CVE-2021-44228-Scanner: .jar Files not being fixed with --fix parameter

Using the --fix parameter is not working for the .jar file below:

C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar 1.2.17 POTENTIALLY_VULNERABLE

The output of log4j2-scan.exe (Ver. 2.2.0) looks like this:

C:\Temp\Logpresso\logpresso-log4j2-scan-2.2.0-win64>log4j2-scan.exe --fix "C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar"
Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.0 (2021-12-18)
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
Scanning directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Fixed 0 vulnerable files
Completed in 0.00 seconds

Every hint is highly appreciated.

Thank you.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

Use: ./log4j2-scan --scan-log4j1 --fix

After --fix has been applied, a new scan shows no mitigation note (mitigated)

Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
Scanning drives: C:\


Scanned 75461 directories and 312990 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 98.31 seconds

@latency0ms If SQL server uses JMS or socket logging feature, it can be damaged. In most cases, JMS or socket server feature is not used. However, you should use this option at your own risk. I can’t figure out all the software configurations in the world.

Logpresso CVE-2021-44228 Vulnerability Scanner 2.2.2 (2021-12-18)
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
Scanning directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar
[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar, log4j 1.2.17

Fixed: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 1 potentially vulnerable files
Found 0 mitigated files
Fixed 1 vulnerable log4j2 files and potentially vulnerable log4j1 files
Completed in 0.64 seconds

This worked, could this lead to side effects? What exactly is being performed with --scan-log4j1 --fix?
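An added example, not part of the thread and not Logpresso's code: a small Python check that classifies a jar the way the scan output above does (JndiLookup.class in log4j2-core, and the JMSAppender class that CVE-2021-4104 concerns in log4j 1.2) and rewrites the jar without those entries so a fixed copy can be re-verified independently of the scanner's own summary lines. The class paths, the constructed placeholder jar and the MITIGATED label are assumptions of this example.

```python
import io
import zipfile

# Entry paths assumed for this example: the class the thread says --fix removes
# from log4j2-core, and the log4j 1.2 class that CVE-2021-4104 concerns.
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_JMS = "org/apache/log4j/net/JMSAppender.class"
LOG4J_PREFIXES = ("org/apache/logging/log4j/", "org/apache/log4j/")


def jar_entries(data: bytes) -> list:
    """Return the entry names of an in-memory jar."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        return jar.namelist()


def assess_jar(data: bytes) -> str:
    """Classify a jar: VULNERABLE (log4j2 JndiLookup present),
    POTENTIALLY_VULNERABLE (log4j 1.2 JMSAppender present), MITIGATED
    (log4j classes present, risky entries gone) or NOT_LOG4J."""
    names = set(jar_entries(data))
    if LOG4J2_JNDI in names:
        return "VULNERABLE"
    if LOG4J1_JMS in names:
        return "POTENTIALLY_VULNERABLE"
    if any(n.startswith(LOG4J_PREFIXES) for n in names):
        return "MITIGATED"
    return "NOT_LOG4J"


def strip_entries(data: bytes, drop: set) -> bytes:
    """Rewrite the jar without the named entries (the spirit of --fix)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in drop:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_jar(entries) -> bytes:
    """Build a constructed jar; bodies are only the class-file magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed stand-in for a log4j 1.2.17 jar, not a real file from disk.
LOG4J1_JAR = make_jar(["META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class", LOG4J1_JMS])

if __name__ == "__main__":
    print(assess_jar(LOG4J1_JAR))                               # POTENTIALLY_VULNERABLE
    print(assess_jar(strip_entries(LOG4J1_JAR, {LOG4J1_JMS})))  # MITIGATED
```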