Log4J-Detector : Detects Log4J versions on your file-system within any application that are vulnerable to CVE-2021-44228 and CVE-2021-45046

Log4J-Detector is a Scanner that detects vulnerable Log4J versions to help teams assess their exposure to CVE-2021-44228 (CRITICAL), CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. Can search for Log4J instances by carefully examining the complete file-system, including all installed applications. It is able to find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Introduction

Currently reports log4j-core versions 2.3.2, 2.12.4, and 2.17.1 as _SAFE_, 2.3.1, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0 as _OKAY_ and all other versions as _VULNERABLE_ (although it does report pre-2.0-beta9 as _POTENTIALLY_SAFE_). It reports older log4j-1.x versions as _OLD_.

Can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended into uber jars, shaded jars, and even exploded jar files just sitting uncompressed on the file-system (aka *.class).

We currently maintain a collection of log4j-samples we use for testing.

Example Usage

java -jar log4j-detector-2021.12.29.jar ./samples

— github.com/mergebase/log4j-detector v2021.12.29 (by mergebase.com) analyzing paths (could take a while).
— Note: specify the ‘–verbose’ flag to have every file examined printed to STDERR.
false-hits/log4j-core-2.12.2.jar contains Log4J-2.x == 2.12.2 OKAY
false-hits/log4j-core-2.12.3.jar contains Log4J-2.x == 2.12.3 OKAY
false-hits/log4j-core-2.12.4.jar contains Log4J-2.x == 2.12.4 SAFE
false-hits/log4j-core-2.15.0.jar contains Log4J-2.x == 2.15.0 OKAY
false-hits/log4j-core-2.16.0.jar contains Log4J-2.x == 2.16.0 OKAY
false-hits/log4j-core-2.17.0.jar contains Log4J-2.x == 2.17.0 OKAY
false-hits/log4j-core-2.17.1.jar contains Log4J-2.x >= 2.17.1 SAFE
false-hits/log4j-core-2.3.1.jar contains Log4J-2.x == 2.3.1 OKAY
false-hits/log4j-core-2.3.2.jar contains Log4J-2.x == 2.3.2 SAFE
true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE true-hits/log4j-core-2.10.0.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
true-hits/log4j-core-2.10.0.zip contains Log4J-2.x >= 2.10.0 VULNERABLE
true-hits/log4j-core-2.11.0.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
true-hits/log4j-core-2.11.1.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
true-hits/log4j-core-2.11.2.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
true-hits/log4j-core-2.12.0.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
true-hits/log4j-core-2.12.1.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
true-hits/log4j-core-2.14.0.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
true-hits/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
true-hits/log4j-core-2.2.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE true-hits/log4j-core-2.3.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE true-hits/log4j-core-2.4.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE true-hits/log4j-core-2.4.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE true-hits/log4j-core-2.9.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE
old-hits/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17 OLD
old-hits/log4j-1.2.17.jar contains Log4J-1.x <= 1.2.17 OLD
old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.x <= 2.0-beta8 POTENTIALLY_SAFE (Did you remove JndiLookup.class?)

Understanding The Results

_VULNERABLE_ -> You need to upgrade or remove this file.

_OKAY_ -> We report this for Log4J versions 2.3.1, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0. We recommend upgrading to 2.17.1.

_SAFE_ -> We currently only report this for Log4J versions 2.3.2, 2.12.4, and 2.17.1 (and greater).

_OLD_ -> You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and has several known-vulnerabilities.

_POTENTIALLY_SAFE_ -> The “JndiLookup.class” file is not present, either because your version of Log4J is very old (pre 2.0-beta9), or because someone already removed this file. Make sure it was someone in your team or company that removed “JndiLookup.class” if that’s the case, because attackers have been known to remove this file themselves to prevent additional competing attackers from gaining access to compromised systems.

Usage

java -jar log4j-detector-2021.12.29.jar
Usage: java -jar log4j-detector-2021.12.29.jar [–verbose] [–json] [–stdin] [–exclude=X] [paths to scan…]
–json – Output STDOUT results in JSON. (Errors/warning still emitted to STDERR)
–stdin – Read STDIN for paths to explore (one path per line)
–exclude=X – Where X is a JSON list containing full paths to exclude. Must be valid JSON.
Example: –exclude='[“/dev”, “/media”, “Z:\TEMP”]’
Exit codes: 0 = No vulnerable Log4J versions found.
1 = At least one legacy Log4J 1.x version found.
2 = At least one vulnerable Log4J version found.
About – MergeBase log4j detector (version 2021.12.29)
Docs – https://github.com/mergebase/log4j-detector
(C) Copyright 2021 Mergebase Software Inc. Licensed to you via GPLv3.

Build From Source

git clone https://github.com/mergebase/log4j-detector.git
cd log4j-detector/
mvn install
java -jar target/log4j-detector-latest.jar