aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Home Page:https://aquasecurity.github.io/trivy


Help in locating vulnerable component

nycalex opened this issue · comments

Trivy is detecting log4j v2.x, yet I am unable to locate the corresponding file in the container.
The package field says "org.apache.logging.log4j:log4j-core", which isn't a package name or a file name.

Is there any way to extract more details from trivy that could be used to locate what needs to be remediated?

Edit: took a bunch of retries to get the table below formatted right

+--------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| org.apache.logging.log4j:log4j-api                     | CVE-2021-44228   | CRITICAL | 2.6.2             | 2.15.0                         | log4j-core: Remote code execution                                               |
|                                                        |                  |          |                   |                                | in Log4j 2.x when logs contain                                                  |
|                                                        |                  |          |                   |                                | an attacker-controlled...                                                       |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-44228                                           |
+                                                        +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                                        | CVE-2021-45046   |          |                   | 2.16.0                         | log4j-core: DoS in log4j 2.x                                                    |
|                                                        |                  |          |                   |                                | with thread context message                                                     |
|                                                        |                  |          |                   |                                | pattern and context...                                                          |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-45046                                           |
+                                                        +------------------+----------+                   +--------------------------------+---------------------------------------------------------------------------------+
|                                                        | CVE-2021-45105   | HIGH     |                   | 2.17.0, 2.12.3                 | log4j-core: DoS in log4j                                                        |
|                                                        |                  |          |                   |                                | 2.x with Thread Context                                                         |
|                                                        |                  |          |                   |                                | Map (MDC) input data...                                                         |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-45105                                           |
+                                                        +------------------+----------+                   +--------------------------------+---------------------------------------------------------------------------------+
|                                                        | CVE-2021-44832   | MEDIUM   |                   | 2.17.1, 2.12.4, 2.3.2          | log4j-core: remote code                                                         |
|                                                        |                  |          |                   |                                | execution via JDBC Appender                                                     |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-44832                                           |
+--------------------------------------------------------+------------------+----------+                   +--------------------------------+---------------------------------------------------------------------------------+
| org.apache.logging.log4j:log4j-core                    | CVE-2017-5645    | CRITICAL |                   | 2.8.2                          | log4j: Socket receiver                                                          |
|                                                        |                  |          |                   |                                | deserialization vulnerability                                                   |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-5645                                            |
+                                                        +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                                        | CVE-2021-44228   |          |                   | 2.15.0                         | log4j-core: Remote code execution                                               |
|                                                        |                  |          |                   |                                | in Log4j 2.x when logs contain                                                  |
|                                                        |                  |          |                   |                                | an attacker-controlled...                                                       |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-44228                                           |
+                                                        +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                                        | CVE-2021-45046   |          |                   | 2.16.0                         | log4j-core: DoS in log4j 2.x                                                    |
|                                                        |                  |          |                   |                                | with thread context message                                                     |
|                                                        |                  |          |                   |                                | pattern and context...                                                          |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-45046                                           |
+                                                        +------------------+----------+                   +--------------------------------+---------------------------------------------------------------------------------+
|                                                        | CVE-2021-45105   | HIGH     |                   | 2.17.0, 2.12.3                 | log4j-core: DoS in log4j                                                        |
|                                                        |                  |          |                   |                                | 2.x with Thread Context                                                         |
|                                                        |                  |          |                   |                                | Map (MDC) input data...                                                         |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-45105                                           |
+                                                        +------------------+----------+                   +--------------------------------+---------------------------------------------------------------------------------+
|                                                        | CVE-2021-44832   | MEDIUM   |                   | 2.17.1, 2.12.4, 2.3.2          | log4j-core: remote code                                                         |
|                                                        |                  |          |                   |                                | execution via JDBC Appender                                                     |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-44832                                           |
+                                                        +------------------+----------+                   +--------------------------------+---------------------------------------------------------------------------------+
|                                                        | CVE-2020-9488    | LOW      |                   | 2.13.2                         | log4j: improper validation                                                      |
|                                                        |                  |          |                   |                                | of certificate with host                                                        |
|                                                        |                  |          |                   |                                | mismatch in SMTP appender                                                       |
|                                                        |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9488                                            |
+--------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+

@nycalex use three ``` before and after the first +------- and after the last ----+ and it should fix the formatting.

(FYI: I came here because I'm running into a similar issue in trying to locate which jar contains the log4j vuln).

I had an idea to look inside the jars, but all I see inside is class names that are all the same regardless of log4j version... Not helpful... Really need to know the filename that is triggering the detection...

```sh
find / -name "*log4j*.jar" -exec sh -c 'printf "\n\nFile: {}"; jar tf {}' ";" | grep log4j
```

@nycalex Look inside any WAR files as well.

@nycalex Use `--format json` and it should print the filename. (Kudos to my coworker V for figuring that out)

@nycalex I localized the libraries using `unzip application.jar`, and used `find . -name "log4j*.jar"`. For more details you could take a look at this log4j image sample.

I polished it up a bit more... hope it will help someone save their time.... replace CVE as needed.

```sh
sudo /usr/local/bin/trivy -f json imagename:tag | grep -A2 "\"VulnerabilityID\": \"CVE-2021-44228\""
```

Output:

```
      "VulnerabilityID": "CVE-2021-44228",
      "PkgName": "org.apache.logging.log4j:log4j-api",
      "PkgPath": "opt/xxx/yyy/filename-2.3.0.jar",


      "VulnerabilityID": "CVE-2021-44228",
      "PkgName": "org.apache.logging.log4j:log4j-core",
      "PkgPath": "opt/xxx/yyy/filename-2.3.0.jar",
```
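The `grep -A2` approach depends on the key order and line breaks in the JSON and silently drops findings without a `PkgPath`. The script below is an added example, not code from this thread or from the Trivy project: it walks `Results[].Vulnerabilities[]` of a Trivy JSON report and groups the `PkgPath` values per package for one CVE, so every copy of a jar (including one nested inside a WAR) shows up, and OS-package findings, which have no file path, are reported by their target instead. The embedded report is a constructed sample (paths, versions and `CVE-0000-0001` are made up); it also accepts the older pre-0.20 layout where the results list is the top-level JSON value.

```python
import json
from collections import defaultdict

# Constructed sample of Trivy JSON output (schema version 2), trimmed to the
# fields this example reads. Paths, versions and CVE-0000-0001 are made up.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "Results": [
    {"Target": "Java", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
         "PkgPath": "opt/app/lib/log4j-core-2.6.2.jar", "InstalledVersion": "2.6.2", "FixedVersion": "2.15.0"},
        {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-api",
         "PkgPath": "opt/app/lib/log4j-api-2.6.2.jar", "InstalledVersion": "2.6.2", "FixedVersion": "2.15.0"},
        # the same artifact bundled a second time inside a WAR: a second place to remediate
        {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
         "PkgPath": "opt/app/app.war/WEB-INF/lib/log4j-core-2.6.2.jar", "InstalledVersion": "2.6.2", "FixedVersion": "2.15.0"},
        {"VulnerabilityID": "CVE-2020-9488", "PkgName": "org.apache.logging.log4j:log4j-core",
         "PkgPath": "opt/app/lib/log4j-core-2.6.2.jar", "InstalledVersion": "2.6.2", "FixedVersion": "2.13.2"}]},
    # OS packages carry no PkgPath; such a finding is located by its OS target instead
    {"Target": "debian 11.2", "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6", "InstalledVersion": "2.31-13+deb11u2"}]}]})


def iter_findings(report):
    """Yield (target, vulnerability) pairs. Schema version 2 wraps results in
    {"Results": [...]}; Trivy releases before 0.20 emitted the list at top level."""
    results = report.get("Results") if isinstance(report, dict) else report
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:  # absent or null for a clean target
            yield result.get("Target", "?"), vuln


def locate(report_json, cve_id):
    """Map each affected package to the sorted, de-duplicated file paths (PkgPath)
    that triggered cve_id, so every copy of the library can be found and replaced."""
    hits = defaultdict(set)
    for target, v in iter_findings(json.loads(report_json)):
        if v.get("VulnerabilityID") != cve_id:
            continue
        hits[v["PkgName"]].add(v.get("PkgPath") or f"<{target} package, no file path>")
    return {pkg: sorted(paths) for pkg, paths in hits.items()}


if __name__ == "__main__":
    import sys
    # Usage: trivy image -f json IMAGE:TAG | python locate_cve.py CVE-2021-44228
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    cve = sys.argv[1] if len(sys.argv) > 1 else "CVE-2021-44228"
    for pkg, paths in locate(data, cve).items():
        print(pkg)
        for path in paths:
            print("   ", path)
```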

This issue is stale because it has been labeled with inactivity.