Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

Hynek Petrak

Last update: Jan 4, 2023

Related tags

Overview

log4shell_finder

Detects Log4J versions on your file-system within any application that are vulnerable to CVE-2021-44228 and CVE-2021-45046. It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Python runs, too!

Currently reports log4j-core versions 2.12.2 and 2.17.0 as SAFE, 2.16.0 as NOTOKAY and all other versions as VULNERABLE (although it does report pre-2.0-beta9 as "MAYBESAFE").

log4j v1.x may appear in the log either as OLDUNSAFE or OLDSAFE depending on presence of JMSAppender.class.

Can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended into uber jars, shaded jars, and even exploded jar files just sitting uncompressed on the file-system (aka *.class).

It can also handle shaded class files - extensions .esclazz (elastic) and .classdata (Azure).

Changelog

Version 1.6-20211221

added checks for JMSAppender.class within log4j v1.x instances

Version 1.5-20211220

fixed bug where --exclude-dirs skipped the given directory, but not it's subdirectories

Version 1.4-20211220

added option --same-fs to skip mounted volumes while scanning.
findings can be saved in json format with --json-out <filename>
skip folder with --exclude-dirs DIR [DIR ...] parameter
use - as folder name to source folder names from stdin, e.g. echo "/home" | test_log4shell.py -

Version 1.3-20211219

handle elastic's SHADED_CLASS_EXTENSION ".esclazz"

Version 1.2-20211219

get exact log4j version from pom.properties

Usage

Either run from a python interpreter or use the Windows/Linux binaries from the dist folder.

# ./test_log4shell.py --help
usage:  Type "test_log4shell.py --help" for more information
        On Windows "test_log4shell.py c:\ d:\"
        On Linux "test_log4shell.py /"

Searches file system for vulnerable log4j version.

positional arguments:
  folders               List of folders or files to scan. Use "-" to read list of files from stdin.

optional arguments:
  -h, --help            show this help message and exit
  --exclude-dirs DIR [DIR ...]
                        Don't search directories containing these strings (multiple supported)
  --same-fs             Don't scan mounted volumens.
  --json-out [FILENAME]
                        Save results to json file.
  -d, --debug           Increase verbosity, mainly for debugging purposes.

Does not require any extra python libraries.

Compile binaries

The binaries were produces with:

