Bug when exporting Reports related to CVE-2021-4104

[markus8899]

hello,

I just noticed that .jar files that are vulnerable to CVE-2021-4104 seem to have a problem when exporting out to .csv or .json.

I run log4j-scan.exe with the parameter --fix --Report-csv --report-json. The console shows that there are findings and that they have been fixed. This is also written to the log file.

If I then run the scan again to check whether everything is OK, the console shows that the files were found but have already been mitigated. However, a different status is written in the report, namely "Potentially vulnerable". This only happens with files that are affected by CVE-2021-4104. All other files are correctly written in the log with "Mitigated".

I can reproduce this on any computer with this CVE.

Thanks for all your work!
Regards, Markus

[xeraph]

@markus8899 Would you test new v2.5.3 release?

[markus8899]

It now works perfectly. Thank you very much!

[xeraph]

@markus8899 Happy to hear that. :D

[markus8899]

Sorry, I just noticed that CVE-2021-42550 still behaves as described above. Could you please check / fix this?

[xeraph]

@markus8899 Scanner does not fix logback. I cannot ensure that it is safe to remove ch/qos/logback/classic/util/JNDIUtil.class. If you do it manually, you would see mitigated report.

[markus8899]

oh, i see. thanks

[markus8899]

Hello, thank you for your great work.
i think the bug appears again in version 3.0.1. Anyway, when we check the exported .logs, the classes from CVE-2021-4104 are again marked as vulnerable although the classes have already been deleted from the archives via Logpresso. maybe this can be fixed again.
Thank you!