
.jar Files not being fixed with --fix parameter #143

Closed
latency0ms opened this issue Dec 18, 2021 · 15 comments
Labels: enhancement (New feature or request), patch released

Comments

@latency0ms

Using the --fix parameter is not working for the .jar file below:

C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar 1.2.17 POTENTIALLY_VULNERABLE

The output of log4j2-scan.exe (Ver. 2.2.0) looks like this:

C:\Temp\Logpresso\logpresso-log4j2-scan-2.2.0-win64>log4j2-scan.exe --fix "C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar"
Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.0 (2021-12-18)
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
Scanning directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Fixed 0 vulnerable files
Completed in 0.00 seconds

Every hint is highly appreciated.

Thank you.

@xeraph
Contributor

xeraph commented Dec 18, 2021

@latency0ms The --fix option does not support log4j1 and logback fixes yet (only log4j2). It will be addressed soon.

@xeraph xeraph self-assigned this Dec 18, 2021
@xeraph xeraph added the enhancement New feature or request label Dec 18, 2021
@latency0ms
Author

Got that @xeraph, thanks for your feedback! Can you approximate the time horizon of the release?

@xeraph
Contributor

xeraph commented Dec 18, 2021

@latency0ms The implementation itself does not take time. I just can't ensure it is safe to remove JMSAppender and SocketServer. Anyway, I will release in 4 hours.

@latency0ms
Author

Just I can't ensure it is safe to remove JMSAppender and SocketServer

What does that mean?

@xeraph
Contributor

xeraph commented Dec 18, 2021

@latency0ms Try v2.2.2 release. Make sure your application doesn't use JMS (Java Message Service) or Socket logging feature.

@latency0ms
Author

Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
Scanning directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar
[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar, log4j 1.2.17

Fixed: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 1 potentially vulnerable files
Found 0 mitigated files
Fixed 1 vulnerable log4j2 files and potentially vulnerable log4j1 files
Completed in 0.64 seconds

This worked, could this lead to side effects? What exactly is being performed with --scan-log4j1 --fix?

@xeraph
Contributor

xeraph commented Dec 18, 2021

@latency0ms If SQL Server uses the JMS or socket logging feature, it can be damaged. In most cases, the JMS or socket server feature is not used. However, you should use this option at your own risk. I can't figure out all the software configurations in the world.
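What the thread says --fix does at the jar level (remove JndiLookup.class from log4j2-core, and JMSAppender and SocketServer from log4j 1.2), shown as an added Python illustration that is not Logpresso's code: it builds a constructed sample jar with placeholder entries, classifies it, strips the risky entries the way a mitigation pass would, and re-classifies the result as mitigated. The class paths are the standard log4j package locations; the scanner's own detection and fix logic may differ in detail.

```python
import io
import zipfile

# Entries the thread describes as removed by --fix: JndiLookup for log4j 2.x
# (CVE-2021-44228), JMSAppender and SocketServer for log4j 1.2 (CVE-2021-4104).
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_RISKY = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)
MARKERS = (LOG4J2_JNDI,) + LOG4J1_RISKY


def classify(jar_bytes):
    """Return (family, mitigated): family is 'log4j2', 'log4j1' or 'none'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        return "log4j2", LOG4J2_JNDI not in names
    if any(n.startswith("org/apache/log4j/") for n in names):
        return "log4j1", not any(n in names for n in LOG4J1_RISKY)
    return "none", True


def strip_jar(jar_bytes, remove=MARKERS):
    """Rewrite the jar without the marker entries; returns (new_bytes, removed)."""
    out = io.BytesIO()
    removed = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in remove:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))  # keep other entries as-is
    return out.getvalue(), removed


def make_sample_jar(entries):
    """Constructed sample jar: entry names only, bodies are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"placeholder, not real bytecode")
    return buf.getvalue()


# Constructed stand-in for a log4j-1.2.x jar that still ships the risky classes.
LOG4J1_SAMPLE = make_sample_jar(["META-INF/MANIFEST.MF",
                                 "org/apache/log4j/Logger.class"] + list(LOG4J1_RISKY))
```

On the constructed jar, classify() reports log4j1 and not mitigated; after strip_jar() it reports mitigated, which is the state the scanner prints as "(mitigated)".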

@latency0ms
Author

After --fix has been applied, a new scan shows no mitigation note (mitigated)

Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
Scanning drives: C:\


Scanned 75461 directories and 312990 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 98.31 seconds

@xeraph
Contributor

xeraph commented Dec 18, 2021

@latency0ms Would you test v2.3.0 release?

@latency0ms
Author

latency0ms commented Dec 18, 2021

Now I can see the number of mitigated files in the summary:

Scanned 82579 directories and 430063 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 8 mitigated files

But not in the file itself:

[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files (x86)\DocFetcher\lib\log4j-1.2.17.jar, log4j 1.2.17
vs.
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in C:\Program Files (x86)\sqldeveloper-18.3.0.277.2354-x64\sqldeveloper\sqldeveloper\lib\log4j-core.jar, log4j 2.9.1 (mitigated)

@xeraph
Contributor

xeraph commented Dec 18, 2021

@latency0ms Oh, thank you for reporting. I will fix it too.

@xeraph
Contributor

xeraph commented Dec 18, 2021

@latency0ms I feel sorry for the repeated request. Would you test v2.3.1?

@latency0ms
Author

latency0ms commented Dec 18, 2021

@latency0ms I feel sorry for the repeated request. Would you test v2.3.1?

Sure thing. Thanks for providing this great scanner; it really helps me a lot. I'm now writing an automation to scan our entire server farm.

Output looks good:

[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files (x86)\DocFetcher\lib\log4j-1.2.17.jar, log4j 1.2.17 (mitigated)

@ama1975

ama1975 commented Dec 18, 2021

Dear @xeraph, after reading this thread I installed the latest 2.3.1 version and tried to patch my log4j-1.2.15.jar inside tomcat8; however, it ran without fixing/changing anything. What did I do wrong?

~/log4j-scanner# ./log4j2-scan --fix /
Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.1 (2021-12-19)
...
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Fixed 0 vulnerable log4j2 files and potentially vulnerable log4j1 files
Completed in 4.19 seconds

@latency0ms
Author

Use: ./log4j2-scan --scan-log4j1 --fix

@xeraph xeraph closed this as completed Dec 19, 2021