pip install pyinstaller
pyinstaller -F ./test_log4shell.py

Sample run

# ./test_log4shell.py ../war/ --exclude-dirs /mnt --same-fs
[2021-12-21 11:16:43,373] [INFO] [I] Starting ./test_log4shell.py ver. 1.6-20211220
[2021-12-21 11:16:43,408] [INFO] [I] Parameters: ./test_log4shell.py ../war/ --exclude-dirs /mnt --same-fs
[2021-12-21 11:16:43,416] [INFO] [I] 'hostname': '<redacted>', 'fqdn': '<redacted>', 'ip': '<redacted>', 'system': 'Linux', 'release': '5.4.0-58-generic', 'version': '#64-Ubuntu SMP Wed Dec 9 08:16:25 UTC 2020', 'machine': 'x86_64', 'cpu': 'x86_64'
[2021-12-21 11:16:43,416] [INFO] [I] Analyzing paths (could take a long time).
[2021-12-21 11:16:43,776] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/elastic-apm-java-aws-lambda-layer-1.28.1.zip:elastic-apm-agent-1.28.1.jar contains Log4J-2.12.1 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:43,850] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/elastic-apm-agent-1.28.1.jar contains Log4J-2.12.1 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:43,916] [INFO] [+] [VULNERABLE] Package /home/hynek/war/spring-boot-application.jar:BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:44,288] [INFO] [+] [VULNERABLE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar contains Log4J-2.14.0 >= 2.10.0
[2021-12-21 11:16:44,335] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0-sources.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:44,557] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0-tests.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:44,659] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,664] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-1.2.17.jar contains Log4J-1.2.17 <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,668] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.0-beta2 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:44,670] [INFO] [+] [OLDUNSAFE] Folder /home/hynek/war/log4j-samples/old-hits/log4j-1.2.17/org/apache/log4j contains Log4J-1.x <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,694] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.15.0.jar contains Log4J-2.15.0 == 2.15.0
[2021-12-21 11:16:44,706] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.9.1.jar contains Log4J-2.9.1 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,718] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.10.0.zip contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:44,725] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.0-beta9 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,737] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:44,818] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/uber/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.5 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,966] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/uber/expanded/org/apache/logging/log4j/core contains Log4J-2.x >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:45,094] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/shaded/clt-1.0-SNAPSHOT.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:45,108] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/shaded/expanded/clt/shaded/l/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:45,150] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/exploded/2.12.1/org/apache/logging/log4j/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:46,054] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.zip:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:47,528] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:48,999] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:50,449] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:51,044] [INFO] [+] [NOTOKAY] Package /home/hynek/war/log4j-samples/false-hits/log4j-core-2.16.0.jar contains Log4J-2.16.0 == 2.16.0
[2021-12-21 11:16:51,058] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/log4j-core-2.12.2.jar contains Log4J-2.12.2 == 2.12.2
[2021-12-21 11:16:51,223] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar contains Log4J-2.17.0 >= 2.17.0
[2021-12-21 11:16:51,266] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0-sources.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,477] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0-tests.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,658] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0-tests.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,681] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar contains Log4J-2.17.0 >= 2.17.0
[2021-12-21 11:16:51,691] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0-sources.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,702] [INFO] [-] [SAFE] Folder /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/exploded/org/apache/logging/log4j/core contains Log4J-2.x >= 2.17.0
[2021-12-21 11:16:51,747] [INFO] [-] [SAFE] Folder /home/hynek/war/log4j-samples/false-hits/exploded/2.12.2/org/apache/logging/log4j/core contains Log4J-2.x == 2.12.2
[2021-12-21 11:16:51,813] [INFO] [+] [VULNERABLE] Package /home/hynek/war/BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:51,916] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/BOOT-INF/lib/org/apache/logging/log4j/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:52,013] [INFO] [+] [VULNERABLE] Package /home/hynek/war/app/spring-boot-application.jar:BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:52,478] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0-tests.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:52,507] [INFO] [+] [VULNERABLE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar contains Log4J-2.14.0 >= 2.10.0
[2021-12-21 11:16:52,530] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0-sources.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:52,555] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/HelloLogging/target/whoiscrawler/WEB-INF/lib/log4j-1.2.17.jar contains Log4J-1.2.17 <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:52,556] [INFO] [I] Finished, found 18 vulnerable or unsafe log4j instances.

Comments

Several improvements to the scanner
Thanks for the scanner, it's great. As part of our use, we have made a few minor improvements to it, maybe they will be useful to everyone.

CVSS score change according to nvd.nist.gov

UTF8 patch, fixes problems on Windows systems with a non-UTF 8 locale installed in path

all new argument, for windows version (close to similar --same-fs on Linux) remove header to --cvs-out, it is not needed when you do multiple system scans, and then combine the file into one. For example, running on a host group (Windows) from a network drive with the parameter log4shell.exe all --csv-out and after scanning the collection to 1 report type *.csv > all.csv (for Windows) cat .csv > all.csv(for Linux)

some changes to cvs output, it becomes more convenient log4shell_1.22.2.6.zip
opened by trust1345 8
Doesn't scale well to multiple CPU cores
I've been running this on our AMD Threadripper 2990WX machine and since it took more than 5 minutes, I started to investigate why.

It looks like the disk is bored and only one CPU core is loaded with 100%, all other cores are also idling.

I didn't have a look at the source code but maybe a two-pass approach might speed things up:

Build a list of all files to be scanned. This probably cannot be parallelized much

Go through the list in several threads so it's not just one CPU core doing all the work
opened by jachstet-sea 5
Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this.

Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this. I liked the proposed implementation. 1 separate row for each host, instead of adding statistics to each row by adding extra columns (when the --csv-stats argument is specified). This approach is better than I originally suggested.

launched on https://github.com/HynekPetrak/log4shell-finder/commit/75cb4f129110f5da8e8132698ed2b52ad34c405c test_log4shell_1.2120220126.py all --csv-out --no-csv-header --no-error --csv-clean --csv-stats output2.csv output1.csv

Proposed format output1-expected.csv output2-expected.csv Also in the proposed output, I propose to slightly change the output of --csv-clean, for unification

thank you in advance.

opened by trust1345 4
Windows: "all" argument to scan all local drives doesn't work on pre-build binary

Hi,

I tried the pre-build windows binary from the dist Folder and realized that the all option to scan all local drives (https://github.com/HynekPetrak/log4shell-finder/commit/a5cfac0a1fd5678a8c144e59d0e862d274d08965) doesn't work, no drives where found, so nothing was scanned until I had to defined c:\ d:\ instead.

I tried to build the binary on my own with pyinstaller and was running into the same issue, by checking the code I assumed that there might be a problem with the win32api and win32file import so drives will become none.

At least for me it was necessary to run pyinstaller --hidden-import win32api --hidden-import win32file -F ./test_log4shell.py to enforce that those modules will be included in the binary. Afterwards the all option was working as expected, every available drives was found and scanned.

Cheers Dominik

opened by wombelix 3
CVE-2022-23307 (chainsaw) detection shouldn't depend on CVE-2022-23302 (jmssink)?

Hi,

the detection for CVE-2022-23307 was introduced in commit https://github.com/HynekPetrak/log4shell-finder/commit/b271f275547f2879ca21e57c38150c1fb1bf2c92 and later changed in commit https://github.com/HynekPetrak/log4shell-finder/commit/b04487e92dd361a9cbc98350f42878e884b2c735.

In the first commit, there was no dependency to any other CVE, in the second one the dependency to JMSSINK was added. As far I understand CVE-2022-23307 and based on my tests, this change / dependency avoids the detection in most cases and therefore should be reverted to the initial state?

Cheers Dominik

opened by wombelix 3
Please add support argument, for line in the csv report when nothing is found on host

1 line from the host with the verdict for example CLEAN. It will help for mass rolling scanning of hosts to have also a list of scanned hosts.

"2022-01-25 00:00:00","1.2120220125","192.192.192.192","localhost.localdomain","Linux","6.x86_64","x86_64","Package","CLEAN","","",""

opened by trust1345 3
Automatic generation of the output file name using the hostname_ip.csv template

FR For mass scanning of a host group by a scanner, it would be great if the name of the output file (when using some key) was generated automatically using the hostname_ip.csv template. This will allow you to collect all the received files into one directory (without thinking about the coincidence of file names) and executing, for example cat ./*.csv > report_all.csv to get a general report.

Thanks for the scanner.

opened by trust1345 3
FR add CSV output for massive scan

FR IIt would be great if there was a -c (csv output) option so that you could wrap the scanner in ansible wrapper and use it on a group of machines. Earlier we wrapped the scanner https://github.com/mergebase/log4j-detector but it doesn't keep up with updates a bit and runs slower (there are also problems with memory consumption). As a result, looks like this. This output is quite convenient for fast processing of a large group of hosts. I have attached an example file. In the attached file, the separator is "@", but you can use for example "," role1.4-output.csv

PS. I think it would also be a good idea to make an exception on all Linux hosts /proc by default, this will reduce the speed of scanning (and accessing swap, when touching /proc), but will not worsen its results.

Thanks for the scanner, it's the best.

opened by trust1345 3
Single binary for windows

For all versions of windows, you can make one common binary file. All versions of windows contain 32 subsystems, so such a binary file will work on all Windows systems.

In order to support all versions of windows from windows 7, you need to use version 3.7.9 to build with pyinstaller

opened by trust1345 2
Please add an argument, that will add to each line of the csv output ( --csv-out ) additional information

Please add an argument, that will add to each line of the csv output ( --csv-out ) information about the passed path argument, when the scanner starts, exclude path, and the time spent on scanning the host (even when the verdict is CLEAN), total scanned files and folders.

This information will be useful for analyzing the scanner's work statistics.

Example in attach. localhost_10.10.10.10.csv

opened by trust1345 1
Please add verdict for Log4J-1.1.1

When the scanner finds Log4J-1.1.1 the verdict turns out to be just an empty space. I think that you need to add a status that would indicate in such cases the need for manual verification, for example manual or add an existing CVE.

