Log4j Vulnerability Scanner for Windows

Overview

THIS SCRIPT IS PROVIDED TO YOU "AS IS." TO THE EXTENT PERMITTED BY LAW, QUALYS HEREBY DISCLAIMS ALL WARRANTIES AND LIABILITY FOR THE PROVISION OR USE OF THIS SCRIPT. IN NO EVENT SHALL THESE SCRIPTS BE DEEMED TO BE CLOUD SERVICES AS PROVIDED BY QUALYS

Direct Download Link (Log4jScanner & Log4jRemediate)

https://github.com/Qualys/log4jscanwin/releases/download/2.1.2.0/Log4jScannerRemediate-2.1.2.0.zip

Log4jScanner

Description

The Log4jScanner.exe utility helps detect the CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 vulnerabilities. It scans the entire hard drive(s), including archives and nested JARs, for the Java class that indicates a Java application contains a vulnerable log4j library, and writes its results to the console.

Qualys has added the following new QIDs, which look for the results of this scan and mark the asset as vulnerable if a vulnerable log4j library was found.

  • (376160) CVE-2021-44228
  • (376193) CVE-2021-45046
  • (376195) CVE-2021-45105
  • (376210) CVE-2021-44832
  • (45515) Information Gathering: the Log4j Scan Utility was run on the host

Qualys customers should run the following from an elevated command prompt on any asset they want to scan:

Log4jScanner.exe /scan /report_sig

Usage

/scan
  Scan local drives for vulnerable files used by various Java applications.
/scan_network
  Scan network drives for vulnerable files used by various Java applications.
/scan_directory "C:\Some\Path"
  Scan a specific directory for vulnerable files used by various Java applications.
/scan_file "C:\Some\Path\Some.jar"
  Scan a specific file for supported CVE(s).
/scaninclmountpoints
  Scan local drives including mount points for vulnerable files used by various Java applications.
/exclude_drive "C:\"
  Exclude a drive from the scan.
/exclude_directory "C:\Some\Path"
  Exclude a directory from a scan.
/exclude_file "C:\Some\Path\Some.jar"
  Exclude a file from a scan.
/knownTarExtension ".tar"
/knownGZipTarExtension ".tgz"
/knownBZipTarExtension ".tbz"
/knownZipExtension ".jar"
  Add additional file type extensions to the scanner.
/report
  Generate a JSON report of possible detections of supported CVE(s).
/report_pretty
  Generate a human readable JSON report of possible detections of supported CVE(s).
/report_sig
  Generate a signature report of possible detections of supported CVE(s).
/lowpriority
  Lowers the execution and I/O priority of the scanner.
/help
  Displays this help page.

Sample Usage (from an elevated command prompt) - The following command scans local drives for vulnerable JAR, WAR, EAR, and ZIP files.

Log4jScanner.exe /scan

Sample Usage (from an elevated command prompt) - The following command scans local drives for vulnerable files and writes a signature report to C:\ProgramData\Qualys.

Log4jScanner.exe /scan /report_sig

Output - The following output shows the detections reported by a scan:

D:\Temp>Log4jScanner.exe /scan /exclude_directory C:\ /knownZipExtension .ZZZ
Qualys Log4j Vulnerability Scanner 2.1.1.0
https://www.qualys.com/
Dependencies: minizip/1.1 zlib/1.2.11, bzip2/1.0.8
Supported CVE(s): CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105

Known TAR Extensions            : .tar
Known GZIP TAR Extensions       : .tgz, .tar.gz
Known BZIP TAR Extensions       : .tbz, .tbz2, .tar.bz, .tar.bz2
Known ZIP Extensions            : .zip, .jar, .war, .ear, .par, .kar, .sar, .rar, .jpi, .hpi, .apk, .ZZZ
Excluding Directories:
        C:\


Scanning Local Drives...
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\arara.jar' ( Manifest Vendor: Unknown, Manifest Version: 6.1.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\arara.signed.jar' ( Manifest Vendor: Unknown, Manifest Version: 6.1.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\bad_jar_in_jar.jar!vuln-class.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\bad_jar_in_jar_in_jar.jar!bad_jar_in_jar.jar!vuln-class.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\bad_jar_with_invalid_jar.jar!vuln-class.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\good_jar_in_jar.jar!safe1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\good_jar_in_jar_in_jar.jar!good_jar_in_jar.jar!safe1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\good_jar_with_invalid_jar.jar!safe1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.1.jar' ( Manifest Vendor: org.apache, Manifest Version: 2.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.12.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.12.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.12.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.14.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.15.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.15.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.15.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\log4j-core-2.16.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.16.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.16.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: NOT Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\safe1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\safe1.signed.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\similarbutnotvuln.jar' ( Manifest Vendor: org.apache, Manifest Version: 2.1, JNDI Class: NOT Found, Log4j Vendor: log4j-core, Log4j Version: 2.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: NOT Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Src\Projects\log4jscanner\jar\testdata\vuln-class.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: NOT Found, Log4j Vendor: log4j-jcl, Log4j Version: 2.14.0, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-1.1.3.zip!jakarta-log4j-1.1.3/dist/lib/log4j-core.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.1.3, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.1.3, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-1.1.3.zip!jakarta-log4j-1.1.3/dist/lib/log4j.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.1.3, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.1.3, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-1.1.3.zip' ( Manifest Vendor: , Manifest Version: , JNDI Class: NOT Found, Log4j Vendor: Unknown, Log4j Version: Unknown, CVE Status: N/A )
Log4j Found: 'D:\Temp\log4j-1.2.17.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )
Log4j Found: 'D:\Temp\log4j-1.2.17.zip!apache-log4j-1.2.17/log4j-1.2.17.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )
Log4j Found: 'D:\Temp\log4j-1.2.17.zip' ( Manifest Vendor: , Manifest Version: , JNDI Class: NOT Found, Log4j Vendor: Unknown, Log4j Version: Unknown, CVE Status: N/A )
Log4j Found: 'D:\Temp\log4j-1.2.9.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.9, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.9, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )
Log4j Found: 'D:\Temp\log4j-1.2.9.zip!logging-log4j-1.2.9/dist/lib/log4j-1.2.9.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.9, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.9, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )
Log4j Found: 'D:\Temp\log4j-1.2.9.zip' ( Manifest Vendor: , Manifest Version: , JNDI Class: NOT Found, Log4j Vendor: Unknown, Log4j Version: Unknown, CVE Status: N/A )
Log4j Found: 'D:\Temp\log4j-api-2.16.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.16.0, JNDI Class: NOT Found, Log4j Vendor: log4j-api, Log4j Version: 2.16.0, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-core-2.11.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.11.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.11.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.12.4.jar' ( Manifest Vendor: log4j, Manifest Version: 2.12.4, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.12.4, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-core-2.14.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.15.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.15.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.15.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.15.0.ZZZ' ( Manifest Vendor: log4j, Manifest Version: 2.15.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.15.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.16.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.16.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.16.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: NOT Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.17.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.17.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.17.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: NOT Found CVE-2021-44832: Found CVE-2021-45046: NOT Found CVE-2021-45105: NOT Found ) )
Log4j Found: 'D:\Temp\log4j-core-2.17.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.17.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.17.1, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-core-2.3.2.jar' ( Manifest Vendor: org.apache, Manifest Version: 2.3.2, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.3.2, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-core.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.1.3, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.1.3, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j-iostreams-2.15.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.15.0, JNDI Class: NOT Found, Log4j Vendor: log4j-iostreams, Log4j Version: 2.15.0, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\log4j.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.1.3, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.1.3, CVE Status: Mitigated )
Log4j Found: 'D:\Temp\org.apache.log4j_1.2.15.v201012070815.jar' ( Manifest Vendor: %PLUGIN_PROVIDER, Manifest Version: 1.2.15.v201012070815, JNDI Class: NOT Found, Log4j Vendor: Unknown, Log4j Version: Unknown, CVE Status: N/A )
Log4j Found: 'D:\Temp\Sample3.zip!Sample1.jar' ( Manifest Vendor: Unknown, Manifest Version: 7.5.2, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.11.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\Sample3.zip!Sample2.jar' ( Manifest Vendor: Unknown, Manifest Version: 7.5.2, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.11.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\昆虫\log4j-core-2.11.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.11.1, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.11.1, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )
Log4j Found: 'D:\Temp\昆虫\log4j-core-2.14.0.jar' ( Manifest Vendor: log4j, Manifest Version: 2.14.0, JNDI Class: Found, Log4j Vendor: log4j-core, Log4j Version: 2.14.0, CVE Status: Potentially Vulnerable ( CVE-2021-44228: Found CVE-2021-44832: Found CVE-2021-45046: Found CVE-2021-45105: Found ) )

Scan Summary:
        Scan Date:                       2022-01-10T10:05:18-0800
        Scan Duration:                   9 Seconds
        Scan Error Count:                1
        Scan Status:                     Partially Successful
        Files Scanned:                   184889
        Directories Scanned:             30159
        Compressed File(s) Scanned:      96
        JAR(s) Scanned:                  50
        WAR(s) Scanned:                  0
        EAR(s) Scanned:                  0
        TAR(s) Scanned:                  2
        Vulnerabilities Found:           22

Log4jRemediate

Description

The Log4jRemediate.exe utility helps mitigate the CVE-2021-44228 and CVE-2021-45046 vulnerabilities. It removes JndiLookup.class from vulnerable log4j core libraries (including archives and nested JARs) and writes its results to the console.

Users should run the following from an elevated command prompt on any asset where they want to mitigate the vulnerability:

Log4jRemediate.exe /remediate_sig
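The core logic of both utilities, as an added Python example that is not code from the Qualys project (the tools themselves are C++): it walks an archive and its nested JARs, classifies each log4j artifact against the covered CVEs by version and by whether JndiLookup.class is present, and rewrites a JAR without that class. It takes artifactId and version from META-INF/maven/*/pom.properties, which is an assumption about how the tool derives "Log4j Vendor" and "Log4j Version"; the sample JARs are constructed in memory and the fix versions are Apache's published ones.

```python
"""Detect log4j artifacts in (nested) archives, classify them against the covered CVEs, and strip JndiLookup.class."""
import io
import itertools
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_RE = re.compile(r"^META-INF/maven/[^/]+/(?P<artifact>[^/]+)/pom\.properties$")
ARCHIVE_EXT = (".zip", ".jar", ".war", ".ear")

# log4j-core 2.x: (mainline fix version, backported fix versions on older branches).
LOG4J2_FIXES = {
    "CVE-2021-44228": ((2, 15, 0), [(2, 12, 2), (2, 3, 1)]),
    "CVE-2021-45046": ((2, 16, 0), [(2, 12, 2), (2, 3, 1)]),
    "CVE-2021-45105": ((2, 17, 0), [(2, 12, 3), (2, 3, 1)]),
    "CVE-2021-44832": ((2, 17, 1), [(2, 12, 4), (2, 3, 2)]),
}

def parse_version(text):
    """'2.12.4' -> (2, 12, 4); parsing stops at a non-numeric part such as '0-beta9'."""
    return tuple(int(p) for p in itertools.takewhile(str.isdigit, text.split(".")))

def _fixed(ver, fix, backports):
    """True if ver is at/after the mainline fix, or at/after a backport on its own branch."""
    return ver >= fix or any(ver[:2] == bp[:2] and ver >= bp for bp in backports)

def cve_status(artifact, version, jndi_present):
    """CVEs a log4j artifact is potentially affected by; an empty list means mitigated."""
    ver = parse_version(version)
    found = []
    if artifact == "log4j-core":
        for cve, (fix, backports) in LOG4J2_FIXES.items():
            if _fixed(ver, fix, backports):
                continue
            # The two JNDI CVEs need JndiLookup.class; with it removed they count as mitigated.
            if cve in ("CVE-2021-44228", "CVE-2021-45046") and not jndi_present:
                continue
            found.append(cve)
    elif artifact == "log4j" and ver[:2] == (1, 2):
        found.append("CVE-2021-4104")  # JMSAppender in log4j 1.2.x
    return found

def scan_archive(data, path, findings=None):
    """Recursively inspect archive bytes; nested members are reported as 'outer!inner'."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # unreadable member: skip it (the tool counts these as scan errors)
    names = zf.namelist()
    artifact = version = None
    for name in names:
        m = POM_RE.match(name)
        if m:  # assumption: artifact identity comes from the Maven pom.properties
            text = zf.read(name).decode("utf-8", "replace")
            props = dict(l.partition("=")[::2] for l in text.splitlines()
                         if "=" in l and not l.startswith("#"))
            artifact, version = m.group("artifact"), props.get("version", "").strip()
    jndi = JNDI_CLASS in names
    if artifact:
        findings.append({"path": path, "artifact": artifact, "version": version,
                         "jndi_class": jndi, "cves": cve_status(artifact, version, jndi)})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            scan_archive(zf.read(name), f"{path}!{name}", findings)
    return findings

def remove_jndi_lookup(data):
    """Rewrite JAR bytes without JndiLookup.class (the mitigation for CVE-2021-44228/45046)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def build_test_jar(artifact, version, with_jndi=True, group="org.apache.logging.log4j"):
    """Constructed sample JAR: a pom.properties plus, optionally, a stand-in JNDI class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"#constructed sample\nversion={version}\nartifactId={artifact}\n")
        if with_jndi:  # class-file magic only, not real bytecode
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_nested_sample():
    """Constructed outer ZIP wrapping a log4j-core 2.14.1 JAR (the nested-JAR case)."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("lib/log4j-core-2.14.1.jar", build_test_jar("log4j-core", "2.14.1"))
    return outer.getvalue()

if __name__ == "__main__":
    for f in scan_archive(build_nested_sample(), r"C:\Temp\app.zip"):
        print(f"Log4j Found: '{f['path']}' ( Log4j Vendor: {f['artifact']}, Log4j Version: "
              f"{f['version']}, JNDI Class: {'Found' if f['jndi_class'] else 'NOT Found'}, "
              f"CVE Status: {' '.join(f['cves']) or 'Mitigated'} )")
```

Run as a script it prints one line per finding in the shape of the scanner's console output; running remove_jndi_lookup over a finding and scanning the result again shows the two JNDI CVEs drop off while the version-only CVEs remain.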

Prerequisites

  1. Log4jRemediate.exe mitigates the vulnerable files listed in the report created by the Log4jScanner.exe utility. Therefore, Log4jScanner.exe has to be run with the following from an elevated command prompt before the remediation utility:

    Log4jScanner.exe /scan /report_sig

  2. Shut down running JVM processes before running the utility; they can be started again after the utility completes.
  3. If required, back up copies of the vulnerable libraries reported by Log4jScanner.exe in %ProgramData%\Qualys\log4j_findings.out.

Usage

/remediate_sig
  Remove JndiLookup.class from the JAR, WAR, EAR, and ZIP files detected by the scanner utility.
/report
  Generate a JSON report of the mitigations applied for supported CVE(s).
/report_pretty
  Generate a human readable JSON report of the mitigations applied for supported CVE(s).

Sample Usage (from an elevated command prompt) - The following command mitigates the vulnerable JAR, WAR, EAR, and ZIP files detected by the scanner utility.

Log4jRemediate.exe /remediate_sig

Output - The following output shows a remediation run:

Remediation start time : 2022-01-03T11:04:52+0530
Processing file: C:\log4j-core-2.15.0\log4j-core-2.15.0.jar
Copied fixed file: C:\log4j-core-2.15.0\log4j-core-2.15.0.jar
Fixed file: C:\log4j-core-2.15.0\log4j-core-2.15.0.jar
Remediation end time : 2022-01-03T11:04:54+0530

Run status : Success
Result file location : C:\ProgramData\Qualys\log4j_remediate.out

Comments
  • QID 376160, QID 376195, and QID 376193 still not being picked up by the Qualys Agent

    Can we get an up on the Agent picking up QID 376160, QID 376195, and QID 376193?

    We just ran another scan and Qualys did not pick up the stand-alone scanner output from the host.

    Thank you.

    opened by surbo 12
  • QID 376160 not logged in Qualys console

    Hello Qualys team,

    We performed some Log4jScanner.exe /scan /report_sig with LOG4J vulnerable detections but after running Qualys agent scans, in the console, I do not have QID 376160 listed despite detections from the utility.

    Any recommendations?

    Thank you

    opened by ufxl070 11
  • MS Defender blocks 'Serious threat' when running log4jscanwin

    Hello, Your tool is triggering AVs. I tried looking through your code but could not find anything suspicious at a glance, therefore this submission. What it finds is the following. It says: Serious threat, blocked and removed.

    Hope it helps.

    opened by hitem 9
  • Out Of Memory (C++ Exception)

    I have multiple PCs that are throwing this. I had been using 1.2.19.0. I tried with 2.0.2.4 and get the same results. I've run it both with and without /lowpriority. I restarted the PC before running. No .OUT file is created. I've saved the minidump file, if it is needed.

    PC Info per WMIC:

    Model                 TotalPhysicalMemory
    Precision 3650 Tower  34067255296

    DeviceID  DriveType  FreeSpace     ProviderName  Size           VolumeName
    C:        3          885631496192                1021365448704  OS

    STATUS.TXT

    Scan Start: 2022-01-06T04:53:57-0500
    Run status : Failed

    Unhandled Exception Detected - Reason: Out Of Memory (C++ Exception) (0xe06d7363) at address 0x00007FF9C24B4F69

    Creating minidump file C:\ITSTemp\01062022501400153.mdmp with crash details.

    opened by JKFischer 8
  • Ran New Scan Still No Detections For QID 376160

    Hello,

    This is the same as the previous issue. We ran the new version of the scan and we still see no detections on QID 376160 despite output files being present listing vulnerable log4j.

    opened by MilesinCSAA 6
  • Scan Results Not getting saved

    When we run this scanner locally, it automatically closes after completion. Therefore, we are not able to view/save results. Can someone confirm where these results are stored?

    opened by varunc85 5
  • Add detection for CVE-2021-4104?

    Can coverage for CVE-2021-4104 be added to this script? That would force a detection for old 1.x log4j versions which weren't vulnerable to the previous CVEs. I suppose there should technically be a different QID issued for that too, but one hasn't yet been announced...

    opened by johnmccash 4
  • log4jscanwin utility is not compatible with 64 bit

    Hi Qualys Team,

    The log4jscanwin utility is not compatible with Win 64-bit. I ran it on W10 64-bit:

    C:<>\log4jscanwin-master\log4jscanwin-master>Log4jScanner.exe /scan /report_sig
    This version of C:\Rajesh\log4jscanwin-master\log4jscanwin-master\Log4jScanner.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

    Thanks,

    opened by Rajeshbhard84 4
  • Scan finds issue - remediate finds none

    Please help me see why:

    Scan finds vulnerabilities, but remediate shows nothing.

    Log4jScanner.exe /scan /report_sig
    scanEngine: 2.1.2.0
    scanHostname: Lenovo056.domain.com
    scanDate: 2022-01-11T17:26:42-0500
    scanDurationSeconds: 101
    scanErrorCount: 47
    scanStatus: Partially Successful
    scanFiles: 539795
    scannedDirectories: 187017
    scannedCompressed: 1332
    scannedJARS: 530
    scannedWARS: 0
    scannedEARS: 0
    scannedTARS: 1
    .........
    vulnerabilitiesFound: 7

    REMEDIATE command results in an empty log4j_remediate.out and no remediated files reported. Please help me see why I'm not able to remediate found vulnerable files.

    Log4jRemediate.exe /remediate_sig
    Remediation start time : 2022-01-11T17:34:17-0500
    Remediation end time : 2022-01-11T17:34:17-0500
    Run status : Success
    Result file location : C:\ProgramData\Qualys\log4j_remediate.out

    opened by danfoxley 3
  • Commit https://github.com/Qualys/log4jscanwin/commit/d7b27613f717027e244498892cc530f754560c0c breaks the /lowpriority switch on 64-bit systems.

    With version 2.0.2.4 the Log4jscanner process is running under below normal CPU priority, which is fine, but I/O priority is normal (you can check easily with Sysinternals Process Explorer) on 64-bit systems. Before this change CPU was running with low priority and I/O with very low on 64-bit systems.

    I see this change was made to support 32-bit systems. Currently every 32-bit Windows Server operating system is out of support, but Win7 and 32-bit Windows 10 are still supported. Pull request #37 fixes this.

    I'm also sure reports won't be written on some 32-bit operating systems (Windows 2003 and WinXP) because system variable %PROGRAMDATA% is not supported/available on these operating systems https://github.com/Qualys/log4jscanwin/blob/1b48c17773d23220df6928c2c405bf358c1c4009/Utils.h#L15

    opened by nagten 2
  • Getting errors when running with /report_sig

    C:\Users\Administrator\Downloads\Log4jScanner-1.2.18\Log4jScanner\x64>Log4jScanner.exe /scan /report_sig
    Scan start time : 2021-12-31T01:45:20-0800
    Scan end time : 2021-12-31T01:45:45-0800
    Run status : Partially Successful
    Result file location : C:\ProgramData\Qualys\log4j_findings.out
    Errors :
    Failed to process directory 'C:\ProgramData\Microsoft\Diagnosis\FeedbackHub' (rv: 5)
    Failed to process directory 'C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage' (rv: 5)
    Failed to process directory 'C:\ProgramData\Microsoft\Windows\SystemData' (rv: 5)
    Failed to process directory 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cache' (rv: 5)
    Failed to process directory 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber' (rv: 5)
    Failed to process directory 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Trace' (rv: 5)
    Failed to process directory 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection' (rv: 5)
    Failed to process directory 'C:\System Volume Information' (rv: 5)
    Failed to process directory 'C:\Windows\System32\LogFiles\WMI\RtBackup' (rv: 5)

    opened by uday952 2
  • Unable to parse signature report C:\ProgramData\Qualys\log4j_findings.out: The data is invalid.

    No matter how I generate the report, I keep getting this "data is invalid" when using the remediation tool. I'm not sure what I could be doing wrong?

    Report generation is log4jscanner.exe /scan /report_sig

    opened by t-domanski-sp 0
  • report_pretty switch shows nothing regardless of the scan results

    Hello, Great scanner, but I have noticed that /report_pretty switch shows nothing regardless of the scan results in Log4jScanner version 2.1.3.0. Log4jScanner.exe /scan /report works as expected and shows report in JSON. Log4jScanner.exe /scan /report_pretty shows nothing.

    opened by markfi76 0
  • exclude multiple directories from scan

    Excluding a single directory from the scan works fine with the command below:

    Log4jScanner.exe /scan /exclude_directory "C:\$Recycle.Bin\"

    However, when I try to exclude multiple directories from the scan, it fails:

    Log4jScanner.exe /scan /exclude_directory "C:\$Recycle.Bin\" /exclude_directory "C:\Users\"

    In the latter case, the C:\$Recycle.Bin\ directory is being scanned again as well as the C:\Users\ directory. It would be very helpful to exclude multiple directories from the scan as the recycle bin from different volumes would need to be excluded as well as the users home directories.

    Thanks in advance!

    opened by stefanw138 0
  • Agent not picking up log4j_findings.out

    For the last 3 days the Qualys agent has not been picking up the .out file the log4jscanwin scan produces. I also noticed this started as soon as Qualys added a new enhanced feature. Any changes made to the code or anything else to cause this issue? https://notifications.qualys.com/product/2022/01/14/upcoming-enhancements-to-log4j-qids

    opened by jonpull 1
  • Issue with a false positive on log4j-1.2-api-2.17.1.jar files

    Would it be possible to exclude the file log4j-1.2-api-2.17.1.jar as vulnerable to CVE-2021-4104? I believe it is being flagged because of "log4j-1.2" but this file is in the latest version of Log4j.

    Here is the output message: Log4j Found: 'C:\Program Files (x86)*\log4j-1.2-api-2.17.1.jar' ( Manifest Vendor: log4j, Manifest Version: 2.17.1, JNDI Class: NOT Found, Log4j Vendor: log4j-1.2-api, Log4j Version: 2.17.1, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )

    Thanks!

    opened by capricewag 0
  • network_scan option does not find any network drives

    I ran into this issue on Windows 10 Pro x64, but also on a few different Windows Server OSes.

    If you pass the /scan_network parameter to Log4JScanner-2.1.2.0, it simply returns the following:

    Log4jScanner.exe /scan_network /verbose
    Qualys Log4j Vulnerability Scanner 2.1.2.0
    https://www.qualys.com/
    Dependencies: minizip/1.1 zlib/1.2.11, bzip2/1.0.8
    Supported CVE(s): CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105

    Known TAR Extensions            : .tar
    Known GZIP TAR Extensions       : .tgz, .tar.gz
    Known BZIP TAR Extensions       : .tbz, .tbz2, .tar.bz, .tar.bz2
    Known ZIP Extensions            : .zip, .jar, .war, .ear, .par, .kar, .sar, .rar, .jpi, .hpi, .apk

    Scanning Network Drives...

    Scan Summary:
            Scan Date:                       2022-01-28T08:36:29-0800
            Scan Duration:                   0 Seconds
            Scan Error Count:                0
            Scan Status:                     Success
            Files Scanned:                   0
            Directories Scanned:             0
            Compressed File(s) Scanned:      0
            JAR(s) Scanned:                  0
            WAR(s) Scanned:                  0
            EAR(s) Scanned:                  0
            TAR(s) Scanned:                  0
            Vulnerabilities Found:           0

    Looking through the code, it looks like the ScanNetworkDrives method on line 634 of Scanner.cpp is using the same logic to get the drive type as ScanLocalDrives is, but it is only returning local drives.

    opened by Charles-Auer 0
Releases
  • log4j-rem-1.2.2.1(Apr 7, 2022)

  • 2.1.3.0(Feb 9, 2022)

  • 2.1.2.0(Jan 10, 2022)

    Scanner:
    • Added Bzip2 compression support.
    • Added support for scanning the following file extensions: .tbz, .tbz2, .tar.bz, .tar.bz2
    • Allow both types of reports to be generated at the same time. (Issue #29: Allow run of /report and /report_sig together)
    • Add ability to exclude drives/directories/files from a scan. (Issue #42: Exclude from scan parameter)
      o Excluded drives, directories, and files are added to the report summaries.
    • Added the ability to add additional file extensions to the scanning engine via command line parameters.

    Log4jRemediate-1.2.1.1.zip(672.63 KB)
    Log4jScanner-2.1.2.0.zip(521.93 KB)
  • 2.0.2.7(Jan 8, 2022)

    • Addresses issue where the tar library code would throw an Out of Memory exception with small tar/tgz files ( less than 512 bytes, which violate the TAR standards ). (Issue: https://github.com/Qualys/log4jscanwin/issues/35)
    • Allow for /report and /report_sig to be processed at the same time. (Issue: https://github.com/Qualys/log4jscanwin/issues/29)
    Log4jScannerRemediate-2.0.2.7.zip(1.06 MB)
  • 2.0.2.4(Jan 6, 2022)

    • Add Remediation Tool to distribution
    • Add support for lowering process and thread priorities for background processing (/lowpriority command line argument) (Community submission: Nico Agten)
    • Add support for processing directories attached by mount points (/scaninclmountpoints command line argument) (Community submission: Nico Agten)
    • Add support for scanning tarballs (.tar) and compressed tarballs (.tar.gz, .tgz)
    • Add support for creating a scan summary file for the /report_sig command line argument
    Log4jScannerRemediate-2.0.2.4.zip(1.04 MB)
  • 2.0.2.3(Jan 6, 2022)

    • Add Remediation Tool to distribution
    • Add support for lowering process and thread priorities for background processing (/lowpriority command line argument) (Community submission: Nico Agten)
    • Add support for processing directories attached by mount points (/scaninclmountpoints command line argument) (Community submission: Nico Agten)
    • Add support for scanning tarballs (.tar) and compressed tarballs (.tar.gz, .tgz)
    • Add support for creating a scan summary file for the /report_sig command line argument
    Log4jScanner-2.0.2.3.zip(1.04 MB)
  • 1.2.19(Dec 29, 2021)

  • 1.2.18(Dec 21, 2021)

  • 1.2.17(Dec 17, 2021)

  • 1.2.16(Dec 15, 2021)

    The Log4jScanner.exe utility helps to detect CVE-2021-44228 and CVE-2021-45046 vulnerabilities. The utility will scan the entire hard drive(s) including archives (and nested JARs) for the Java class that indicates the Java application contains a vulnerable log4j library. The utility will output its results to a console. Qualys has added a new QID (376160) that is designed to look for the results of this scan and mark the asset as vulnerable if the vulnerable log4j library was found.

    Log4jScanner-1.2.16.zip(164.27 KB)
Owner
Qualys, Inc.