hillu/local-log4j-vuln-scanner

False positive log4j-core-2.15.0.jar

simon04 opened this issue · 2 comments

Since CVE-2021-44228 is fixed in 2.15.0, this scanner should not report log4j-core-2.15.0.jar

> curl -LO https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar

> sha256sum log4j-core-2.15.0.jar 
419a8512895971b7b4f4f33e620d361254e5c9552b904b0474b09ddd4a6a220b  log4j-core-2.15.0.jar

> ./local-log4j-vuln-scanner - a simple local log4j vulnerability scanner
indicator for vulnerable component found in log4j-core-2.15.0.jar (org/apache/logging/log4j/core/net/JndiManager$1.class): log4j 2.13.0-2.15.0
Scan finished

To address this, the scanner could cross-check the hash of MessagePatternConverter from apache/logging-log4j2#608.
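Below is an added illustration of the cross-check proposed above. It is not code from hillu/local-log4j-vuln-scanner or from the log4j project: it hashes one class entry inside a jar and compares the digest against a list of known-fixed digests, so a jar whose `JndiManager$1.class` indicator matches can still be cleared when its `MessagePatternConverter.class` is a fixed build. Assumptions: the full entry path `org/apache/logging/log4j/core/pattern/MessagePatternConverter.class`, the `CrossCheck`/`HashJarEntry`/`BuildJar` names, and the known-fixed digest, which is a placeholder here because the real value is not on this page.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
)

// MessagePatternConverterClass is the jar entry proposed for the cross-check
// (full path assumed; the issue names only the class).
const MessagePatternConverterClass = "org/apache/logging/log4j/core/pattern/MessagePatternConverter.class"

// FixedClassHashes maps a jar entry to SHA-256 digests of known-fixed builds.
// PLACEHOLDER value: the real digest must be taken from the released artifact.
var FixedClassHashes = map[string][]string{
	MessagePatternConverterClass: {"<placeholder: sha256 of fixed MessagePatternConverter.class>"},
}

// HashJarEntry returns the hex SHA-256 of the named entry in a jar (zip).
// found is false when the jar contains no such entry.
func HashJarEntry(zr *zip.Reader, name string) (digest string, found bool, err error) {
	for _, f := range zr.File {
		if f.Name != name {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return "", true, err
		}
		defer rc.Close()
		h := sha256.New()
		if _, err := io.Copy(h, rc); err != nil {
			return "", true, err
		}
		return hex.EncodeToString(h.Sum(nil)), true, nil
	}
	return "", false, nil
}

// Verdict is the outcome of cross-checking one class entry.
type Verdict int

const (
	VerdictNoEntry Verdict = iota // entry absent: nothing to cross-check, keep the indicator-based flag
	VerdictFixed                  // digest matches a known-fixed build: clear the flag
	VerdictUnknown                // entry present but digest unrecognised: keep the flag
)

// CrossCheck reads the jar bytes and compares the digest of name against fixed[name].
func CrossCheck(jar []byte, name string, fixed map[string][]string) (Verdict, string, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return VerdictUnknown, "", err
	}
	digest, found, err := HashJarEntry(zr, name)
	if err != nil {
		return VerdictUnknown, "", err
	}
	if !found {
		return VerdictNoEntry, "", nil
	}
	for _, good := range fixed[name] {
		if good == digest {
			return VerdictFixed, digest, nil
		}
	}
	return VerdictUnknown, digest, nil
}

// BuildJar assembles an in-memory jar from constructed entries so the check
// can be exercised offline without downloading a real artifact.
func BuildJar(entries map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range entries {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write(data); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: crosscheck <jar>")
		os.Exit(2)
	}
	jar, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	v, digest, err := CrossCheck(jar, MessagePatternConverterClass, FixedClassHashes)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: verdict=%d digest=%s\n", os.Args[1], v, digest)
}
```

The check only clears a flag on an exact digest match; an unrecognised digest keeps the jar flagged, which is the safe default when the fixed-build list is incomplete.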

hillu commented

Thank you for spotting this.

As of 2021-12-13, 2.15.0 is not considered safe, resulting in 2.16.0.
The old mitigation is unsafe too.
See https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046

imho 2.15.0 should result in a flag again