From b9f2b3b6189e281d15c2925330a30eaacf9e20d4 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:19:04 -0800 Subject: [PATCH 01/17] added toc --- README.md | 51 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 7484455..3468c5d 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,23 @@ -# log4j-detector +# Table of Contents +- log4j-detector (#itemdetector) +- Example Usage: (#itemexample) +- More Example Usage: (#itemmore) +- Understanding The Results (#itemresults) +- This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? (#itemapi) +- Why Report About 2.10.0, 2.15.0, and 2.16.0 ? (#item2.10.0) +- What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? (#itemwar) +- Usage (#itemusage) +- Build From Source: (#itembuild) +- Testing: (#itemtesting) +- License (#itemlicense) +- How Does It Work? (#itemwork) +- What About Log4J 1.2.x ? (#item1.2.x) +- How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? (#itemtrojan) +- What Is MergeBase All About? (#item) + +](http://mergebase.com) + +# log4j-detector Detects Log4J versions on your file-system within any application that are vulnerable to [CVE-2021-44228](https://mergebase.com/vulnerability/CVE-2021-44228/) and [CVE-2021-45046](https://mergebase.com/vulnerability/CVE-2021-45046/). It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! 
@@ -11,13 +30,13 @@ exploded jar files just sitting uncompressed on the file-system (aka *.class). We currently maintain a collection of [log4j-samples](https://github.com/mergebase/log4j-samples) we use for testing. -# Example Usage: +# Example Usage: java -jar log4j-detector-2021.12.16.jar [path-to-scan] > hits.txt ![Terminal output from running java -jar log4j-detector.jar in a terminal](./log4j-detector.png) -# More Example Usage: +# More Example Usage: ``` java -jar log4j-detector-2021.12.16.jar ./samples @@ -42,7 +61,7 @@ java -jar log4j-detector-2021.12.16.jar ./samples /opt/mergebase/log4j-detector/samples/log4j-core-2.9.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-( ``` -# Understanding The Results +# Understanding The Results **\_VULNERABLE\_** -> You need to upgrade or remove this file. 
@@ -54,13 +73,14 @@ java -jar log4j-detector-2021.12.16.jar ./samples **\_POTENTIALLY_SAFE\_** -> The "JndiLookup.class" file is not present, either because your version of Log4J is very old (pre 2.0-beta9), or because someone already removed this file. Make sure it was someone in your team or company that removed "JndiLookup.class" if that's the case, because attackers have been known to remove this file themselves to prevent additional competing attackers from gaining access to compromised systems. -# This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? +# This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? Many scanners (including GitHub's own [Dependabot](https://github.com/dependabot)) currently report both "`log4j-core`" and "`log4j-api`" libraries as vulnerable. These scanners are incorrect. There is currently no existing version of the "`log4j-api`" library that can be exploited by any of these vulnerabilities. At MergeBase we pride ourselves on our scan accuracy. You're already busy enough patching and defending your systems. We don't want you to waste your time with false positives. That's why we don't report any hits against `log4j-api`. -# Why Report About 2.10.0, 2.15.0, and 2.16.0 ? + +# Why Report About 2.10.0, 2.15.0, and 2.16.0 ? We consider version 2.10.0 important because that's the first version where Log4J's vulnerable "message lookup feature" can be disabled via Log4J configuration. 
@@ -69,7 +89,7 @@ We consider version 2.15.0 important because that's the first version where Log4 And version 2.16.0 is important because it's not vulnerable to CVE-2021-45046. Despite CVE-2021-45046 being much less serious, we anticipate everyone will want to patch to 2.16.0. -# What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? +# What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? The "!" means the log4j-detector entered a zip archive (e.g., *.zip, *.ear, *.war, *.aar, *.jar). Since zip files can contain zip files, a single result might contain more than one "!" indicator in its result. @@ -83,7 +103,7 @@ system, and hence, not a vulnerability worth reporting. before attempting to scan it. You might need to give Java some extra memory if you have extremely large inner-zips on your system (e.g., 1 GB or larger). -# Usage +# Usage ``` java -jar log4j-detector-2021.12.16.jar @@ -99,7 +119,7 @@ Docs - https://github.com/mergebase/log4j-detector (C) Copyright 2021 Mergebase Software Inc. Licensed to you via GPLv3. ``` -# Build From Source: +# Build From Source: ``` git clone https://github.com/mergebase/log4j-detector.git @@ -107,15 +127,15 @@ cd log4j-detector/ mvn install java -jar target/log4j-detector-2021.12.16.jar ``` -# Testing: +# Testing: We maintain a collection of log4j samples here: https://github.com/mergebase/log4j-samples -# License +# License GPL version 3.0 -# How Does It Work? +# How Does It Work? The Java compiler stores String literals directly in the compiled *.class files. If log4j-detector detects a file named "JndiManager.class" 
@@ -123,19 +143,20 @@ on your file-system, it then examines that file for this String: "Invalid JNDI U literal is only present in the patched version of Log4J (version 2.15.0). Any versions of Log4J without that String are vulnerable. -# What About Log4J 1.2.x ? +# What About Log4J 1.2.x ? Only versions of Log4J 2.x (from 2.0-beta9 to 2.14.1) are vulnerable to CVE-2021-44228. -# How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? +# How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? Great question! Since we include the complete source code here in Github (all 750 lines of Java), as well as the steps to build it, and since this tool has zero dependencies, it shouldn't take too long to carefully study the code to your satisfaction. If you don't trust Maven you can go directly into the "src/main/java/com/mergebase/log4j" directory and type "javac \*.java". That works, too! -# What Is MergeBase All About? +# What Is MergeBase All About? +![MergeBase](mergebase.png) [MergeBase](https://mergebase.com/) is an SCA company (Software Composition Analysis) based in Vancouver, Canada. We're similar to companies like Snyk, Sonatype, Blackduck, etc., in that we help companies detect and manage vulnerable open-source libraries in their software. Check us out! We have great accuracy, great language support, and we're not too From 14156c1652bc22d4c2fd86267136a21860f8601e Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:19:27 -0800 Subject: [PATCH 02/17] added icon --- mergebase.png | Bin 0 -> 18540 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 mergebase.png 
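Review bot: the Table of Contents added in the first hunk of patch 01/17 will not render as links: every entry is plain text followed by a parenthesised anchor, e.g. `- log4j-detector (#itemdetector)`, instead of markdown link syntax `- [log4j-detector](#itemdetector)`. The anchor names themselves (`#itemdetector`, `#itemapi`, `#item2.10.0`, `#item1.2.x`, and the bare `#item` for the MergeBase entry) are not what a markdown heading generates (GitHub would produce `#log4j-detector`, `#example-usage`, and so on), so unless an explicit anchor element is added beside each heading, every entry is a dead link. The heading lines changed in the later hunks of this patch show no visible difference from the lines they replace in this rendering, which is worth checking for exactly that reason. Either use the auto-generated heading slugs or add one explicit anchor per heading, and give the last entry a descriptive name rather than `#item`.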
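Review bot: the last hunk of patch 01/17 adds `![MergeBase](mergebase.png)` under "What Is MergeBase All About?", but `mergebase.png` is only created by the next patch (02/17, "added icon"), so at this commit the README references an image that is not in the tree. Reorder the series so the binary lands first, or squash the two. The first hunk of the same patch also leaves a dangling `](http://mergebase.com)` line with no opening `[` in this rendering; whether that is an unbalanced link or a stripped image element, it should be a complete `[![...](image)](https://mergebase.com)` link, and over https rather than http.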
diff --git a/mergebase.png b/mergebase.png new file mode 100644 index 0000000000000000000000000000000000000000..a7cf3b5a8a94943de66c390375d98d4095a05e6d GIT binary patch literal 18540 [base85-encoded PNG payload omitted]

Date: Fri, 17 Dec 2021 17:23:58 -0800 Subject: [PATCH 03/17] added small icon --- mergebase-small.png | Bin 0 -> 9144 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 mergebase-small.png
diff --git a/mergebase-small.png b/mergebase-small.png new file mode 100644 index 0000000000000000000000000000000000000000..0a5411d6a5ac03f6e822701901a72b7dd062be85 GIT binary patch literal 9144 [base85-encoded PNG payload omitted]

Date: Fri, 17 Dec 2021 17:24:13 -0800 Subject: [PATCH 04/17] added small icon 2 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3468c5d..c0ac1d4 100644 --- a/README.md +++ b/README.md
@@ -15,7 +15,7 @@ - How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? (#itemtrojan) - What Is MergeBase All About? (#item) -](http://mergebase.com) +](http://mergebase.com) # log4j-detector From d042fce2ecc969bd0a282205a74c4fb1a2037834 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:27:20 -0800 Subject: [PATCH 05/17] added small icon 3 --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c0ac1d4..3ab8b10 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,8 @@ - How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? (#itemtrojan) - What Is MergeBase All About? (#item) -](http://mergebase.com) +[![mergebase.com](mergebase-small.jpg)](https://mergebase.com) + # log4j-detector From 9bcbdd3613e977bdd1959281256c0fbd5a2fee01 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:29:23 -0800 Subject: [PATCH 06/17] toc --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3ab8b10..b160076 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Table of Contents -- log4j-detector (#itemdetector) +- [log4j-detector](#itemdetector) - Example Usage: (#itemexample) - More Example Usage: (#itemmore) - Understanding The Results (#itemresults) @@ -15,7 +15,7 @@ - How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? (#itemtrojan) - What Is MergeBase All About? (#item) -[![mergebase.com](mergebase-small.jpg)](https://mergebase.com) +[![mergebase.com](mergebase-small.png)](https://mergebase.com) # log4j-detector From ed05e49c6d408f24b966e9108178ccedb1570843 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:31:27 -0800 Subject: [PATCH 07/17] toc 2 --- README.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index b160076..ff94841 100644 --- a/README.md +++ b/README.md 
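Review bot: the hunk in patch 05/17 replaces the dangling link with `[![mergebase.com](mergebase-small.jpg)](https://mergebase.com)`, but the file added in 03/17 is `mergebase-small.png`; the `.jpg` reference renders as a broken image until 06/17 corrects the extension. Squash that fix into this commit so no intermediate revision ships a broken logo.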
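Review bot: the first hunk of patch 06/17 converts only the first TOC entry into a real link (`- [log4j-detector](#itemdetector)`); the other fourteen entries in the same list still carry the plain-text `(#item...)` suffix and will not be clickable. Convert the whole list in one change rather than one entry per commit, and confirm that the `#item*` anchors actually exist in the file, since markdown headings alone do not generate them.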
@@ -1,21 +1,23 @@ +
[![mergebase.com](mergebase-small.png)](https://mergebase.com) +
+ # Table of Contents - [log4j-detector](#itemdetector) -- Example Usage: (#itemexample) -- More Example Usage: (#itemmore) -- Understanding The Results (#itemresults) -- This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? (#itemapi) -- Why Report About 2.10.0, 2.15.0, and 2.16.0 ? (#item2.10.0) -- What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? (#itemwar) -- Usage (#itemusage) -- Build From Source: (#itembuild) -- Testing: (#itemtesting) -- License (#itemlicense) -- How Does It Work? (#itemwork) -- What About Log4J 1.2.x ? (#item1.2.x) -- How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? (#itemtrojan) -- What Is MergeBase All About? (#item) - -[![mergebase.com](mergebase-small.png)](https://mergebase.com) +- [Example Usage](#itemexample) +- [More Example Usage](#itemmore) +- [Understanding The Results](#itemresults) +- [This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? ](#itemapi) +- [Why Report About 2.10.0, 2.15.0, and 2.16.0 ? ](#item2.10.0) +- [What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? ](#itemwar) +- [Usage](#itemusage) +- [Build From Source ](#itembuild) +- [Testing](#itemtesting) +- [License](#itemlicense) +- [How Does It Work?](#itemwork) +- [What About Log4J 1.2.x ?](#item1.2.x) +- [How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?](#itemtrojan) +- [What Is MergeBase All About?](#item) + # log4j-detector From 02cd64abe9105873fd30e655ee1d89f68ebcaf26 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:32:11 -0800 Subject: [PATCH 08/17] toc 3 --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index ff94841..66c89ea 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,4 @@ -
[![mergebase.com](mergebase-small.png)](https://mergebase.com) -
+
# Table of Contents - [log4j-detector](#itemdetector) From eccb06246daeee77b275f1289c8348c7db1b05e3 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:33:07 -0800 Subject: [PATCH 09/17] toc 4 --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 66c89ea..0bab80f 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,11 @@
+# Log4-detector + +Detects Log4J versions on your file-system within any application that are vulnerable to [CVE-2021-44228](https://mergebase.com/vulnerability/CVE-2021-44228/) and [CVE-2021-45046](https://mergebase.com/vulnerability/CVE-2021-45046/). It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! + # Table of Contents -- [log4j-detector](#itemdetector) +- [Introduction](#itemdetector) - [Example Usage](#itemexample) - [More Example Usage](#itemmore) - [Understanding The Results](#itemresults) @@ -19,9 +23,7 @@ -# log4j-detector - -Detects Log4J versions on your file-system within any application that are vulnerable to [CVE-2021-44228](https://mergebase.com/vulnerability/CVE-2021-44228/) and [CVE-2021-45046](https://mergebase.com/vulnerability/CVE-2021-45046/). It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! +# Introduction Currently reports `log4j-core` versions 2.12.2 and 2.16.0 as **\_SAFE\_**, 2.15.0 as **\_OKAY\_** and all other versions as **\_VULNERABLE\_** (although it does report pre-2.0-beta9 as "**\_POTENTIALLY_SAFE\_**"). From 9480443c1df06ef0d1b29ef4c404884f5aa6f725 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:33:58 -0800 Subject: [PATCH 10/17] toc 5 --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 0bab80f..4c6d752 100644 --- a/README.md +++ b/README.md 
@@ -9,17 +9,18 @@ Detects Log4J versions on your file-system within any application that are vulne - [Example Usage](#itemexample) - [More Example Usage](#itemmore) - [Understanding The Results](#itemresults) -- [This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? ](#itemapi) -- [Why Report About 2.10.0, 2.15.0, and 2.16.0 ? ](#item2.10.0) -- [What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? ](#itemwar) - [Usage](#itemusage) - [Build From Source ](#itembuild) - [Testing](#itemtesting) - [License](#itemlicense) -- [How Does It Work?](#itemwork) -- [What About Log4J 1.2.x ?](#item1.2.x) -- [How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?](#itemtrojan) -- [What Is MergeBase All About?](#item) +- Frequently Asked Questions: + - [This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? ](#itemapi) + - [Why Report About 2.10.0, 2.15.0, and 2.16.0 ? ](#item2.10.0) + - [What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? ](#itemwar) + - [How Does It Work?](#itemwork) + - [What About Log4J 1.2.x ?](#item1.2.x) + - [How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?](#itemtrojan) + - [What Is MergeBase All About?](#item) From 4fbfcc47b88d147f3a5246ffeae4e7ac7968ac23 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:35:23 -0800 Subject: [PATCH 11/17] toc 6 --- README.md | 66 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index 4c6d752..8fafa5c 100644 --- a/README.md +++ b/README.md 
@@ -13,11 +13,11 @@ Detects Log4J versions on your file-system within any application that are vulne - [Build From Source ](#itembuild) - [Testing](#itemtesting) - [License](#itemlicense) -- Frequently Asked Questions: +- [Frequently Asked Questions](#faq) + - [How Does It Work?](#itemwork) - [This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? ](#itemapi) - [Why Report About 2.10.0, 2.15.0, and 2.16.0 ? ](#item2.10.0) - [What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? ](#itemwar) - - [How Does It Work?](#itemwork) - [What About Log4J 1.2.x ?](#item1.2.x) - [How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?](#itemtrojan) - [What Is MergeBase All About?](#item) 
@@ -78,36 +78,6 @@ java -jar log4j-detector-2021.12.16.jar ./samples **\_POTENTIALLY_SAFE\_** -> The "JndiLookup.class" file is not present, either because your version of Log4J is very old (pre 2.0-beta9), or because someone already removed this file. Make sure it was someone in your team or company that removed "JndiLookup.class" if that's the case, because attackers have been known to remove this file themselves to prevent additional competing attackers from gaining access to compromised systems. -# This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? - -Many scanners (including GitHub's own [Dependabot](https://github.com/dependabot)) currently report both "`log4j-core`" and "`log4j-api`" libraries as vulnerable. These scanners are incorrect. There is currently no existing version of the "`log4j-api`" library that can be exploited by any of these vulnerabilities. - -At MergeBase we pride ourselves on our scan accuracy. You're already busy enough patching and defending your systems. We don't want you to waste your time with false positives. That's why we don't report any hits against `log4j-api`. - - -# Why Report About 2.10.0, 2.15.0, and 2.16.0 ? - -We consider version 2.10.0 important because that's the first version where Log4J's vulnerable "message lookup feature" can be disabled via Log4J configuration. - -We consider version 2.15.0 important because that's the first version where Log4J's default out-of-the-box configuration is not vulnerable to CVE-2021-44228. - -And version 2.16.0 is important because it's not vulnerable to CVE-2021-45046. Despite CVE-2021-45046 being much less serious, -we anticipate everyone will want to patch to 2.16.0. - -# What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? - -The "!" means the log4j-detector entered a zip archive (e.g., *.zip, *.ear, *.war, *.aar, *.jar). 
Since zip files can -contain zip files, a single result might contain more than one "!" indicator in its result. - -Note: the log4j-detector only recursively enters zip archives. It does not enter tar or gz or bz2, etc. The main reason -being that Java systems are often configured to execute jars inside jars, but they are never configured to execute other -file formats (that I know of!). And so a log4j copy inside a *.tar.gz is probably not reachable for a running Java -system, and hence, not a vulnerability worth reporting. - -2nd note: for zips-inside-zips our scanner does load the inner-zip completely into memory (using ByteArrayInputStream) -before attempting to scan it. You might need to give Java some extra memory if you have extremely large inner-zips on -your system (e.g., 1 GB or larger). - # Usage ``` 
@@ -148,6 +118,38 @@ on your file-system, it then examines that file for this String: "Invalid JNDI U literal is only present in the patched version of Log4J (version 2.15.0). Any versions of Log4J without that String are vulnerable. +# Frequently Asked Questions + +## This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? + +Many scanners (including GitHub's own [Dependabot](https://github.com/dependabot)) currently report both "`log4j-core`" and "`log4j-api`" libraries as vulnerable. These scanners are incorrect. There is currently no existing version of the "`log4j-api`" library that can be exploited by any of these vulnerabilities. + +At MergeBase we pride ourselves on our scan accuracy. You're already busy enough patching and defending your systems. We don't want you to waste your time with false positives. That's why we don't report any hits against `log4j-api`. + + +## Why Report About 2.10.0, 2.15.0, and 2.16.0 ? + +We consider version 2.10.0 important because that's the first version where Log4J's vulnerable "message lookup feature" can be disabled via Log4J configuration. + +We consider version 2.15.0 important because that's the first version where Log4J's default out-of-the-box configuration is not vulnerable to CVE-2021-44228. + +And version 2.16.0 is important because it's not vulnerable to CVE-2021-45046. Despite CVE-2021-45046 being much less serious, +we anticipate everyone will want to patch to 2.16.0. + +## What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? + +The "!" means the log4j-detector entered a zip archive (e.g., *.zip, *.ear, *.war, *.aar, *.jar). Since zip files can +contain zip files, a single result might contain more than one "!" indicator in its result. + +Note: the log4j-detector only recursively enters zip archives. It does not enter tar or gz or bz2, etc. 
The main reason +being that Java systems are often configured to execute jars inside jars, but they are never configured to execute other +file formats (that I know of!). And so a log4j copy inside a *.tar.gz is probably not reachable for a running Java +system, and hence, not a vulnerability worth reporting. + +2nd note: for zips-inside-zips our scanner does load the inner-zip completely into memory (using ByteArrayInputStream) +before attempting to scan it. You might need to give Java some extra memory if you have extremely large inner-zips on +your system (e.g., 1 GB or larger). + # What About Log4J 1.2.x ? Only versions of Log4J 2.x (from 2.0-beta9 to 2.14.1) are vulnerable to CVE-2021-44228. From 9ee23817cb3524bcd4d5bfb564354016c7eaf121 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:35:50 -0800 Subject: [PATCH 12/17] toc 6 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8fafa5c..4c9fa28 100644 --- a/README.md +++ b/README.md @@ -163,7 +163,7 @@ type "javac \*.java". That works, too! # What Is MergeBase All About? -![MergeBase](mergebase.png) +![MergeBase](mergebase-small.png) [MergeBase](https://mergebase.com/) is an SCA company (Software Composition Analysis) based in Vancouver, Canada. We're similar to companies like Snyk, Sonatype, Blackduck, etc., in that we help companies detect and manage vulnerable open-source libraries in their software. Check us out! We have great accuracy, great language support, and we're not too From a0d752be0910001483e8d99dae6e12e46906cbef Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:36:06 -0800 Subject: [PATCH 13/17] toc 7 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4c9fa28..f814328 100644 --- a/README.md +++ b/README.md 
@@ -164,6 +164,7 @@ type "javac \*.java". That works, too! # What Is MergeBase All About? ![MergeBase](mergebase-small.png) + [MergeBase](https://mergebase.com/) is an SCA company (Software Composition Analysis) based in Vancouver, Canada. We're similar to companies like Snyk, Sonatype, Blackduck, etc., in that we help companies detect and manage vulnerable open-source libraries in their software. Check us out! We have great accuracy, great language support, and we're not too From d55c77928ff05d2035520e2387675097800018a9 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:54:16 -0800 Subject: [PATCH 14/17] toc 8 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f814328..6794a4c 100644 --- a/README.md +++ b/README.md @@ -110,6 +110,8 @@ We maintain a collection of log4j samples here: https://github.com/mergebase/lo GPL version 3.0 +# Frequently Asked Questions + # How Does It Work? The Java compiler stores String literals directly in the compiled *.class files. If log4j-detector detects a file @@ -118,8 +120,6 @@ on your file-system, it then examines that file for this String: "Invalid JNDI U literal is only present in the patched version of Log4J (version 2.15.0). Any versions of Log4J without that String are vulnerable. -# Frequently Asked Questions - ## This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? Many scanners (including GitHub's own [Dependabot](https://github.com/dependabot)) currently report both "`log4j-core`" and "`log4j-api`" libraries as vulnerable. These scanners are incorrect. There is currently no existing version of the "`log4j-api`" library that can be exploited by any of these vulnerabilities. From 8fbab21d6c6e751e9e10441a102183b5914c5427 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:57:04 -0800 Subject: [PATCH 15/17] toc 9 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/README.md b/README.md index 6794a4c..bfcb68e 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Detects Log4J versions on your file-system within any application that are vulne - [What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? ](#itemwar) - [What About Log4J 1.2.x ?](#item1.2.x) - [How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?](#itemtrojan) - - [What Is MergeBase All About?](#item) + - [What Is [MergeBase](https://mergebase.com/) All About?](#item) @@ -124,7 +124,7 @@ vulnerable. Many scanners (including GitHub's own [Dependabot](https://github.com/dependabot)) currently report both "`log4j-core`" and "`log4j-api`" libraries as vulnerable. These scanners are incorrect. There is currently no existing version of the "`log4j-api`" library that can be exploited by any of these vulnerabilities. -At MergeBase we pride ourselves on our scan accuracy. You're already busy enough patching and defending your systems. We don't want you to waste your time with false positives. That's why we don't report any hits against `log4j-api`. +At [MergeBase](https://mergebase.com/) we pride ourselves on our scan accuracy. You're already busy enough patching and defending your systems. We don't want you to waste your time with false positives. That's why we don't report any hits against `log4j-api`. ## Why Report About 2.10.0, 2.15.0, and 2.16.0 ? From 92f509a4af1c31799baf28325fa180fed07fc3c7 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:57:53 -0800 Subject: [PATCH 16/17] toc 10 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bfcb68e..c0948ff 100644 --- a/README.md +++ b/README.md 
@@ -20,7 +20,7 @@ Detects Log4J versions on your file-system within any application that are vulne - [What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? ](#itemwar) - [What About Log4J 1.2.x ?](#item1.2.x) - [How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?](#itemtrojan) - - [What Is [MergeBase](https://mergebase.com/) All About?](#item) + - [What Is MergeBase All About?](#item) From 988ff5d41234fbe3e130299e401e2e569a688003 Mon Sep 17 00:00:00 2001 From: Daniel M German Date: Fri, 17 Dec 2021 17:59:12 -0800 Subject: [PATCH 17/17] toc 11 --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c0948ff..ac24aff 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Detects Log4J versions on your file-system within any application that are vulne - [What are those "file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar" results about? ](#itemwar) - [What About Log4J 1.2.x ?](#item1.2.x) - [How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?](#itemtrojan) - - [What Is MergeBase All About?](#item) +- [What Is MergeBase All About?](#item) @@ -150,11 +150,11 @@ system, and hence, not a vulnerability worth reporting. before attempting to scan it. You might need to give Java some extra memory if you have extremely large inner-zips on your system (e.g., 1 GB or larger). -# What About Log4J 1.2.x ? +## What About Log4J 1.2.x ? Only versions of Log4J 2.x (from 2.0-beta9 to 2.14.1) are vulnerable to CVE-2021-44228. -# How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? +## How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? Great question! Since we include the complete source code here in Github (all 750 lines of Java), as well as the steps to build it, and since this tool has zero dependencies, it shouldn't take too long to carefully study the code to your
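Review bot: the TOC links introduced in PATCH 07's `@@ -1,21 +1,23 @@` hunk (`[Introduction](#itemdetector)`, `[Why Report About 2.10.0, 2.15.0, and 2.16.0 ? ](#item2.10.0)`, `[Frequently Asked Questions](#faq)`, `[What Is MergeBase All About?](#item)`, and the rest) point at anchors that no hunk in this series defines: the headings they target appear in the diffs as plain `# Introduction`, `# Frequently Asked Questions`, `## What About Log4J 1.2.x ?` with no `<a name="...">` or id attached. Unless those anchors already exist elsewhere in README.md, every TOC entry is a dead link; either add explicit anchors next to each heading or link to the slugs the renderer generates from the heading text. Several link texts also keep a trailing space inside the brackets (`[Build From Source ](#itembuild)`, `[Testing](#itemtesting)` vs `[Usage](#itemusage)` are inconsistent), which shows up as a stray space in the rendered link; trim them.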
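Review bot: the new top-level heading in PATCH 09's first hunk, `+# Log4-detector`, drops the `j` from the project name; the line it replaces further down in the same patch was `-# log4j-detector`. Use `# log4j-detector` so the title matches the repository name and the jar referenced in the usage examples (`log4j-detector-2021.12.16.jar`).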
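Review bot: heading levels and the TOC disagree for `How Does It Work?`. PATCH 11 demotes the FAQ entries it moves to `##`, PATCH 14 relocates `+# Frequently Asked Questions` above `# How Does It Work?`, and the TOC lists `- [How Does It Work?](#itemwork)` nested under the FAQ, yet the section itself stays a level-1 `# How Does It Work?`. PATCH 17 fixes the same mismatch for `What About Log4J 1.2.x ?` and `How Can I Be Sure This Isn't A Trojan ...` (`-# ...` to `+## ...`) but misses this one; change it to `## How Does It Work?` as well.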
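Review bot: PATCH 15's first hunk nests a link inside link text, `+  - [What Is [MergeBase](https://mergebase.com/) All About?](#item)`, which Markdown does not allow (a link cannot contain another link), and PATCH 16 reverts exactly that line one commit later. Squash the two so the broken intermediate state does not land in history; the second hunk of PATCH 15, which links MergeBase in the body sentence (`At [MergeBase](https://mergebase.com/) we pride ourselves ...`), is the part worth keeping. More generally, the series of `toc`, `toc 2` ... `toc 11` commits (with `toc 6` used twice, for PATCH 11 and PATCH 12) would read better as a single "add table of contents" commit.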
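Review bot: every diffstat in this series touches only `README.md`, yet PATCH 05 adds `[![mergebase.com](mergebase-small.jpg)](https://mergebase.com)`, PATCH 06 changes that to `mergebase-small.png`, and PATCH 12 switches the MergeBase section from `![MergeBase](mergebase.png)` to `![MergeBase](mergebase-small.png)`. Confirm `mergebase-small.png` is actually committed to the repository (none of these patches add it), otherwise both references render as broken images. The tail of PATCH 04 shown at the top of this page, `-](http://mergebase.com)` to `+](http://mergebase.com)`, is a whitespace-only change to a dangling `](...)` fragment that PATCH 05 then replaces; it can be folded into PATCH 05.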