crash.software
Projects
Pull Requests
Issues
Builds
text4shell-tools
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY text4shell-tools Commits 8a947c64
🤬
  • ■ ■ ■ ■ ■ ■
    LICENSE
     1 + Apache License
     2 + Version 2.0, January 2004
     3 + http://www.apache.org/licenses/
     4 + 
     5 + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
     6 + 
     7 + 1. Definitions.
     8 + 
     9 + "License" shall mean the terms and conditions for use, reproduction,
     10 + and distribution as defined by Sections 1 through 9 of this document.
     11 + 
     12 + "Licensor" shall mean the copyright owner or entity authorized by
     13 + the copyright owner that is granting the License.
     14 + 
     15 + "Legal Entity" shall mean the union of the acting entity and all
     16 + other entities that control, are controlled by, or are under common
     17 + control with that entity. For the purposes of this definition,
     18 + "control" means (i) the power, direct or indirect, to cause the
     19 + direction or management of such entity, whether by contract or
     20 + otherwise, or (ii) ownership of fifty percent (50%) or more of the
     21 + outstanding shares, or (iii) beneficial ownership of such entity.
     22 + 
     23 + "You" (or "Your") shall mean an individual or Legal Entity
     24 + exercising permissions granted by this License.
     25 + 
     26 + "Source" form shall mean the preferred form for making modifications,
     27 + including but not limited to software source code, documentation
     28 + source, and configuration files.
     29 + 
     30 + "Object" form shall mean any form resulting from mechanical
     31 + transformation or translation of a Source form, including but
     32 + not limited to compiled object code, generated documentation,
     33 + and conversions to other media types.
     34 + 
     35 + "Work" shall mean the work of authorship, whether in Source or
     36 + Object form, made available under the License, as indicated by a
     37 + copyright notice that is included in or attached to the work
     38 + (an example is provided in the Appendix below).
     39 + 
     40 + "Derivative Works" shall mean any work, whether in Source or Object
     41 + form, that is based on (or derived from) the Work and for which the
     42 + editorial revisions, annotations, elaborations, or other modifications
     43 + represent, as a whole, an original work of authorship. For the purposes
     44 + of this License, Derivative Works shall not include works that remain
     45 + separable from, or merely link (or bind by name) to the interfaces of,
     46 + the Work and Derivative Works thereof.
     47 + 
     48 + "Contribution" shall mean any work of authorship, including
     49 + the original version of the Work and any modifications or additions
     50 + to that Work or Derivative Works thereof, that is intentionally
     51 + submitted to Licensor for inclusion in the Work by the copyright owner
     52 + or by an individual or Legal Entity authorized to submit on behalf of
     53 + the copyright owner. For the purposes of this definition, "submitted"
     54 + means any form of electronic, verbal, or written communication sent
     55 + to the Licensor or its representatives, including but not limited to
     56 + communication on electronic mailing lists, source code control systems,
     57 + and issue tracking systems that are managed by, or on behalf of, the
     58 + Licensor for the purpose of discussing and improving the Work, but
     59 + excluding communication that is conspicuously marked or otherwise
     60 + designated in writing by the copyright owner as "Not a Contribution."
     61 + 
     62 + "Contributor" shall mean Licensor and any individual or Legal Entity
     63 + on behalf of whom a Contribution has been received by Licensor and
     64 + subsequently incorporated within the Work.
     65 + 
     66 + 2. Grant of Copyright License. Subject to the terms and conditions of
     67 + this License, each Contributor hereby grants to You a perpetual,
     68 + worldwide, non-exclusive, no-charge, royalty-free, irrevocable
     69 + copyright license to reproduce, prepare Derivative Works of,
     70 + publicly display, publicly perform, sublicense, and distribute the
     71 + Work and such Derivative Works in Source or Object form.
     72 + 
     73 + 3. Grant of Patent License. Subject to the terms and conditions of
     74 + this License, each Contributor hereby grants to You a perpetual,
     75 + worldwide, non-exclusive, no-charge, royalty-free, irrevocable
     76 + (except as stated in this section) patent license to make, have made,
     77 + use, offer to sell, sell, import, and otherwise transfer the Work,
     78 + where such license applies only to those patent claims licensable
     79 + by such Contributor that are necessarily infringed by their
     80 + Contribution(s) alone or by combination of their Contribution(s)
     81 + with the Work to which such Contribution(s) was submitted. If You
     82 + institute patent litigation against any entity (including a
     83 + cross-claim or counterclaim in a lawsuit) alleging that the Work
     84 + or a Contribution incorporated within the Work constitutes direct
     85 + or contributory patent infringement, then any patent licenses
     86 + granted to You under this License for that Work shall terminate
     87 + as of the date such litigation is filed.
