Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

Last update: Jan 04, 2023

Overview

log4shell_finder

Detects Log4J versions on your file-system within any application that are vulnerable to CVE-2021-44228 and CVE-2021-45046. It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Python runs, too!

Currently reports log4j-core versions 2.12.2 and 2.17.0 as SAFE, 2.16.0 as NOTOKAY and all other versions as VULNERABLE (although it does report pre-2.0-beta9 as "MAYBESAFE").

log4j v1.x may appear in the log either as OLDUNSAFE or OLDSAFE depending on presence of JMSAppender.class.

Can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended into uber jars, shaded jars, and even exploded jar files just sitting uncompressed on the file-system (aka *.class).

It can also handle shaded class files - extensions .esclazz (elastic) and .classdata (Azure).

Changelog

Version 1.6-20211221

added checks for JMSAppender.class within log4j v1.x instances

Version 1.5-20211220

fixed bug where --exclude-dirs skipped the given directory, but not it's subdirectories

Version 1.4-20211220

added option --same-fs to skip mounted volumes while scanning.
findings can be saved in json format with --json-out <filename>
skip folder with --exclude-dirs DIR [DIR ...] parameter
use - as folder name to source folder names from stdin, e.g. echo "/home" | test_log4shell.py -

Version 1.3-20211219

handle elastic's SHADED_CLASS_EXTENSION ".esclazz"

Version 1.2-20211219

get exact log4j version from pom.properties

Usage

Either run from a python interpreter or use the Windows/Linux binaries from the dist folder.

# ./test_log4shell.py --help
usage:  Type "test_log4shell.py --help" for more information
        On Windows "test_log4shell.py c:\ d:\"
        On Linux "test_log4shell.py /"

Searches file system for vulnerable log4j version.

positional arguments:
  folders               List of folders or files to scan. Use "-" to read list of files from stdin.

optional arguments:
  -h, --help            show this help message and exit
  --exclude-dirs DIR [DIR ...]
                        Don't search directories containing these strings (multiple supported)
  --same-fs             Don't scan mounted volumens.
  --json-out [FILENAME]
                        Save results to json file.
  -d, --debug           Increase verbosity, mainly for debugging purposes.

Does not require any extra python libraries.

Compile binaries

The binaries were produces with:

pip install pyinstaller
pyinstaller -F ./test_log4shell.py

Sample run

# ./test_log4shell.py ../war/ --exclude-dirs /mnt --same-fs
[2021-12-21 11:16:43,373] [INFO] [I] Starting ./test_log4shell.py ver. 1.6-20211220
[2021-12-21 11:16:43,408] [INFO] [I] Parameters: ./test_log4shell.py ../war/ --exclude-dirs /mnt --same-fs
[2021-12-21 11:16:43,416] [INFO] [I] 'hostname': '<redacted>', 'fqdn': '<redacted>', 'ip': '<redacted>', 'system': 'Linux', 'release': '5.4.0-58-generic', 'version': '#64-Ubuntu SMP Wed Dec 9 08:16:25 UTC 2020', 'machine': 'x86_64', 'cpu': 'x86_64'
[2021-12-21 11:16:43,416] [INFO] [I] Analyzing paths (could take a long time).
[2021-12-21 11:16:43,776] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/elastic-apm-java-aws-lambda-layer-1.28.1.zip:elastic-apm-agent-1.28.1.jar contains Log4J-2.12.1 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:43,850] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/elastic-apm-agent-1.28.1.jar contains Log4J-2.12.1 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:43,916] [INFO] [+] [VULNERABLE] Package /home/hynek/war/spring-boot-application.jar:BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:44,288] [INFO] [+] [VULNERABLE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar contains Log4J-2.14.0 >= 2.10.0
[2021-12-21 11:16:44,335] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0-sources.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:44,557] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0-tests.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:44,659] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,664] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-1.2.17.jar contains Log4J-1.2.17 <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,668] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.0-beta2 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:44,670] [INFO] [+] [OLDUNSAFE] Folder /home/hynek/war/log4j-samples/old-hits/log4j-1.2.17/org/apache/log4j contains Log4J-1.x <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,694] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.15.0.jar contains Log4J-2.15.0 == 2.15.0
[2021-12-21 11:16:44,706] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.9.1.jar contains Log4J-2.9.1 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,718] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.10.0.zip contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:44,725] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.0-beta9 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,737] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:44,818] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/uber/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.5 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,966] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/uber/expanded/org/apache/logging/log4j/core contains Log4J-2.x >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:45,094] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/shaded/clt-1.0-SNAPSHOT.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:45,108] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/shaded/expanded/clt/shaded/l/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:45,150] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/exploded/2.12.1/org/apache/logging/log4j/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:46,054] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.zip:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:47,528] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:48,999] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:50,449] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:51,044] [INFO] [+] [NOTOKAY] Package /home/hynek/war/log4j-samples/false-hits/log4j-core-2.16.0.jar contains Log4J-2.16.0 == 2.16.0
[2021-12-21 11:16:51,058] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/log4j-core-2.12.2.jar contains Log4J-2.12.2 == 2.12.2
[2021-12-21 11:16:51,223] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar contains Log4J-2.17.0 >= 2.17.0
[2021-12-21 11:16:51,266] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0-sources.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,477] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0-tests.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,658] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0-tests.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,681] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar contains Log4J-2.17.0 >= 2.17.0
[2021-12-21 11:16:51,691] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0-sources.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,702] [INFO] [-] [SAFE] Folder /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/exploded/org/apache/logging/log4j/core contains Log4J-2.x >= 2.17.0
[2021-12-21 11:16:51,747] [INFO] [-] [SAFE] Folder /home/hynek/war/log4j-samples/false-hits/exploded/2.12.2/org/apache/logging/log4j/core contains Log4J-2.x == 2.12.2
[2021-12-21 11:16:51,813] [INFO] [+] [VULNERABLE] Package /home/hynek/war/BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:51,916] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/BOOT-INF/lib/org/apache/logging/log4j/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:52,013] [INFO] [+] [VULNERABLE] Package /home/hynek/war/app/spring-boot-application.jar:BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:52,478] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0-tests.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:52,507] [INFO] [+] [VULNERABLE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar contains Log4J-2.14.0 >= 2.10.0
[2021-12-21 11:16:52,530] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0-sources.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:52,555] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/HelloLogging/target/whoiscrawler/WEB-INF/lib/log4j-1.2.17.jar contains Log4J-1.2.17 <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:52,556] [INFO] [I] Finished, found 18 vulnerable or unsafe log4j instances.

