FAQ

What's the difference between vulnerable and potentially vulnerable?

For Log4j 2.x:

If JAR file doesn't have pom.properties, scanner cannot detect Log4j version.
- pom.properties should be located in META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
- If JndiLookup.class exists and scanner cannot determine Log4j version, it is treated as "Potentially Vulnerable"
If JAR file has pom.properties, scanner can recognize Log4j version.
- If Log4j version is 2.17.1 or above, it is not vulnerable.

For Log4j 1.x:

For Logback:

Prior to Logback 1.2.9 version has CVE-2021-42550 vulnerability in certain configuration conditions.
- To exploit:
  - Attacker has write access to logback.xml
  - Reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack
Therefore, scanner marks Logback prior to 1.2.9 version as "Potentially Vulnerable"

nfs, nfs3, nfs4, afs, cifs, autofs, tmpfs, devtmpfs, fuse.sshfs and iso9660 are ignored by default.
- Network file systems are excluded by default to avoid high network traffic.
- Temporary file systems are excluded by default since there are only system metrics.
- Removable file systems (e.g. CD-ROM) are excluded by default.
If you want to force scan all file systems, use --exclude-fs none switch.

Add --scan-log4j1 switch.
- Scanner find Log4j 2.x vulnerabilities only by default.

Open x64 Native Tools Command Prompt for VS 2019.
- Start -> Visual Studio 2019 -> Tools -> x64 Native Tools Command Prompt
Move to scanner source directory.
Run mvn package -Pnative

Download GraalVM Community Edition 21.0.0.2
- Latest version is 21.3.0, but I didn't tested it yet.
Install native-image
- gu install native-image
Open x64 Native Tools Command Prompt for VS 2019
Build PE binary using GraalVM Native Image
- native-image -jar log4j2-scanner-2.7.1-package.jar log4j2-scan-2.7.1 -H:-CheckToolchain -H:ReflectionConfigurationFiles=reflection-config.json
- Added ReflectionConfigurationFiles option to allow reparse point related reflection.

Set environment variables

export PATH=/path/to/graalvm-ce/graalvm-ce-java11-21.0.0.2/bin:$PATH
export JAVA_HOME=/path/to/graalvm-ce/graalvm-ce-java11-21.0.0.2/

Build elf binary using GraalVM Native Image
- native-image --static -jar log4j2-scanner-2.7.1-package.jar log4j2-scan -H:-CheckToolchain -H:+AllowIncompleteClasspath -H:ReflectionConfigurationFiles=reflection-config.json
- Added AllowIncompleteClasspath option to ignore windows specific reflection.

Build Mach-O binary using GraalVM Native Image
- native-image -jar log4j2-scanner-2.7.1-package.jar log4j2-scan -H:-CheckToolchain -H:+AllowIncompleteClasspath -H:ReflectionConfigurationFiles=reflection-config.json
- Added AllowIncompleteClasspath option to ignore windows specific reflection.
Codesign and Notarize binary
- Install Xcode first. It takes too long time.
- Generate App-Specific Password from https://appleid.apple.com/
- Generate Developer-ID Application Certificate from https://developer.apple.com/
- Codesign the binary
  - codesign --options=runtime -s 'Developer ID Application' log4j2-scan
  - codesign -dv log4j2-scan
- Zip the binary
  - zip log4j2-scan.zip log4j2-scan
- Retrive your ProviderShortname
  - AC_USERNAME is apple id
  - AC_PASSWORD is App-Specific Password
  - xcrun altool --list-providers -u "AC_USERNAME" -p "AC_PASSWORD"
- Notarize the binary
  - xcrun altool --notarize-app --primary-bundle-id "com.example.ote.zip" --username "AC_USERNAME" --password "AC_PASSWORD" --asc-provider <ProviderShortname> --file log4j2-scan.zip
- Check notarization status
  - xcrun altool --notarization-history 0 -u "AC_USERNAME" -p "AC_PASSWORD"
  - xcrun altool --notarization-info "RequestUUID" -u "AC_USERNAME" -p "AC_PASSWORD"