     88 + 
     89 + 4. Redistribution. You may reproduce and distribute copies of the
     90 + Work or Derivative Works thereof in any medium, with or without
     91 + modifications, and in Source or Object form, provided that You
     92 + meet the following conditions:
     93 + 
     94 + (a) You must give any other recipients of the Work or
     95 + Derivative Works a copy of this License; and
     96 + 
     97 + (b) You must cause any modified files to carry prominent notices
     98 + stating that You changed the files; and
     99 + 
     100 + (c) You must retain, in the Source form of any Derivative Works
     101 + that You distribute, all copyright, patent, trademark, and
     102 + attribution notices from the Source form of the Work,
     103 + excluding those notices that do not pertain to any part of
     104 + the Derivative Works; and
     105 + 
     106 + (d) If the Work includes a "NOTICE" text file as part of its
     107 + distribution, then any Derivative Works that You distribute must
     108 + include a readable copy of the attribution notices contained
     109 + within such NOTICE file, excluding those notices that do not
     110 + pertain to any part of the Derivative Works, in at least one
     111 + of the following places: within a NOTICE text file distributed
     112 + as part of the Derivative Works; within the Source form or
     113 + documentation, if provided along with the Derivative Works; or,
     114 + within a display generated by the Derivative Works, if and
     115 + wherever such third-party notices normally appear. The contents
     116 + of the NOTICE file are for informational purposes only and
     117 + do not modify the License. You may add Your own attribution
     118 + notices within Derivative Works that You distribute, alongside
     119 + or as an addendum to the NOTICE text from the Work, provided
     120 + that such additional attribution notices cannot be construed
     121 + as modifying the License.
     122 + 
     123 + You may add Your own copyright statement to Your modifications and
     124 + may provide additional or different license terms and conditions
     125 + for use, reproduction, or distribution of Your modifications, or
     126 + for any such Derivative Works as a whole, provided Your use,
     127 + reproduction, and distribution of the Work otherwise complies with
     128 + the conditions stated in this License.
     129 + 
     130 + 5. Submission of Contributions. Unless You explicitly state otherwise,
     131 + any Contribution intentionally submitted for inclusion in the Work
     132 + by You to the Licensor shall be under the terms and conditions of
     133 + this License, without any additional terms or conditions.
     134 + Notwithstanding the above, nothing herein shall supersede or modify
     135 + the terms of any separate license agreement you may have executed
     136 + with Licensor regarding such Contributions.
     137 + 
     138 + 6. Trademarks. This License does not grant permission to use the trade
     139 + names, trademarks, service marks, or product names of the Licensor,
     140 + except as required for reasonable and customary use in describing the
     141 + origin of the Work and reproducing the content of the NOTICE file.
     142 + 
     143 + 7. Disclaimer of Warranty. Unless required by applicable law or
     144 + agreed to in writing, Licensor provides the Work (and each
     145 + Contributor provides its Contributions) on an "AS IS" BASIS,
     146 + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
     147 + implied, including, without limitation, any warranties or conditions
     148 + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
     149 + PARTICULAR PURPOSE. You are solely responsible for determining the
     150 + appropriateness of using or redistributing the Work and assume any
     151 + risks associated with Your exercise of permissions under this License.
     152 + 
     153 + 8. Limitation of Liability. In no event and under no legal theory,
     154 + whether in tort (including negligence), contract, or otherwise,
     155 + unless required by applicable law (such as deliberate and grossly
     156 + negligent acts) or agreed to in writing, shall any Contributor be
     157 + liable to You for damages, including any direct, indirect, special,
     158 + incidental, or consequential damages of any character arising as a
     159 + result of this License or out of the use or inability to use the
     160 + Work (including but not limited to damages for loss of goodwill,
     161 + work stoppage, computer failure or malfunction, or any and all
     162 + other commercial damages or losses), even if such Contributor
     163 + has been advised of the possibility of such damages.
