – Security Vulnerability – Detection Tool – CERT ( Community Emergency Response Team ) – PowerShell Script
    Link

WhiteSource

Our Story

Here is a beautiful story:

Link

You are inches from selling your software. All you need to do is produce an inventory report as part of due diligence for the acquiring company. You send your manually-­tracked report. It gets rejected. You resort to code-­scanning, which you had tried to avoid because it’s so expensive and time-­consuming. You get the post-­scan report and now have a huge task in front of you to rule out false positives and correct errors.

We have been there.

For the founders of WhiteSource, it was a nightmare that lasted several weeks. In the end, we were lucky that the code scan did not report any critical issues, and we were able to push through the sale of our software company, Eurekify, in 2008 to CA Technologies. But, it was a bumpy road.

We decided then and there that our next entrepreneurial mission would be to save other companies from this fate by designing a solution to automate all tasks surrounding the use of open-source components: a solution built by a software development team, for software development teams.

Welcome to WhiteSource. It’s the only all-­in-one licensing, security, and reporting solution for managing open source components, and the only one that operates in real-­time, by automatically and continuously scanning dozens of open source repositories, and cross-­referencing this data directly against the open source components in your build. It helps you find optimal components, automatically alerts you about known security vulnerabilities, bugs, new versions, patches, and fixes in the components you’re using. It automates the creation and enforcement of your company’s licensing policies and centralizes inter-­departmental communications and approval processes. It keeps detailed inventories and due diligence reports. It’s compatible with pretty much all programming languages, build tools, and development environments. And possibly the best thing about it – you just plug in and forget about it – unless there’s a problem.

It’s everything software development teams need to get the maximum out of using open source components, without the headache, so they can focus on what they should be doing – making beautifully constructed software.

log4j-detect-distribution

Background

GitHub

Thankfully, WhiteSource avails source code and compiled binaries for log4j-detection-distribution on GitHub.

The URL is https://github.com/whitesource/log4j-detect-distribution.

Vulnerabilities Detected

The following vulnerabilities are detected:-

  1. CVE-2021-45046
  2. CVE-2021-44228
  3. CVE-2021-4104
  4. CVE-2021-45105
  5. CVE-2021-44832

Supported Operating Systems ( OS )

  1. Linux
  2. Apple
    • Mac
  3. Microsoft
    • Windows ( Win OS )

Supported CPU

  1. x64
    • AMD-64
    • ARM-64
  2. x86

Source Code Language

Images

Textual

  1. Go ( 99.4% )
  2. Ruby ( 0.6% )

 

Contributors

Images

Textual

  1. Noam Dolovich
    • WhiteSource
    • Github
      • Username:- NoamDolovichWS
      • GitHub Page:- Link
  2. Nabeel
    • WhiteSource
    • GitHub
      • Username:- NabeelSaabna
      • GitHub Page:- Link
  3. Anna Rozin
    • WhiteSource ( Director of R & D )
    • GitHub
      • Username:- annarozin
      • GitHub Page:- Link

 

Artifacts

Image

Textual

Vendor OS Package Manager Processor-Architecture – AMD Processor-Architecture – ARM
Apple Mac N/A ( Apple Binary ) log4j-detect-1.4.0-darwin-amd64.tar.gz
Link
log4j-detect-1.4.0-darwin-arm64.tar.gz
Link
Linux Linux N/A ( Linux Binary ) log4j-detect-1.4.0-linux-amd64.tar.gz
Link
log4j-detect-1.4.0-linux-amd64.tar.gz
Link
Microsoft Windows N/A ( Windows Executable – .exe ) log4j-detect-1.4.0-windows-amd64.zip
Link
log4j-detect-1.4.0-windows-arm64.zip
Link
Linux Linux Debian log4j-detect_1.4.0_linux_amd64.deb
Link
log4j-detect_1.4.0_linux_arm64.deb
Link
Linux Linux rpm log4j-detect_1.4.0_linux_amd64.rpm
Link
log4j-detect_1.4.0_linux_arm64.rpm
Link

 

Download

Please get the file.

As I am not up to looking at the source code, I will not be using git tools to download the repository.

I just need to fetch the released package.

I am on MS Windows and between amd64 and arm64, I know I have IntelAMD CPU.

Extract

Going with log4j-detect-1.4.0-windows-amd64.zip.

Extracted the compressed package and arrived at log4j-detect.exe.

 

Usage

Here we go analyzing our java folder.

Syntax


log4j-detect.exe  scan -d <folder>

Sample

Sample – 2.14.1

Command


log4j-detect.exe scan -d c:\java\helloLog4j\v2.14.1

Output

Output – Image

Output – Text
 

Scanning C:\java\helloLog4J\sourceCode\v2.14.1 for vulnerabilities...

Vulnerable Files:
        C:\java\helloLog4J\sourceCode\v2.14.1\lib\log4j\log4j-core-2.14.1.jar Vulnerable

One or more of your projects contain the log4j CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832 exploit.

Remediation Steps:
        * Upgrade to version org.apache.logging.log4j:log4j-core:2.17.1

Learn more about the vulnerability and it's remediation:
https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cveFiles-2021-44228/

©WhiteSource

>

Explanation

  1. Vulnerable Files
    • log4j-core-2.14.1.jar
  2. Vulnerability
    • log4j CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832 exploit
  3. Remediation
    • Upgrade to version org.apache.logging.log4j:log4j-core:2.17.1

 

Sample – 2.17.1

Command


log4j-detect.exe scan -d c:javahelloLog4jv2.17.1

Output

Output – Image

Output – Text
 

Scanning C:javahelloLog4JsourceCodev2.14.1 for vulnerabilities...</pre>
No vulnerabilities were detected

Explanation

  1. Vulnerability
    • None
  2. Remediation
    • N/A

Summary

WhiteSource has a lot going for it.

For instance:-

  1. Cross-Platform
    • Written in the Go Language
  2. Installation
    • Clean Install
    • No Install

 

References

  1. WhiteSource
    • Corporate
    • GitHub
      • Repository:- log4j-detect-distribution
        Link
  2. TechRepublic
    • Jack Wallen
      • Check for Log4j vulnerabilities with this simple-to-use script
        Link

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s