From 2f3f9c11a67b71f8eb9ae483deacce64a2a5df47 Mon Sep 17 00:00:00 2001 From: Yun Zheng Hu Date: Fri, 17 Dec 2021 11:31:32 +0100 Subject: [PATCH] Emphasis NOT and ONLY and added Rationale --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4c695b1..7193f48 100644 --- a/README.md +++ b/README.md 
@@ -9,16 +9,16 @@ It scans recursively both on disk and inside (nested) Java Archive files (JARs). log4j-finder identifies `log4j2` libraries on your filesystem using a list of *known bad* and *known good* MD5 hashes of specific files (currently only `JndiManager.class`) present in `log4j2-core-*` packages; the main package that is affected by `log4shell`. It searches for these files inside Java Archive files and on the filesystem. The `log4j2` version is then identified based on the MD5 hash of this file. -To optimize scanning speed, it searches the filesystem and processes only the following filenames: +To optimize scanning speed, it searches the filesystem and processes ONLY the following filenames: * All files with `Java ARchive` file extensions in the filename (also nested in these archives): * `*.jar`, `*.war`, `*.ear` * Filenames that we have *known bad* and *good* hashes for (also inside above archives, and nested): * `JndiManager.class` -If the file has a `Java ARchive` file extension, it will check inside these archives (all in memory, nothing is unpacked) to search for the filenames that the script has *known* hashes for. It also looks inside nested archives, for example, a `JAR` file in a `WAR` file. +If the file matches one of the extensions mentioned above, it will check inside these archives (all in memory, nothing is unpacked) to search for the filenames that the script has *known* hashes for. It also looks inside nested archives, for example, a `JAR` file in a `WAR` file. -The script does not process non Java ARchive formats such as `7z`, `RAR`, `TAR`, `BZ2`, etc. So, for example, if a `JAR` file is inside a `7z` file, the script will not find it. +The script does NOT process other archive file extensions such as `7z`, `RAR`, `TAR`, `BZ2`, etc. So, for example, if a `JAR` file is inside a `7z` file, the script will not find it. The rationale is that Java can only load `Java ARchive` formats so we only process those. 
Unknown MD5 hashes are shown as `UNKNOWN`; this could happen if a non `log4j2` Java package uses the same filename that this script searches for. It's most likely not `log4j2` if the identified file path does not contain references to `org/apache/logging/log4j`. However, manual verification is still recommended.
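Review bot: the rationale sentence added at the end of the last changed paragraph talks about `Java ARchive` formats, but the list above it and the reworded "does NOT process other archive file extensions" sentence both select files by filename extension (`*.jar`, `*.war`, `*.ear`). Those are not equivalent: going by the README's own wording, an archive in JAR format stored under any other extension is not processed. Suggest stating that limit directly next to the rationale, for example "Selection is by file extension, so a Java archive with a different extension is not scanned", so a clean result is not read as covering every archive Java could load. In the same hunk, "If the file matches one of the extensions mentioned above" now points at a list that also contains the plain filename `JndiManager.class`; "one of the `Java ARchive` extensions listed above" would keep it unambiguous. Style: the README already uses `*known bad*` and `*known good*` for emphasis, so `**only**` and `**not**` would be more consistent than capitals.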