     164 + 
     165 + 9. Accepting Warranty or Additional Liability. While redistributing
     166 + the Work or Derivative Works thereof, You may choose to offer,
     167 + and charge a fee for, acceptance of support, warranty, indemnity,
     168 + or other liability obligations and/or rights consistent with this
     169 + License. However, in accepting such obligations, You may act only
     170 + on Your own behalf and on Your sole responsibility, not on behalf
     171 + of any other Contributor, and only if You agree to indemnify,
     172 + defend, and hold each Contributor harmless for any liability
     173 + incurred by, or claims asserted against, such Contributor by reason
     174 + of your accepting any such warranty or additional liability.
     175 + 
     176 + END OF TERMS AND CONDITIONS
     177 + 
     178 + APPENDIX: How to apply the Apache License to your work.
     179 + 
     180 + To apply the Apache License to your work, attach the following
     181 + boilerplate notice, with the fields enclosed by brackets "{}"
     182 + replaced with your own identifying information. (Don't include
     183 + the brackets!) The text should be enclosed in the appropriate
     184 + comment syntax for the file format. We also recommend that a
     185 + file or class name and description of purpose be included on the
     186 + same "printed page" as the copyright notice for easier
     187 + identification within third-party archives.
     188 + 
     189 + Copyright {yyyy} {name of copyright owner}
     190 + 
     191 + Licensed under the Apache License, Version 2.0 (the "License");
     192 + you may not use this file except in compliance with the License.
     193 + You may obtain a copy of the License at
     194 + 
     195 + http://www.apache.org/licenses/LICENSE-2.0
     196 + 
     197 + Unless required by applicable law or agreed to in writing, software
     198 + distributed under the License is distributed on an "AS IS" BASIS,
     199 + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     200 + See the License for the specific language governing permissions and
     201 + limitations under the License.
  • ■ ■ ■ ■ ■ ■
    README.md
     1 +# log4j-tools
     2 + 
     3 +### Quick links
     4 + 
     5 +Click to find:
     6 + 
     7 +| [Inclusions of `log4j2` in compiled code](#scan_jndimanager_versionspy) | [Calls to `log4j2` in compiled code](#scan_log4j_calls_jarpy) | [Calls to `log4j2` in source code](#scan_log4j_calls_srcpy) |
     8 +| ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------------------------------------------------- |
     9 +| [Sanity check for env mitigations](#env_verifyjar) | [Applicability of CVE-2021-45046](#scan_cve_2021_45046_config) | [Xray wrapper for Log4Shell](#log4shell_xray_wrapper) |
     10 +| [Automatically patch container images in Artifactory](patch_rt_container_registry_repos/python/README.md) | | |
     11 + 
     12 +### Overview
     13 + 
     14 +CVE-2021-44228 poses a serious threat to a wide range of Java-based applications. The important questions a developer may ask in this context are:
     15 + 
     16 +### 1. Does my code include `log4j2`?
     17 + 
     18 +Does the released code include `log4j2`? Which version of the library is included there? Answering these questions may not be immediate due to two factors:
     19 + 
     20 +1) Transitive dependencies: while `log4j2` may not be in the direct dependency list of the project, it may be used indirectly by some other dependency.
     21 + 
     22 +2) The code of this library may not appear directly as a separate file (i.e., `log4j2-core-2.xx.0.jar`), but rather be bundled in some other code jar file.
     23 + 
     24 +JFrog is releasing a tool to help resolve this problem: [`scan_log4j_versions`](#scan_log4j_versionspy). The tool looks for the **class code** of `JndiManager` and `JndiLookup` classes **(regardless of containing `.jar` file names and content of `pom.xml` files)**, and attempts to fingerprint the versions of the objects to report whether the included version of `log4j2` is vulnerable. Both Python and Java implementations are included.
     25 + 
     26 +### 2. Where does my code use `log4j2`?
     27 + 
     28 +The question is relevant for the cases where the developer would like to verify if the calls to log4j2 in the codebase may pass potentially attacker-controlled data. While the safest way to fix the vulnerability, as discussed in the advisories, is to apply the appropriate patches and global flags, controlling for and verifying the potential impact under assumption of unpatched `log4j2` may be valuable in many situations. In order to address this problem JFrog is releasing two scripts:
     29 + 
     30 +1. [`scan_log4j2_calls_src.py`](#scan_log4j_calls_srcpy), which locates calls to log4j2 logging functions (info, log, error etc.) with non-constant arguments in *.java source files* and reports the findings on the level of source file and line
     31 +2. [`scan_log4j2_calls_jar.py`](#scan_log4j_calls_jarpy), which locates the calls to logging functions in *compiled .jar*s, and reports the findings as class name and method names in which each call appears.
