Detects Log4J versions on your file-system within any application that are vulnerable to CVE-2021-44228 and CVE-2021-45046. It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!
It reports log4j-core versions 2.12.2 and 2.17.0 as _SAFE_, 2.15.0 and 2.16.0 as _OKAY_, and all other versions as _VULNERABLE_ (although it does report pre-2.0-beta9 as "_POTENTIALLY_SAFE_").
Can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended into uber jars, shaded jars, and even exploded jar files just sitting uncompressed on the file-system (aka *.class).
We currently maintain a collection of log4j-samples we use for testing.
java -jar log4j-detector-2021.12.17.jar [path-to-scan] > hits.txt
java -jar log4j-detector-2021.12.17.jar ./samples
-- github.com/mergebase/log4j-detector v2021.12.17 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
/opt/mergebase/log4j-detector/samples/clt-1.0-SNAPSHOT.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/opt/mergebase/log4j-detector/samples/log4j-1.2.13.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/opt/mergebase/log4j-detector/samples/log4j-1.2.17.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta2.jar contains Log4J-2.x <= 2.0-beta8 _POTENTIALLY_SAFE_ :-| (or did you already remove JndiLookup.class?)
/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta9.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.0.2.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.0.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.10.0.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.12.2.jar contains Log4J-2.x >= 2.12.2 _SAFE_ :-)
/opt/mergebase/log4j-detector/samples/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.15.0.jar contains Log4J-2.x >= 2.15.0 _OKAY_ :-|
/opt/mergebase/log4j-detector/samples/log4j-core-2.16.0.jar contains Log4J-2.x >= 2.16.0 _OKAY_ :-)
/opt/mergebase/log4j-detector/samples/log4j-core-2.17.0.jar contains Log4J-2.x >= 2.16.0 _SAFE_ :-)
/opt/mergebase/log4j-detector/samples/log4j-core-2.4.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.9.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
_VULNERABLE_ -> You need to upgrade or remove this file.
_OKAY_ -> We only report this for Log4J versions 2.15.0 and 2.16.0. We recommend upgrading to 2.17.0.
_SAFE_ -> We currently only report this for Log4J versions 2.17.0 and 2.12.2.
_OLD_ -> You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and has several known vulnerabilities.
_POTENTIALLY_SAFE_ -> The “JndiLookup.class” file is not present, either because your version of Log4J is very old (pre 2.0-beta9), or because someone already removed this file. Make sure it was someone in your team or company that removed “JndiLookup.class” if that’s the case, because attackers have been known to remove this file themselves to prevent additional competing attackers from gaining access to compromised systems.
Many scanners (including GitHub's own Dependabot) currently report both "log4j-core" and "log4j-api" libraries as vulnerable. These scanners are incorrect. There is currently no existing version of the "log4j-api" library that can be exploited by any of these vulnerabilities.
We consider version 2.10.0 important because that’s the first version where Log4J’s vulnerable “message lookup feature” can be disabled via Log4J configuration.
We consider versions 2.15.0 and 2.16.0 important because these are the first versions where Log4J’s default out-of-the-box configuration is not vulnerable to CVE-2021-44228.
And version 2.17.0 is important because it’s not vulnerable to CVE-2021-45046. Despite CVE-2021-45046 being much less serious, we anticipate everyone will want to patch to 2.17.0.
The "!" means the log4j-detector entered a zip archive (e.g., *.zip, *.ear, *.war, *.aar, *.jar). Since zip files can contain zip files, a single result might contain more than one "!" indicator.
Note: the log4j-detector only recursively enters zip archives. It does not enter tar or gz or bz2, etc. The main reason is that Java systems are often configured to execute jars inside jars, but they are never configured to execute other file formats (that I know of!). And so a log4j copy inside a *.tar.gz is probably not reachable for a running Java system, and hence, not a vulnerability worth reporting.
Second note: for zips-inside-zips our scanner does load the inner zip completely into memory (using ByteArrayInputStream) before attempting to scan it. You might need to give Java some extra memory if you have extremely large inner zips on your system (e.g., 1 GB or larger).
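The following is an added example, not code from the log4j-detector project: a small Python scanner illustrating the mechanics described above (descending only into zip-family archives, holding each inner zip fully in memory, joining nesting levels with "!", checking for JndiLookup.class, and catching exploded class files on disk). The sample tree it builds is constructed for the demo and contains no real log4j code.

```python
import io
import os
import tempfile
import zipfile

# Container formats to descend into; tar/gz/bz2 are deliberately not entered.
ARCHIVE_EXT = (".zip", ".ear", ".war", ".aar", ".jar")
CORE_PKG = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PKG + "lookup/JndiLookup.class"

def _scan_zip_bytes(data, label, hits):
    # Inspect one archive held in memory; nested archives get label + "!" + entry name.
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # mis-named or corrupt entry: nothing to report, keep going
    names = set(zf.namelist())
    if any(n.startswith(CORE_PKG) for n in names):
        # log4j-core is inside; report whether JndiLookup.class is still present
        hits.append((label, "JndiLookup present" if JNDI_CLASS in names else "JndiLookup absent"))
    for n in sorted(names):
        if n.lower().endswith(ARCHIVE_EXT):
            _scan_zip_bytes(zf.read(n), label + "!" + n, hits)  # inner zip fully in memory

def scan_tree(root):
    # Walk a directory; returns (label, status) tuples with labels relative to root.
    hits = []
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for f in sorted(files):
            rel = f if rel_dir == "." else rel_dir + "/" + f
            if f.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    _scan_zip_bytes(fh.read(), rel, hits)
            elif rel.endswith(JNDI_CLASS):  # exploded jar: the class sits uncompressed on disk
                hits.append((rel, "JndiLookup present (exploded)"))
    return hits

def _zip_bytes(entries):
    # Build a zip in memory from a {name: bytes} mapping.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree():
    # Constructed fixture (placeholder bytes, not real log4j): a war wrapping a core jar, plus an exploded copy.
    root = tempfile.mkdtemp()
    core_jar = _zip_bytes({JNDI_CLASS: b"\xca\xfe\xba\xbe", CORE_PKG + "Core.class": b""})
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(_zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": core_jar}))
    exploded = os.path.join(root, "exploded", *JNDI_CLASS.split("/")[:-1])
    os.makedirs(exploded)
    with open(os.path.join(exploded, "JndiLookup.class"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe")
    return root
```

Running `scan_tree(build_sample_tree())` yields one hit labelled `app.war!WEB-INF/lib/log4j-core-2.14.1.jar` and one for the exploded class; a jar whose JndiLookup.class was stripped is reported as "JndiLookup absent", which is the case the _POTENTIALLY_SAFE_ legend above tells you to investigate.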
java -jar log4j-detector-2021.12.17.jar
Usage: java -jar log4j-detector-2021.12.17.jar [--verbose] [paths to scan...]
Exit codes: 0 = No vulnerable Log4J versions found.
            1 = At least one legacy Log4J 1.x version found.
            2 = At least one vulnerable Log4J version found.
About - MergeBase log4j detector (version 2021.12.17)
Docs - https://github.com/mergebase/log4j-detector
(C) Copyright 2021 Mergebase Software Inc. Licensed to you via GPLv3.