Background
Let us quickly try out another of the freely available tools for detecting the Log4J security vulnerabilities.
Lineage
- Log4j – Security Vulnerability – Detection Tools
Link - Log4j – Security Vulnerability – Detection Tool – CERT ( Community Emergency Response Team ) – PowerShell Script
Link
WhiteSource
Our Story
Here is a beautiful story:
You are inches from selling your software. All you need to do is produce an inventory report as part of due diligence for the acquiring company. You send your manually-tracked report. It gets rejected. You resort to code-scanning, which you had tried to avoid because it’s so expensive and time-consuming. You get the post-scan report and now have a huge task in front of you to rule out false positives and correct errors.
We have been there.
For the founders of WhiteSource, it was a nightmare that lasted several weeks. In the end, we were lucky that the code scan did not report any critical issues, and we were able to push through the sale of our software company, Eurekify, in 2008 to CA Technologies. But, it was a bumpy road.
We decided then and there that our next entrepreneurial mission would be to save other companies from this fate by designing a solution to automate all tasks surrounding the use of open-source components: a solution built by a software development team, for software development teams.
Welcome to WhiteSource. It’s the only all-in-one licensing, security, and reporting solution for managing open source components, and the only one that operates in real-time, by automatically and continuously scanning dozens of open source repositories, and cross-referencing this data directly against the open source components in your build. It helps you find optimal components, automatically alerts you about known security vulnerabilities, bugs, new versions, patches, and fixes in the components you’re using. It automates the creation and enforcement of your company’s licensing policies and centralizes inter-departmental communications and approval processes. It keeps detailed inventories and due diligence reports. It’s compatible with pretty much all programming languages, build tools, and development environments. And possibly the best thing about it – you just plug in and forget about it – unless there’s a problem.
It’s everything software development teams need to get the maximum out of using open source components, without the headache, so they can focus on what they should be doing – making beautifully constructed software.
log4j-detect-distribution
Background
GitHub
Thankfully, WhiteSource avails source code and compiled binaries for log4j-detection-distribution on GitHub.
The URL is https://github.com/whitesource/log4j-detect-distribution.
Vulnerabilities Detected
The following vulnerabilities are detected:-
- CVE-2021-45046
- CVE-2021-44228
- CVE-2021-4104
- CVE-2021-45105
- CVE-2021-44832
Supported Operating Systems ( OS )
- Linux
- Apple
- Mac
- Microsoft
- Windows ( Win OS )
Supported CPU
- x64
- AMD-64
- ARM-64
x86
Source Code Language
Images
Textual
- Go ( 99.4% )
- Ruby ( 0.6% )
Contributors
Images
Textual
- Noam Dolovich
- WhiteSource
- Github
- Username:- NoamDolovichWS
- GitHub Page:- Link
- Nabeel
- WhiteSource
- GitHub
- Username:- NabeelSaabna
- GitHub Page:- Link
- Anna Rozin
- WhiteSource ( Director of R & D )
- GitHub
- Username:- annarozin
- GitHub Page:- Link
Artifacts
Image
Textual
| Vendor | OS | Package Manager | Processor-Architecture – AMD | Processor-Architecture – ARM |
|---|---|---|---|---|
| Apple | Mac | N/A ( Apple Binary ) | log4j-detect-1.4.0-darwin-amd64.tar.gz Link |
log4j-detect-1.4.0-darwin-arm64.tar.gz Link |
| Linux | Linux | N/A ( Linux Binary ) | log4j-detect-1.4.0-linux-amd64.tar.gz Link |
log4j-detect-1.4.0-linux-amd64.tar.gz Link |
| Microsoft | Windows | N/A ( Windows Executable – .exe ) | log4j-detect-1.4.0-windows-amd64.zip Link |
log4j-detect-1.4.0-windows-arm64.zip Link |
| Linux | Linux | Debian | log4j-detect_1.4.0_linux_amd64.deb Link |
log4j-detect_1.4.0_linux_arm64.deb Link |
| Linux | Linux | rpm | log4j-detect_1.4.0_linux_amd64.rpm Link |
log4j-detect_1.4.0_linux_arm64.rpm Link |
Download
Please get the file.
As I am not up to looking at the source code, I will not be using git tools to download the repository.
I just need to fetch the released package.
I am on MS Windows and between amd64 and arm64, I know I have IntelAMD CPU.
Extract
Going with log4j-detect-1.4.0-windows-amd64.zip.
Extracted the compressed package and arrived at log4j-detect.exe.
Usage
Here we go analyzing our java folder.
Syntax
log4j-detect.exe scan -d <folder>
Sample
Sample – 2.14.1
Command
log4j-detect.exe scan -d c:\java\helloLog4j\v2.14.1
Output
Output – Image
Output – Text
Scanning C:\java\helloLog4J\sourceCode\v2.14.1 for vulnerabilities...
Vulnerable Files:
C:\java\helloLog4J\sourceCode\v2.14.1\lib\log4j\log4j-core-2.14.1.jar Vulnerable
One or more of your projects contain the log4j CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832 exploit.
Remediation Steps:
* Upgrade to version org.apache.logging.log4j:log4j-core:2.17.1
Learn more about the vulnerability and it's remediation:
https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cveFiles-2021-44228/
©WhiteSource
>
Explanation
- Vulnerable Files
- log4j-core-2.14.1.jar
- Vulnerability
- log4j CVE-2021-44228/CVE-2021-45046/CVE-2021-45105/CVE-2021-44832 exploit
- Remediation
- Upgrade to version org.apache.logging.log4j:log4j-core:2.17.1
Sample – 2.17.1
Command
log4j-detect.exe scan -d c:javahelloLog4jv2.17.1
Output
Output – Image
Output – Text
Scanning C:javahelloLog4JsourceCodev2.14.1 for vulnerabilities...</pre> No vulnerabilities were detected
Explanation
- Vulnerability
- None
- Remediation
- N/A
Summary
WhiteSource has a lot going for it.
For instance:-
- Cross-Platform
- Written in the Go Language
- Installation
- Clean Install
- No Install
Learning in the Open 