     32 + 
     33 +### 3. Am I configuring this correctly?
     34 + 
     35 +Due to the high risk associated with the vulnerability, developers relying on mitigations may want to double check that the environment was indeed configured correctly (which Java runtime actually runs the application? Were environment and command line flags set correctly?). In order to simplify this sanity check, JFrog is releasing a few tools. The tools are intended to run in the same environment as a production application.
     36 + 
     37 +* [env_verify.jar](#env_verifyjar) will validate the proper application of mitigations against CVE-2021-44228.
     38 +* [scan_cve_2021_45046_config](#scan_cve_2021_45046_config) will validate the `log4j2` configuration does not allow for exploitation of CVE-2021-45046.
     39 + 
     40 +------
     41 + 
     42 +## Usage instructions
     43 + 
     44 +### `scan_log4j_versions.py`
     45 + 
     46 +The tool requires Python 3, without additional dependencies.
     47 + 
     48 +##### Usage
     49 + 
     50 +```
     51 +python scan_log4j_versions.py root-folder [-quiet] [-exclude folder1 folder2 ..]
     52 +```
     53 + 
     54 +If python3 is not available, python2 ported version can be used:
     55 + 
     56 +```
     57 +python2 scan_log4j_versions_p2.py root-folder [-quiet] [-exclude folder1 folder2 ..]
     58 +```
     59 + 
     60 +The tool will scan `root_folder` recursively for `.jar` and `.war` files; in each located file the tool looks for a `*log4j/core/net/JndiManager.class` and `*log4j/core/lookup/JndiLookup.class` (recursively in each `.jar` file). If at least one of the classes is found, the tool attempts to fingerprint its version (including some variations found in patches and backport patches) in order to report whether the code is vulnerable.
     61 + 
     62 +With `-quiet` flag, only log4j version conclusions are printed out, and other messages (files not found/ archives failed to open/ password protected archives) are muted.
     63 + 
     64 +Folders appearing after `-exclude` (optional) are skipped.
     65 + 
     66 +<img src="img/jndi_manager_results.PNG" style="zoom:33%;" />
     67 + 
     68 +To reiterate, the results depend on the code of the classes rather than file names and the metadata. Files where both `JndiManager` and `JndiLookup` classes are not present (and hence are not vulnerable to CVE-2021-44228), like `log4j-1.x.xx.jar`, or `log4j-api-2.xx.x.jar`, do not appear in the results. Otherwise, vulnerability status and estimated version/patch status are displayed. When the versions of the two classes follow a pattern not accounted for, `inconsistent` is reported; this result should be investigated further.
     69 + 
     70 +#### Currently recognized log4j versions:
     71 + 
     72 +| Vulnerable | Mitigated | Fixed |
     73 +| -------------------- | --------- | ------------------------------------------------------------ |
     74 +| `2.0`, `2.1 .. 2.14` | `2.15` | `2.12.2`, `2.16`, `2.17` ,`JndiLookup removed`; patched versions `2.17.1`, `2.3.2`, `2.12.4` classified as `2.17` |
     75 + 
     76 +Supported archive extensions: jar, war, ear, sar, par, zip.
     77 + 
     78 +------
     79 + 
     80 +### `scan_log4j_versions.jar`
     81 + 
     82 +Compiled jar can be downloaded from [here](https://releases.jfrog.io/artifactory/log4j-tools/0.0.11/scan_log4j_versions.jar) or [compiled](#compiling-scan_log4j_versionsjar-from-source) from source.
     83 + 
     84 +The tool requires java runtime, without additional dependencies.
     85 + 
     86 +##### Usage
     87 + 
     88 +```
     89 +java -jar scan_jndimanager_versions.jar root-folder
     90 +```
     91 + 
     92 +The operation and displayed results are equivalent to the [Python version](#scan_log4j_versionspy).
     93 + 
     94 +------
     95 + 
     96 +### `scan_log4j_calls_jar.py`
     97 + 
     98 +The tool requires python 3 and the following 3rd party libraries: `jawa`, `tqdm`, `easyargs`, `colorama`
     99 + 
     100 +##### Dependencies installation
     101 + 
     102 +```
     103 +pip install -r requirements.txt
     104 +```
     105 + 
     106 +##### Usage
     107 + 
     108 +The default use case:
     109 + 
     110 +```
     111 +python scan_log4j_calls_jar.py root-folder
     112 +```
     113 + 
     114 +will recursively scan all `.jar` files in `root-folder`, for each printing out locations (class name and method name) of calls to `info`/`warn`/`error`/`log`/`debug` /`trace`/`fatal` methods of `log4j2.Logger`.
     115 + 
     116 +The tool may be configured for additional use cases using the following command line flags.
     117 + 
     118 +| Flag | Default value | Use |
     119 +| --------------------- | -------------------- | ------------------------------------------------------------ |
     120 +| `--class_regex` | .*log4j/Logger | Regular expression for required class name |
     121 +| `--method_regex` | [^1] | Regular expression for required method name |
     122 +| `--quickmatch_string` | log4j | Pre-condition for file analysis: .jar files not containing the specified string will be ignored |
     123 +| `--class_existence` | Not set | When not set, look for calls to class::method as specified by regexes. When set, `--method_regex` is ignored, and the tool will look for *existence* of classes specified by `--class_regex` in the jar. |
     124 +| `--no_quickmatch` | Not set | When set, the value of `--quickmatch_string` is ignored and all jar files are analyzed |
     125 +| `--caller_block` | .*org/apache/logging | If caller class matches this regex, it will *not* be displayed |
     126 + 
     127 +For example,
     128 + 
     129 +```
     130 +python scan_log4j_calls_jar.py --class_regex ".*JndiManager$" --class_existence --no_quickmatch root-folder
     131 +```
     132 + 
     133 +Will scan all `.jar` files (even if they do have no mentions of `log4j2`) for the existence of a class ending with `JndiManager`.
     134 + 
     135 +Typical results output looks like this:
     136 + 
     137 +<img src="img/scan_log4j_jar.PNG" style="zoom:33%;" />
     138 + 
     139 +------
     140 + 
     141 +### `scan_log4j_calls_src.py`
     142 +The tool requires python 3 and the following 3rd party libraries: `javalang`, `tqdm`, `easyargs`, `colorama`
     143 + 
     144 +##### Dependencies installation
     145 + 
     146 +```
     147 +pip install -r requirements.txt
     148 +```
     149 + 
     150 +##### Usage
     151 + 
     152 +The default use case:
     153 + 
     154 +```
     155 +python scan_log4j_calls_src.py root-folder
     156 +```
     157 + 
     158 +will recursively scan all `.java` files in `root-folder`, for each printing out the locations (file name and corresponding code lines) of calls to `log4j2` logging methods.
     159 + 
     160 +The tool may be configured for additional use cases using the following command line flags:
     161 + 
     162 +| Flag | Default value | Use |
     163 +| ---------------- | ------------------------------- | ------------------------------------------- |
     164 +| `--class_regex` | org/apache/logging/log4j/Logger | Regular expression for required class name |
     165 +| `--method_regex` | [^1] | Regular expression for required method name |
     166 + 
     167 +Typical output looks like this:
     168 + 
     169 +<img src="img/scan_log4j_src.PNG" style="zoom:33%;" />
     170 + 
     171 +------
     172 + 
     173 +### `env_verify.jar`
     174 + 
     175 +Compiled jar can be downloaded from [here](https://releases.jfrog.io/artifactory/log4j-tools/0.0.5/env_verify.jar) or [compiled](#compiling-env_verifyjar-from-source) from source, and does not require additional dependencies.
     176 + 
     177 +#### Usage
     178 + 
     179 +The intended use is running the tool in the same setting precisely as the production application. For example, for the original launch line in the start-up script:
     180 + 
     181 +```shell
     182 +eval "\"${JAVA_CMD}\" ${VMARG_LIST} application ${CLASSNAME} ${ARGS[@]}" &>/dev/null &
     183 +```
     184 + 
     185 +We add the following to the script:
     186 + 
     187 +```shell
     188 +eval "\"${JAVA_CMD}\" ${VMARG_LIST} -jar env_verify.jar" > /tmp/env_verify
     189 +```
     190 + 
     191 +And read the result after the start-up script completes:
     192 + 
     193 +<img src="img/env_verify_results.PNG" style="zoom: 33%;" />
     194 + 
     195 +------
     196 + 
     197 +### `scan_cve_2021_45046_config`
     198 + 
     199 +##### Dependencies
     200 + 
     201 +Python version requires installing dependencies:
     202 + 
     203 +```
     204 +pip install -r requirements.txt
     205 +```
     206 + 
     207 + 
     208 + 
     209 +##### Usage
     210 + 
     211 +Jar version can be [compiled](#compiling-scan_cve_2021_45046_configjar-from-source) from source or downloaded from [here](https://releases.jfrog.io/artifactory/log4j-tools/0.0.8/scan_cve_2021_45046_config.jar).
