Merge branch 'main' into main

erikcostlow · web-flow · commit 7c35c6870b00 · 2021-12-15T22:46:58.000-05:00
diff --git a/README.md b/README.md
@@ -3,6 +3,9 @@
 SafeLog4j can identify and resolve the log4j2 [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046). It can work with custom and third party applications that run on Java and does not require source code.
 
 The patch works by connecting to a Java process, looking for affected versions of Log4j2, and neutralizing the vulnerability. Other application functionality is unaffected and applications proceed as normal with a reduced risk profile.
+
+This tool tests and verifies the vulnerability using a functioning yet safe payload. This ensures that the security tool takes action if and only if it is necessary without false positives.
+
 - If the application was previously vulnerable, this will patch it.
 - If the application was not previously vulnerable, this will simply do nothing and can remain in place.
 
diff --git a/pom.xml b/pom.xml
@@ -54,6 +54,7 @@
 								<transformer
 									implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
 									<manifestEntries>
+										<Main-Class>com.contrastsecurity.App</Main-Class>
 										<Premain-Class>com.contrastsecurity.SafeLog4J</Premain-Class>
 										<Agent-Class>com.contrastsecurity.SafeLog4J</Agent-Class>
 										<Can-Redefine-Classes>true</Can-Redefine-Classes>
diff --git a/src/main/java/com/contrastsecurity/App.java b/src/main/java/com/contrastsecurity/App.java
@@ -0,0 +1,125 @@
+package com.contrastsecurity;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.util.List;
+
+import com.sun.tools.attach.AgentInitializationException;
+import com.sun.tools.attach.AgentLoadException;
+import com.sun.tools.attach.AttachNotSupportedException;
+import com.sun.tools.attach.VirtualMachine;
+import com.sun.tools.attach.VirtualMachineDescriptor;
+
+public class App {
+
+    private static final String SELF;
+
+    private static boolean CAN_ATTACH;
+
+    static{
+        String self;
+        try {
+            self = App.class.getProtectionDomain()
+            .getCodeSource()
+            .getLocation()
+            .toURI()
+            .getPath();
+        } catch (URISyntaxException e) {
+            self=null;
+        }
+        SELF=self;
+        //Need the agent's location or Attach won't work.
+        try {
+            Class.forName("com.sun.tools.attach.VirtualMachine");
+            CAN_ATTACH=SELF!=null;
+        } catch (ClassNotFoundException e) {
+            CAN_ATTACH=false;
+        }
+        
+    }
+
+    public static void main(String[] args){
+        System.out.println("SafeLog4j by Contrast Security");
+
+        if(args.length>0 && CAN_ATTACH){
+            String options = args.length>=2 ? args[1] : null;
+            patch(args[0].trim(), options);
+        }else{
+            showHelp();
+        }
+    }
+
+    public static void listProcesses(){
+        List<VirtualMachineDescriptor> vms = VirtualMachine.list();
+        vms.stream()
+            .filter(vm -> !vm.displayName().contains("safelog")) //No need to patch ourselves
+            .forEach(vm -> {
+            System.out.println(vm.id() + " \t" + vm.displayName());
+        });
+    }
+
+    private static void showHelp(){
+        System.out.println("This tool can be used in two modes for custom and third party applications:");
+        System.out.println("1. At application startup, through the -javaagent flag.");
+        System.out.println("2. Without application restart, if supported.");
+
+        if(!CAN_ATTACH){
+            System.out.println("  -- Option 2 is not supported on this system.");
+        }else{
+            System.out.println();
+            System.out.println("SafeLog4j can connect to and patch the following Java processes:");
+            try{
+                listProcesses();
+
+                System.out.println();
+                System.out.println("To patch a process, add an argument of the ID or use the word all.");
+            }catch(NoClassDefFoundError err){
+                System.err.println("Please use jcmd to list Java processes.");
+            }
+        }
+    }
+
+    private static void patch(String process, String options){
+        try{
+            int pid = Integer.parseInt(process);
+            patch(pid, options);
+        }catch(NumberFormatException ex){
+            if("all".equalsIgnoreCase(process)){
+                System.out.println("Patching all...");
+                List<VirtualMachineDescriptor> vms = VirtualMachine.list();
+                vms.stream()
+                    .filter(vm -> !vm.displayName().contains("safelog")) //No need to patch ourselves
+                    .map(vm -> vm.id())
+                    .forEach(id -> patch(Integer.parseInt(id), options));
+            }else{
+                System.err.println("Uknown process: " + process);
+                System.err.println("  Use a number or all.");
+            }
+        }
+    }
+
+    private static void patch(int process, String options){
+        try {
+            VirtualMachine vm = VirtualMachine.attach(String.valueOf(process));
+            vm.loadAgent(SELF, options);
+            System.out.println("Successfully patched process "
+                + process 
+                + ". You should see safelog4j messages in its log.");
+        } catch (AttachNotSupportedException | IOException e) {
+            if("Non-numeric value found - int expected".equals(e.getMessage())){
+                //Odd interplay between majors. https://bugs.eclipse.org/bugs/show_bug.cgi?id=534489
+                String javaHome = System.getProperty("java.home");
+                System.err.println("Unable to bridge Java version to process "
+                    + process
+                    + ". Please re-run this tool from its Java installation instead of " + javaHome);
+            }else{
+                System.err.println("Unable to connect to " + process + ". " + e.getMessage());
+            }
+        } catch (AgentLoadException | AgentInitializationException e) {
+            System.err.println("Attempt to patch was unsuccessful. Process "
+                + process
+                + " must be restarted to be patched. "
+                + e.getMessage());
+        }
+    }
+}
diff --git a/src/main/java/com/contrastsecurity/SafeLog4J.java b/src/main/java/com/contrastsecurity/SafeLog4J.java
@@ -81,6 +81,22 @@ public static void transform(String args, Instrumentation inst) {
 		}
 
 		builder.installOn(inst);
+		
+		Loggers.log("Looking for previously loaded Log4J2.");
+		Class[] classes = inst.getAllLoadedClasses();
+		List<Class> reTransform = Arrays.stream(classes).filter(clazz -> clazz.getName().endsWith("suffix"))
+		.collect(Collectors.toList());
+		if(reTransform.isEmpty()){
+			Loggers.log("No previously loaded Log4J2 detected.");
+		}else{
+			try {
+				inst.retransformClasses(reTransform.toArray(new Class[reTransform.size()]));
+				Loggers.log("Engaged " + reTransform.size() + " Log4J classes.");
+			} catch (UnmodifiableClassException e) {
+				Loggers.log("Unable to retransorm and defend previously loaded loggers: " + e.getMessage());
+				Loggers.log(reTransform.stream().map(clazz -> clazz.getName()).collect(Collectors.joining(", ")));
+			}
+		}
 	}
 
 }
