Log4-detector | CVE-2021-44228 |
Log4-detector | CVE-2021-44228
Distinguishes Log4J forms on your record framework inside any application that are powerless against CVE-2021-44228 and CVE-2021-45046. It can even observe cases that are covered up a few layers profound. Deals with Linux, Windows, and Mac, and wherever else Java runs, as well
Example Usage
java -jar log4j-detector-2021.12.20.jar [path-to-scan] > hits.txt
More Example Usage:
java -jar log4j-detector-2021.12.20.jar ./samples
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
/opt/mergebase/log4j-detector/samples/clt-1.0-SNAPSHOT.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/opt/mergebase/log4j-detector/samples/log4j-1.2.13.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/opt/mergebase/log4j-detector/samples/log4j-1.2.17.jar contains Log4J-1.x <= 1.2.17 _OLD_ :-|
/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta2.jar contains Log4J-2.x <= 2.0-beta8 _POTENTIALLY_SAFE_ :-| (or did you already remove JndiLookup.class?)
/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta9.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.0.2.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.0.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.10.0.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.12.2.jar contains Log4J-2.x >= 2.12.2 _SAFE_ :-)
/opt/mergebase/log4j-detector/samples/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.15.0.jar contains Log4J-2.x >= 2.15.0 _OKAY_ :-|
/opt/mergebase/log4j-detector/samples/log4j-core-2.16.0.jar contains Log4J-2.x >= 2.16.0 _SAFE_ :-)
/opt/mergebase/log4j-detector/samples/log4j-core-2.4.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
/opt/mergebase/log4j-detector/samples/log4j-core-2.9.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) _VULNERABLE_ :-(
Understanding The Results
_VULNERABLE_ - > You really want to redesign or eliminate this record.
_OKAY_ - > We just report this for Log4J form 2.15.0. We prescribe moving up to 2.16.0.
_SAFE_ - > We at present just report this for Log4J adaptations 2.16.0 and 2.12.2.
_OLD_ - > You are protected from CVE-2021-44228, however should plan to update in light of the fact that Log4J 1.2.x has been EOL for a considerable length of time and has a few known-weaknesses.
_POTENTIALLY_SAFE_ - > The "JndiLookup.class" document is absent, either on the grounds that your form of Log4J is extremely old (pre 2.0-beta9), or on the grounds that somebody previously eliminated this record. Ensure it was somebody in your group or organization that eliminated "JndiLookup.class" assuming that is the situation, since assailants have been known to eliminate this document themselves to keep extra contending aggressors from accessing compromised frameworks.
Usage
java -jar log4j-detector-2021.12.20.jar
Usage: java -jar log4j-detector-2021.12.20.jar [--verbose] [paths to scan...]
Exit codes: 0 = No vulnerable Log4J versions found.
1 = At least one legacy Log4J 1.x version found.
2 = At least one vulnerable Log4J version found.
About - MergeBase log4j detector (version 2021.12.20)
Docs - https://github.com/mergebase/log4j-detector
(C) Copyright 2021 Mergebase Software Inc. Licensed to you via GPLv3.
Build From Source
git clone https://github.com/mergebase/log4j-detector.git
cd log4j-detector/
mvn install
java -jar target/log4j-detector-2021.12.20.jar