2019-06-19 10:10:10 1.2120220117 333.333.333.333 server.com Windows 2022 AMD64 Package ...\lib\log4j-core.jar contains Log4J-1.1.1 <= 1.2.17, JMSAppender.class not found 1.1.1

opened by trust1345 1

Skip reparse points on Windows

import ctypes
def isLink(path):
    if os.path.exists(path):
        if os.path.isdir(path):
            FILE_ATTRIBUTE_REPARSE_POINT = 0x0400
            attributes = ctypes.windll.kernel32.GetFileAttributesW(unicode(path))
            return (attributes & FILE_ATTRIBUTE_REPARSE_POINT) > 0
    return False

opened by HynekPetrak 0

Current scaner binary builds, using pyinstaller
Built a scanner of the current version (1c14e73) using pyInstaller (one binary file, does not require python to run)

Windows 32 bit version, should work on all versions of Windows OS (32-bit and 64-bit) both client and server, starting from w7 and above

Linux 32 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.

Linux 64 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.

It may be useful to anyone.

Windows run example: test_log4shell_1.2120220209.exe all --csv-out --no-csv-header --csv-clean

Linux 32 bit run example: test_log4shell_1.2120220209.bin32 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

Linux 64 bit run example: test_log4shell_1.2120220209.bin64 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

After the work is completed, a short-hostname_ip.csv file with the scan results will appear in the directory from which the file was run.

test_log4shell_1.2120220209_32.zip test_log4shell_1.2120220209_64.zip test_log4shell_1.2120220209_exe.zip
opened by trust1345 0
Please add support 3 CVE (log4j)
CVE-2017-5645

CVE-2021-42550

CVE-2020-9488

It is especially important to detect CVE-2021-42550

Maybe in the documentation (readme) such a table will be useful

| Detect | CVE | CVSSv3 | Severity | java | lib from | lib to | lib fix | | | :----- | :------------- | :----- | :------- | :---- | :--------- | :----------------------------- | :------------------ | :-- | | x | CVE-2021-44228 | 10,0 | Critical | 8 | 2.0-beta9 | 2.14.1 | 2.15.0 | | | - | CVE-2017-5645 | 9,8 | Critical | 7 | 2.0-alpha1 | 2.8.1 | 2.8.2 | | | x | CVE-2021-45046 | 9,0 | Critical | 7/8 | 2.0-beta9 | 2.15.0 excluding 2.12.2 | 2.12.2/2.16.0 | | | x | CVE-2021-4104 | 7,5 | High | - | 1.0 | 1.x | nofix | | | x | CVE-2021-44832 | 6,6 | Medium | 6/7/8 | 2.0-alpha7 | 2.17.0, excluding 2.3.2/2.12.4 | 2.3.2/2.12.4/2.17.1 | | | - | CVE-2021-42550 | 6,6 | Medium | - | 1.0 | 1.2.7 | 1.2.8 | | | x | CVE-2021-45105 | 5,9 | Medium | 6/7/8 | 2.0-beta9 | 2.16.0, excluding 2.12.3 | 2.3.1/2.12.3/2.17.0 | | | - | CVE-2020-9488 | 3,7 | Low | 7/8 | 2.0-alpha1 | 2.13.1 | 2.12.3/2.13.2 | |
opened by trust1345 29

Releases(v1.22)

v1.22(Feb 23, 2022)
Version 1.22-20220222

Added: Reading library version and name (log4j, log4j-core, reload4j) from MANIFEST.MF as well as from pom.properties

Performance improvements by additional 15%

Added: Autodetecting all local drives in mswin with all parameter

Added: --no-csv-header to omit csv header to allow easier merging of results from multiple hosts

Added: Detecting CVE-2017-5645 (9.8), CVE-2019-17571 (9.8), CVE-2022-23307 (8.1), CVE-2022-23305 (9.8), CVE-2022-23305 (9.8), CVE-2022-23302 (8.1), improved detection of CVE-2017-5645

Added: --threads parameter to manually tune number of scanning threads

Added: --cvs-clean parameter in order to write "CLEAN" line to csv output in case no log4j library detected

Added: --cvs-stats parameter in order to write "STATS" line to csv output with runtime in seconds and number of files and folders scanned

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64(6.60 MB)
test_log4shell-mswin32.exe(5.90 MB)
test_log4shell-mswin64.exe(7.46 MB)
v1.21(Jan 9, 2022)
Version 1.21-20220109

Fixed bug: --fix command in version 1.19 and 1.20 could corrupt .jar archives.

