Skip to content

MannemSolutions/log4shelldetect

BranchesTags

Repository files navigation

jarscanner

Scans a file or folder recursively for jar files that contain log4j and other modules by inspecting the class paths inside the jar.

Use this info to find out if it may be vulnerable to Log4Shell (CVE-2021-44228).

Install

Just download the correct version / platform from Releases and run. Or download the container image from dockerhub.

Example:

cd /tmp
curl -L https://github.com/MannemSolutions/log4shelldetect/releases/download/v0.9.2b/log4shelldetect-v0.9.3-linux-amd64.tar.gz | tar -xvz
./log4shelldetect -modversion -hash -class log4j/core/lookup/JndiLookup.class -pom META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties /

Example result:

84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f 2.16.0     DETECTED   test/dir/log4j-core-2.16.0b.jar
UNKNOWN                                                          2.13.3     WORKAROUND test/dir2/velocity-1.1.9.jar
e4abe8708d914d20887d0704ea42b1914eb50e638c3016d8f8d312b39592a768 2.13.3     DETECTED   test/dir3/velocity-1.1.9.jar
UNKNOWN                                                          2.0.0-beta WORKAROUND test/file/log4j-core-2.0-beta6.jar
e4abe8708d914d20887d0704ea42b1914eb50e638c3016d8f8d312b39592a768 2.13.3     DETECTED   test/file/velocity-1.1.9.war

In this result:

  • hash of the log4j/core/lookup/JndiLookup.class in the jar file is printed
    • if existing
    • when multiple versions are embedded, only for the lowest version detected
    • only printed with -hash option
  • Version of log4j is printed
    • only when it is listed in a file META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
    • can be subfolder (e.a. a/b/c/META-INF/...)
  • lists the state:
    • DETECTED: module was detected
    • WORKAROUND: module was detected, but class was removed (probably as a workaround to the CVE issue)
    • UNDETECTED: module was not detected
    • EMPTY: The file is not a jar, but an empty file
    • NOFILE: The file is a symlink pointing to a file that does not exist
    • NOZIP: The file cannot be opened with the zip module
    • UNKNOWN: a weird situation has occurred. Run with -debug to get more details...
  • lists the path to the jar or war file

Issues

If you run into any issue, please let us know (file an issue on github, or mail me at [email protected]).

License

Code here is released to the public domain under unlicense.

With the exception of:

  • ./test/*/velocity-1.1.9.* which is an example vulnerable .jar file part of Velocity which is licensed under GPLv3.
  • All the test/*/log4j* files which are licensed under the Apache 2.0 license...

About

log4shelldetect

Resources

Readme

License

Unlicense license
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 10

v0.9.4 Latest
Apr 7, 2022
+ 9 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages