README.md: 37 additions & 14 deletions
@@ -1,11 +1,17 @@
1
1
# safelog4j
2
2
3
-
If you're wrestling with log4shell [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046), the best thing to do is to upgrade your log4j to the latest secure version.
4
-
5
-
But if you can't do that for whatever reason, you probably want to be *really* sure that you have a problem and an easy way to fix it.
6
-
7
-
Safelog4j is an instrumentation-based tool to help you discover, verify, and solve log4shell without scanning or upgrading.
8
-
3
+
<palign="center"><b>
4
+
<br>
5
+
<br>
6
+
Safelog4j is an instrumentation-based security tool to help teams<br>
7
+
discover, verify, and solve log4shell without scanning or upgrading
8
+
<br>
9
+
<br>
10
+
</b></p>
11
+
12
+
If you're wrestling with log4shell [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046), the best thing to do is to upgrade your log4j to the latest secure version. But if you can't do that for whatever reason, you probably want to be *really* sure that you have a problem and an easy way to fix it.
13
+
14
+
Safelog4j:
9
15
* accurately discovers the use of log4j
10
16
* verifies that the log4shell vulnerability is actually present and exploitable
11
17
* prevents the log4shell vulnerability from being exploited
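Review bot: the opening tag of the new centered banner is malformed: `<palign="center"><b>` needs a space between the element name and the attribute, i.e. `<p align="center"><b>`, otherwise browsers and GitHub's sanitizer treat `palign` as an unknown element and the centering is lost. While in this block, the nested `<br>` lines inside `<b>` render as empty bold lines; the same spacing is usually achieved more robustly with blank lines around the paragraph than with four `<br>` tags.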
@@ -15,15 +21,21 @@ Safelog4j doesn't rely on version numbers or filenames. Instead, it instruments
## Why should you use an instrumentation-based approach to log4shell (and other security challenges)
25
+
26
+
Instrumentation has been around for decades, is widely used in performance tools, debugging and profiling, and app frameworks. Many security tools scan from the 'outside-in' and don't have the full context of the running application. This leads to false-positives, false-negatives, and long scan times.
27
+
28
+
Instrumentation allows us to do security analysis from within the running application - by watching the code run. Directly measuring security has speed, coverage, and accuracy benefits. Using instrumentation to analyze for vulnerabilities is often called IAST (Interactive Application Security Testing). Using instrumentation to identify attacks and prevent exploit is often called RASP (Runtime Application Self-Protection).
19
29
20
-
Unfortunately, log4j is deployed in a huge variety of ways that make traditional detection very difficult. Scanning file systems, code repos, or containers is very likely to fail to detect log4j accurately. Determining exploitability by attempting to test, scan, or fuzz for log4shell is even more inaccurate, requiring exactly right input with the exactly right syntax.
30
+
Safelog4j provides both IAST and RASP capabilities focused on a single vulnerability: log4shell. IAST verifies that the vulnerability is present and actually exploitable. RASP prevents it from being exploited. IAST and RASP can be used for a broad range of vulnerabilities and attacks. Please reach out if you're interested in applying these techniques to new security chaallenges.
31
+
32
+
Remember, you may be getting false results from other approaches. Scanning file systems, code repos, or containers could easily fail to detect log4j accurately. Determining exploitability by attempting to test, scan, or fuzz for log4shell is even more inaccurate, requiring exactly right input with the exactly right syntax.
21
33
22
34
* log4j could be buried in a fat jar, war, or ear
23
35
* log4j could be shaded in another jar
24
36
* log4j could be included in the appserver, not the code repo
25
37
* log4j could be part of dynamically loaded code or plugin
26
-
* log4j could have multiple different versions with different classloaders, some vulnerable some not
38
+
* log4j could be many different versions with different classloaders in a single app
27
39
* log4j could be masked by use of slf4j or other layers
28
40
* log4j could be renamed, recompiled, or otherwise changed
29
41
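Review bot: the added paragraph has a typo, "new security chaallenges" should read "new security challenges". The same paragraph ends with "Please reach out if you're interested" but gives no contact channel; a link to the issue tracker (which the "Building and Contributing" section already invites people to use) would make that actionable. Also note that "Remember, you may be getting false results from other approaches." now directly precedes the "log4j could be ..." bullet list without the sentence that used to introduce it ("log4j is deployed in a huge variety of ways that make traditional detection very difficult"); a short lead-in such as "Some of the reasons file-based detection fails:" before the bullets would keep the list readable.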
@@ -32,7 +44,7 @@ Unfortunately, log4j is deployed in a huge variety of ways that make traditional
32
44
33
45
You can use safelog4j in just about any environment using Java.
34
46
35
-
1. Download the latest [safelog4j-1.0.3.jar](https://github.com/Contrast-Security-OSS/safelog4j/releases/download/v1.0.1/safelog4j-1.0.1.jar)
47
+
1. Download the latest [safelog4j-1.0.3.jar](https://github.com/Contrast-Security-OSS/safelog4j/releases/download/v1.0.1/safelog4j-1.0.3.jar)
36
48
37
49
You can run it wherever you launch a JVM...
38
50
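Review bot: the download link is still internally inconsistent. The link text and the asset name say `safelog4j-1.0.3.jar`, but the release tag in the URL path is still `v1.0.1`: `https://github.com/Contrast-Security-OSS/safelog4j/releases/download/v1.0.1/safelog4j-1.0.3.jar`. GitHub serves release assets under the tag they were uploaded to, so unless the 1.0.3 jar was attached to the v1.0.1 release this link will 404 for users following the README. Either point the path at the matching tag (presumably `v1.0.3`) or use the `releases/latest` page so the step does not go stale on every release.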
@@ -57,13 +69,24 @@ Or you can attach to a JVM that is already running...
57
69
58
70
## Safelog4j Options
59
71
60
-
* CHECK means that safelog4j will actually test every log4j instance for log4shell. This is done by generating a synthetic log message and a sensor to detect it in the vulnerable clsas. This is iron clad evidence the application is vulnerable -- provided unttrusted data reaches that logger.
72
+
***CHECK** means that safelog4j will actually test every log4j instance for log4shell. This is done by generating a synthetic log message and a sensor to detect it in the vulnerable clsas. This is iron clad evidence the application is vulnerable -- provided unttrusted data reaches that logger.
73
+
74
+
***BLOCK** means that safelog4j will stub out all the methods in the JNDI lookup class. This is the recommended approach to ensure that log4j can't be exploited. It is harmless, except for the total prevention of this attack.
75
+
76
+
***BOTH** simply means that both CHECK and BLOCK will occur.
77
+
78
+
***NONE** disables both CHECK and BLOCK, allowing you to keep the agent in place but completely disabled.
79
+
61
80
62
-
* BLOCK means that safelog4j will stub out all the methods in the JNDI lookup class. This is the recommended approach to ensure that log4j can't be exploited. It is harmless, except for the total prevention of this attack.
81
+
## Building and Contributing
63
82
64
-
* BOTH simply means that both CHECK and BLOCK will occur.
83
+
We welcome pull requests and issues. Thanks!
65
84
66
-
* NONE disables both CHECK and BLOCK, allowing you to keep the agent in place but disabled.
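Review bot: the converted option bullets lost the space between the list marker and the bold marker: `***CHECK** means ...` is not a Markdown list item and will render as mis-nested emphasis rather than as "• **CHECK** means ...". Each of the four lines should read `* **CHECK** means`, `* **BLOCK** means`, `* **BOTH** simply means`, `* **NONE** disables`. Since these lines are being rewritten anyway, the CHECK entry carries over two typos from the old text: "vulnerable clsas" should be "vulnerable class" and "unttrusted data" should be "untrusted data".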