Failing to detect nested log4j 2.12.1 in scanner versions >= 2.3.0 #198

Closed
adammike opened this issue Dec 22, 2021 · 7 comments
One of my users came to me after they discovered that a recent version of the scanner no longer detected a vulnerable file with a nested log4j 2.12.1.

I took the time to write a test suite, and ran it against all of the releases in this repo. Versions up to release 2.2.2 correctly identify this jar as vulnerable, versions 2.3.0 and higher do not catch it.

Release 2.5.3:

» java -jar scanner/v2.5.3/jar/logpresso-log4j2-scan-2.5.3.jar --trace --debug ./nested-log4j-2.12.1-ingoperations
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: ./nested-log4j-2.12.1-ingoperations
Scanning directory: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations
Scanning file: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/ingoperations.jar

Scanned 1 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.01 seconds

Release 2.2.2:

» java -jar scanner/v2.2.2/jar/logpresso-log4j2-scan-2.2.2.jar --trace --debug ./nested-log4j-2.12.1-ingoperations
Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
Scanning directory: ./nested-log4j-2.12.1-ingoperations
Scanning directory: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations
Scanning file: /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/ingoperations.jar
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/ingoperations.jar (BOOT-INF/lib/log4j-core-2.12.1.jar), log4j 2.12.1

Scanned 1 directories and 1 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.55 seconds

Here's the relevant bit from jar tvf:

» jar tvf ingoperations.jar | grep -i log4j
   406 Thu Jun 11 12:39:42 PDT 2020 BOOT-INF/lib/spring-boot-starter-log4j2-2.2.8.RELEASE.jar
 23518 Tue Aug 06 20:47:38 PDT 2019 BOOT-INF/lib/log4j-slf4j-impl-2.12.1.jar
276771 Tue Aug 06 20:43:52 PDT 2019 BOOT-INF/lib/log4j-api-2.12.1.jar
1674433 Tue Aug 06 20:45:42 PDT 2019 BOOT-INF/lib/log4j-core-2.12.1.jar

If I expand the jar file, log4j gets detected:

Release 2.5.3:

» java -jar scanner/v2.5.3/jar/logpresso-log4j2-scan-2.5.3.jar ./nested-log4j-2.12.1-ingoperations/expanded
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: ./nested-log4j-2.12.1-ingoperations/expanded
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/expanded/BOOT-INF/lib/log4j-core-2.12.1.jar, log4j 2.12.1

Scanned 20 directories and 136 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.52 seconds

Release 2.2.2:

» java -jar scanner/v2.2.2/jar/logpresso-log4j2-scan-2.2.2.jar ./nested-log4j-2.12.1-ingoperations/expanded
Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
Scanning directory: ./nested-log4j-2.12.1-ingoperations/expanded
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/mike.adams/code/cve-2021-44228-scanner-tests/test_artifacts/./nested-log4j-2.12.1-ingoperations/expanded/BOOT-INF/lib/log4j-core-2.12.1.jar, log4j 2.12.1

Scanned 20 directories and 136 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.08 seconds
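The regression above is about descending into archives inside an archive (BOOT-INF/lib/log4j-core-2.12.1.jar inside ingoperations.jar). The following added check, which is not the Logpresso scanner's code and not part of this report, shows the nested-archive walk a scanner needs: it reads a jar as a zip, recurses into every entry that is itself an archive, flags any log4j-core jar by file name, and records whether JndiLookup.class is still present. The sample fat jar it scans is constructed in memory to mirror the jar tvf listing above; the class bytes in it are placeholders.

```python
import io
import re
import zipfile

# Archive extensions worth descending into; nesting depth is not capped here.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Matches a log4j-core jar by file name and captures its version string.
LOG4J_CORE_RE = re.compile(r"(^|/)log4j-core-(\d+(?:\.\d+)+)\.jar$")
# Its presence distinguishes an untouched log4j-core from one with the class removed.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_bytes(data, path):
    """Walk a zip held in memory, descending into nested archives.
    Returns [(nested path, version, JndiLookup present)] for each log4j-core jar."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a zip (or corrupt): nothing to descend into
    with zf:
        names = zf.namelist()
        match = LOG4J_CORE_RE.search(path)
        if match:
            findings.append((path, match.group(2), JNDI_LOOKUP in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_bytes(zf.read(name), path + " > " + name))
    return findings

def scan_file(filename):
    """Scan an archive on disk, reporting nested paths in 'outer > inner' form."""
    with open(filename, "rb") as f:
        return scan_bytes(f.read(), filename)

def make_jar(entries):
    """Build a zip in memory from {entry name: bytes}; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_fat_jar():
    """Constructed stand-in for ingoperations.jar: Spring Boot layout, log4j-core under BOOT-INF/lib."""
    core = make_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    api = make_jar({"org/apache/logging/log4j/Logger.class": b"\xca\xfe\xba\xbe"})
    return make_jar({"BOOT-INF/lib/log4j-core-2.12.1.jar": core,
                     "BOOT-INF/lib/log4j-api-2.12.1.jar": api,
                     "BOOT-INF/classes/application.properties": b"server.port=8080\n"})
```

scan_bytes(sample_fat_jar(), "ingoperations.jar") reports the nested log4j-core 2.12.1 with JndiLookup present, while scan_file("ingoperations.jar") runs the same walk against a jar on disk.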

xeraph commented Dec 22, 2021

@adammike Thank you for the detailed regression test and your effort. Would you compress the ingoperations.jar file with password protection, upload the zip (i.e. zipped JAR) here, and send the password to me? (since my gmail doesn't allow executable binaries)
xeraph (at) logpresso.com

My test output:

D:\github\CVE-2021-44228-Scanner>log4j2-scan --scan-zip D:\tmp\n
Logpresso CVE-2021-44228 Vulnerability Scanner 2.5.3 (2021-12-22)
Scanning directory: D:\tmp\n
[*] Found CVE-2021-45046 (log4j 2.x) vulnerability in D:\tmp\n\apache-log4j-2.15.0-bin-2depth.zip (apache-log4j-2.15.0-bin-1depth.zip > apache-log4j-2.15.0-bin/log4j-core-2.15.0.jar), log4j 2.15.0
[*] Found CVE-2021-45046 (log4j 2.x) vulnerability in D:\tmp\n\apache-log4j-2.15.0-bin-2depth.zip (apache-log4j-2.15.0-bin-1depth.zip > apache-log4j-2.15.0-bin/log4j-core-2.15.0-sources.jar), log4j 2.15.0 (mitigated)
[*] Found CVE-2021-45046 (log4j 2.x) vulnerability in D:\tmp\n\apache-log4j-2.15.0-bin-2depth.zip (apache-log4j-2.15.0-bin-1depth.zip > apache-log4j-2.15.0-bin/log4j-core-2.15.0-tests.jar), log4j 2.15.0 (mitigated)
[?] Found CVE-2021-44228 (log4j 2.x) vulnerability in D:\tmp\n\log4j-core-2.14.1-2depth.zip (log4j-core-2.14.1-1depth.zip > log4j-core-2.14.1.jar), log4j N/A

@xeraph xeraph self-assigned this Dec 22, 2021
@xeraph xeraph added the discussion question or suggestion label Dec 22, 2021

xeraph commented Dec 22, 2021

adammike (Author):

Ah, that's great news. Thanks, @xeraph


xeraph commented Dec 22, 2021

@adammike Fixed in v2.6.0 release. Would you test it?

@xeraph xeraph added patch released enhancement New feature or request labels Dec 22, 2021
kleinski:

The log4j-scanner binary files and the .jar have now become much larger than before. Is there a way to get them smaller again?

And thank you btw for your really good work, @xeraph !

adammike (Author):

Ran my test suite against this version and it passed every single test. Bravo!


xeraph commented Dec 23, 2021

@adammike Thank you for sharing the file again. The file was crucial for debugging. :D

@xeraph xeraph closed this as completed Dec 23, 2021