     212 + 
     213 +```
     214 +python scan_cve_2021_45046_config.py root-folder
     215 +```
     216 + 
     217 +or
     218 + 
     219 +```
     220 +java -jar scan_cve_2021_45046_config.jar root-folder
     221 +```
     222 + 
     223 +Will recursively scan `root-folder` and all archive files in it, looking for probable log4j configuration files (`xml`, `yml`, `properties`,`json`), in each looking for [configuration options](https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/#appendix-c) which may enable an attacker to exploit CVE-2021-45046.
     224 + 
     225 +Please note that an "applicable" result only means that the configuration **may** be problematic and should be inspected.
     226 + 
     227 +A "non-applicable" result is more conclusive, and means the configuration does not contain even the basic (publicly known) options for the exploitation of CVE-2021-45046.
     228 + 
     229 +------
     230 + 
     231 +### `log4shell_xray_wrapper`
     232 + 
     233 +##### Dependencies
     234 + 
     235 +Python version requires installing dependencies:
     236 + 
     237 +```bash
     238 +pip install -r requirements.txt
     239 +```
     240 + 
     241 +In addition, the following tools must be available in your `PATH`:
     242 + 
     243 +* [JFrog CLI](https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-Downloadandinstallation) 2.6.2 or later (either `jfrog` or `jf`) - [configured](https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-JFrogPlatformConfiguration) with an "Xray URL"
     244 +* Either [maven](https://maven.apache.org/download.cgi) or [gradle](https://gradle.org/install/) (according to the project you are planning to scan)
     245 + 
     246 + 
     247 + 
     248 +##### Usage
     249 + 
     250 +Jar version can be [compiled](#compiling-log4shell_xray_wrapperjar-from-source) from source or downloaded from [here](https://releases.jfrog.io/artifactory/log4j-tools/0.0.12/log4shell_xray_wrapper-all.jar).
     251 + 
     252 +```
     253 +java -jar log4shell_xray_wrapper.jar [--recurse] [--verbose] target_dir
     254 +```
     255 + 
     256 +or running the Python version:
     257 + 
     258 +```bash
     259 +python log4shell_xray_wrapper.py [--recurse] [--verbose] target_dir
     260 +```
     261 + 
     262 +The tool looks for Maven and Gradle projects , either directly at `target_dir` or (if `--recurse` is specified) in any child directory of `target_dir`.
     263 + 
     264 +Any detected project will be scanned using Xray (via the JFrog CLI), and results will be filtered to show only the Log4Shell vulnerabilities:
     265 + 
     266 +* CVE-2021-44228
     267 +* CVE-2021-45046
     268 +* CVE-2021-45105
     269 + 
     270 + 
     271 + 
     272 +------
     273 + 
     274 +### Compiling `scan_log4j_versions.jar` from source
     275 + 
     276 +```
     277 +cd scan_log4j_versions/java
     278 +gradle build
     279 +cp build/libs/scan_log4j_versions.jar ..
     280 +```
     281 + 
     282 +------
     283 + 
     284 +### Compiling `env_verify.jar` from source
     285 + 
     286 +```
     287 +cd env_verify/java
     288 +gradle build
     289 +cp build/libs/env_verify.jar ..
     290 +```
     291 + 
     292 +------
     293 + 
     294 +### Compiling `scan_cve_2021_45046_config.jar` from source
     295 + 
     296 +```
     297 +cd scan_cve_2021_45046_config/java
     298 +gradle build
     299 +cp build/libs/scan_cve_2021_45046_config.jar ..
     300 +```
     301 + 
     302 +------
     303 + 
     304 +### Compiling `log4shell_xray_wrapper.jar` from source
     305 + 
     306 +```
     307 +cd log4shell_xray_wrapper/java
     308 +gradle shadowJar
     309 +cp build/libs/log4shell_xray_wrapper-all.jar ..
     310 +```
     311 + 
     312 +------
     313 + 
     314 + 
     315 +[^1]: (info&#124;warn&#124;error&#124;log&#124;debug&#124;trace&#124;fatal&#124;catching&#124;throwing&#124;traceEntry&#124;printf&#124;logMessage)
Please wait...
Page is in error, reload to recover