Performance improvement via multithreaded scanning

Fixed searching within extracted log4j folders on Windows

Removed mmap access due to incompatibility with Windows.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin32.zip(5.63 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.18(Jan 7, 2022)
Version 1.18-20220107

Code readability and performance improvements

Added parameter --file-log [LOGFILE] to enable logging to log file, default is log4shell-finder.log.

Added parameter --progress [SEC] to enable progress reporting every SEC seconds, default is 10 seconds.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin32.zip(5.63 MB)
test_log4shell-mswin64.zip(7.17 MB)
1.17(Jan 5, 2022)
Version 1.17-20220105

Reworked status reporting, now listing all CVEs relevant for specific version of log4j.

Added --no-error to suppress file system error messages (e.g. Access Denied, corrupted zip archive).

Suppressed STRANGE status reporting by default - STRANGE are mainly source packages, that do not contain class binaries.

Added --strange to report also STRANGE instances.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.16(Dec 30, 2021)
Version 1.16

Fixed detection of 2.12.3 extracted

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.15(Dec 30, 2021)
Version 1.15

Added support for versions 2.3.2, 2.12.4 and 2.17.1

Reporting actual CVEs instead of VULNERABLE or NOTOKAY status

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.13(Dec 28, 2021)
Version 1.13

Do not use version 1.11 and 1.12. They may corrupt .jar archives with --fix command

Added additional possible "JAR" file extensions.

Fixed bug: --fix command could corrupt .jar archives.

minor fix: status for 2.12.2 as NOTOKAY

added --fix parameter with attempt to fix the vulnerability by renaming JndiLookup.class to JndiLookup.vulne. At the moment it can handle .class files on disk and within 1st level archives. Class cannot be renamed in archives imbedded in other archives (nested).

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.10(Dec 22, 2021)
Version 1.10-20211222

added detection of 2.12.3 and 2.3.1

added option to disable default logging to file --no-file-log

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.8(Dec 22, 2021)
added host information to the json file

possibility to save output to csv with --csv-out

if you omit file names for --json-out or --csv-out then the file name has a form: hostname_ipaddress.<csv|json>

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.6(Dec 21, 2021)
Version 1.6-20211221

added checks for JMSAppender.class within v1.x version

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.5(Dec 20, 2021)
Version 1.5-20211220

bugfix for --exlude-dirs

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.4(Dec 20, 2021)
Version 1.4-20211220

added option --same-fs to skip mounted volumes while scanning.

findings can be saved in json format with --json-out <filename>

skip folder with --exclude-dirs DIR [DIR ...] parameter

use - as folder name to source folder names from stdin, e.g. echo "/home" | test_log4shell.py -

Source code(tar.gz)
Source code(zip)
test_log4shel-mswin64l.zip(7.17 MB)
test_log4shell-linux64.zip(6.51 MB)
v1.3(Dec 19, 2021)

Version 1.3 - handle elastic packages with shaded class names.
Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin64.zip(7.15 MB)
v1.2(Dec 19, 2021)
Version 1.2-20211219

now extracting exact version from pom.properties for jar/war.. packages.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin.zip(7.15 MB)
1.1(Dec 19, 2021)

Version 1.1
Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin.zip(7.15 MB)

Owner

Hynek Petrak

GitHub

Scans all drives for log4j jar files and gets their version from the manifest

log4shell_scanner Scans all drives for log4j jar files and gets their version from the manifest. Windows and Windows Server only.

1 Dec 29, 2021

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

log4j-finder A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to Log4Shell (CVE-2021-44228) It scans recursively both on disk

431 Dec 22, 2022

Python3 script for scanning CVE-2021-44228 (Log4shell) vulnerable machines.