Comments

Several improvements to the scanner
Thanks for the scanner, it's great. As part of our use, we have made a few minor improvements to it, maybe they will be useful to everyone.

CVSS score change according to nvd.nist.gov

UTF8 patch, fixes problems on Windows systems with a non-UTF 8 locale installed in path

all new argument, for windows version (close to similar --same-fs on Linux) remove header to --cvs-out, it is not needed when you do multiple system scans, and then combine the file into one. For example, running on a host group (Windows) from a network drive with the parameter log4shell.exe all --csv-out and after scanning the collection to 1 report type *.csv > all.csv (for Windows) cat .csv > all.csv(for Linux)

some changes to cvs output, it becomes more convenient log4shell_1.22.2.6.zip
opened by trust1345 8
Doesn't scale well to multiple CPU cores
I've been running this on our AMD Threadripper 2990WX machine and since it took more than 5 minutes, I started to investigate why.

It looks like the disk is bored and only one CPU core is loaded with 100%, all other cores are also idling.

I didn't have a look at the source code but maybe a two-pass approach might speed things up:

Build a list of all files to be scanned. This probably cannot be parallelized much

Go through the list in several threads so it's not just one CPU core doing all the work
opened by jachstet-sea 5
Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this.

Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this. I liked the proposed implementation. 1 separate row for each host, instead of adding statistics to each row by adding extra columns (when the --csv-stats argument is specified). This approach is better than I originally suggested.

launched on https://github.com/HynekPetrak/log4shell-finder/commit/75cb4f129110f5da8e8132698ed2b52ad34c405c test_log4shell_1.2120220126.py all --csv-out --no-csv-header --no-error --csv-clean --csv-stats output2.csv output1.csv

Proposed format output1-expected.csv output2-expected.csv Also in the proposed output, I propose to slightly change the output of --csv-clean, for unification

thank you in advance.

opened by trust1345 4
Windows: "all" argument to scan all local drives doesn't work on pre-build binary

Hi,

I tried the pre-build windows binary from the dist Folder and realized that the all option to scan all local drives (https://github.com/HynekPetrak/log4shell-finder/commit/a5cfac0a1fd5678a8c144e59d0e862d274d08965) doesn't work, no drives where found, so nothing was scanned until I had to defined c:\ d:\ instead.

I tried to build the binary on my own with pyinstaller and was running into the same issue, by checking the code I assumed that there might be a problem with the win32api and win32file import so drives will become none.

At least for me it was necessary to run pyinstaller --hidden-import win32api --hidden-import win32file -F ./test_log4shell.py to enforce that those modules will be included in the binary. Afterwards the all option was working as expected, every available drives was found and scanned.