Log4j_checker.py (CVE-2021-44228) Description This Python3 script tries to look for servers vulnerable to CVE-2021-44228, also known as Log4Shell, a v

8 Feb 27, 2022

Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

187 Jan 3, 2023

Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

1 Dec 15, 2021

open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability

CVE-2021-44228-log4jVulnScanner-metasploit open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability pre

7 Nov 9, 2022

zip-brute Zip File Password Cracking with Using Password List

Zip brute is a python script that cracks zip that are password protected using a wordlist dictionary.

13 Nov 3, 2022

A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

7 Aug 6, 2022

A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks

Log4j dork scanner This is an auto script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks. Installation:

5 Dec 27, 2022

Northwave Log4j CVE-2021-44228 checker

Northwave Log4j CVE-2021-44228 checker Friday 10 December 2021 a new Proof-of-Concept 1 addressing a Remote code Execution (RCE) vulnerability in the

125 Dec 9, 2022

Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

5 Nov 9, 2022

A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

20 Nov 11, 2022

Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

144 Nov 19, 2022

Tools for investigating Log4j CVE-2021-44228

Log4jTools Tools for investigating Log4j CVE-2021-44228 FetchPayload.py (Get java payload from ldap path provided in JNDI lookup). Example command: Re

91 Dec 29, 2022

Log4j command generator: Generate commands for CVE-2021-44228

Log4j command generator Generate commands for CVE-2021-44228. Description The vulnerability exists due to the Log4j processor's handling of log messag

1 Jan 3, 2022

log4j-tools: CVE-2021-44228 poses a serious threat to a wide range of Java-based applications

log4j-tools Quick links Click to find: Inclusions of log4j2 in compiled code Calls to log4j2 in compiled code Calls to log4j2 in source code Overview

171 Dec 25, 2022

Scans for Log4j versions effected by CVE-2021-44228

check_mkExtension to check for log4j2 CVE-2021-44228 This Plugin wraps around logpresso/CVE-2021-44228-Scanner (Apache License 2.0) How it works Run i

4 Jun 30, 2022

An automated header extensive scanner for detecting log4j RCE CVE-2021-44228

log4j An automated header extensive scanner for detecting log4j RCE CVE-2021-44228 Usage $ python3 log4j.py -l urls.txt --dns-log REPLACE_THIS.dnslog.

2 Dec 16, 2021

CVE-2021-44228 log4j 2.x rce漏洞检测工具

#1 使用说明 CVE-2021-44228 log4j 2.x rce漏洞检测工具，对目标链接发起get请求并利用dnslog探测是否有回显 $ python3 log4j-scan.py -h

4 Jan 13, 2022

Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

Related tags

Overview

log4shell_finder

Changelog

Version 1.6-20211221

Version 1.5-20211220

Version 1.4-20211220

Version 1.3-20211219

Version 1.2-20211219

Usage

Compile binaries

Sample run

Comments

Built a scanner of the current version (1c14e73) using pyInstaller (one binary file, does not require python to run)

Releases(v1.22)

v1.22(Feb 23, 2022)

v1.21(Jan 9, 2022)

v1.18(Jan 7, 2022)

1.17(Jan 5, 2022)

v1.16(Dec 30, 2021)

v1.15(Dec 30, 2021)

v1.13(Dec 28, 2021)

v1.10(Dec 22, 2021)

v1.8(Dec 22, 2021)

v1.6(Dec 21, 2021)

v1.5(Dec 20, 2021)

v1.4(Dec 20, 2021)

v1.3(Dec 19, 2021)

v1.2(Dec 19, 2021)

1.1(Dec 19, 2021)

Owner

Hynek Petrak

Scans all drives for log4j jar files and gets their version from the manifest

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

Python3 script for scanning CVE-2021-44228 (Log4shell) vulnerable machines.

Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability

zip-brute Zip File Password Cracking with Using Password List

A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks

Northwave Log4j CVE-2021-44228 checker

Python script that sends CVE-2021-44228 log4j payload requests to url list

A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

Tools for investigating Log4j CVE-2021-44228

Log4j command generator: Generate commands for CVE-2021-44228

log4j-tools: CVE-2021-44228 poses a serious threat to a wide range of Java-based applications

Scans for Log4j versions effected by CVE-2021-44228

An automated header extensive scanner for detecting log4j RCE CVE-2021-44228

CVE-2021-44228 log4j 2.x rce漏洞检测工具