Cheers Dominik

opened by wombelix 3
CVE-2022-23307 (chainsaw) detection shouldn't depend on CVE-2022-23302 (jmssink)?

Hi,

the detection for CVE-2022-23307 was introduced in commit https://github.com/HynekPetrak/log4shell-finder/commit/b271f275547f2879ca21e57c38150c1fb1bf2c92 and later changed in commit https://github.com/HynekPetrak/log4shell-finder/commit/b04487e92dd361a9cbc98350f42878e884b2c735.

In the first commit, there was no dependency to any other CVE, in the second one the dependency to JMSSINK was added. As far I understand CVE-2022-23307 and based on my tests, this change / dependency avoids the detection in most cases and therefore should be reverted to the initial state?

Cheers Dominik

opened by wombelix 3
Please add support argument, for line in the csv report when nothing is found on host

1 line from the host with the verdict for example CLEAN. It will help for mass rolling scanning of hosts to have also a list of scanned hosts.

"2022-01-25 00:00:00","1.2120220125","192.192.192.192","localhost.localdomain","Linux","6.x86_64","x86_64","Package","CLEAN","","",""

opened by trust1345 3
Automatic generation of the output file name using the hostname_ip.csv template

FR For mass scanning of a host group by a scanner, it would be great if the name of the output file (when using some key) was generated automatically using the hostname_ip.csv template. This will allow you to collect all the received files into one directory (without thinking about the coincidence of file names) and executing, for example cat ./*.csv > report_all.csv to get a general report.

Thanks for the scanner.

opened by trust1345 3
FR add CSV output for massive scan

FR IIt would be great if there was a -c (csv output) option so that you could wrap the scanner in ansible wrapper and use it on a group of machines. Earlier we wrapped the scanner https://github.com/mergebase/log4j-detector but it doesn't keep up with updates a bit and runs slower (there are also problems with memory consumption). As a result, looks like this. This output is quite convenient for fast processing of a large group of hosts. I have attached an example file. In the attached file, the separator is "@", but you can use for example "," role1.4-output.csv

PS. I think it would also be a good idea to make an exception on all Linux hosts /proc by default, this will reduce the speed of scanning (and accessing swap, when touching /proc), but will not worsen its results.

Thanks for the scanner, it's the best.

opened by trust1345 3
Single binary for windows

For all versions of windows, you can make one common binary file. All versions of windows contain 32 subsystems, so such a binary file will work on all Windows systems.

In order to support all versions of windows from windows 7, you need to use version 3.7.9 to build with pyinstaller

opened by trust1345 2
Please add an argument, that will add to each line of the csv output ( --csv-out ) additional information

Please add an argument, that will add to each line of the csv output ( --csv-out ) information about the passed path argument, when the scanner starts, exclude path, and the time spent on scanning the host (even when the verdict is CLEAN), total scanned files and folders.

This information will be useful for analyzing the scanner's work statistics.

Example in attach. localhost_10.10.10.10.csv

opened by trust1345 1
Please add verdict for Log4J-1.1.1

When the scanner finds Log4J-1.1.1 the verdict turns out to be just an empty space. I think that you need to add a status that would indicate in such cases the need for manual verification, for example manual or add an existing CVE.

2019-06-19 10:10:10 1.2120220117 333.333.333.333 server.com Windows 2022 AMD64 Package ...\lib\log4j-core.jar contains Log4J-1.1.1 <= 1.2.17, JMSAppender.class not found 1.1.1

opened by trust1345 1

Skip reparse points on Windows

import ctypes
def isLink(path):
    if os.path.exists(path):
        if os.path.isdir(path):
            FILE_ATTRIBUTE_REPARSE_POINT = 0x0400
            attributes = ctypes.windll.kernel32.GetFileAttributesW(unicode(path))
            return (attributes & FILE_ATTRIBUTE_REPARSE_POINT) > 0
    return False

opened by HynekPetrak 0

Current scaner binary builds, using pyinstaller
Built a scanner of the current version (1c14e73) using pyInstaller (one binary file, does not require python to run)

Windows 32 bit version, should work on all versions of Windows OS (32-bit and 64-bit) both client and server, starting from w7 and above

Linux 32 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.

Linux 64 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.

It may be useful to anyone.

Windows run example: test_log4shell_1.2120220209.exe all --csv-out --no-csv-header --csv-clean

Linux 32 bit run example: test_log4shell_1.2120220209.bin32 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

Linux 64 bit run example: test_log4shell_1.2120220209.bin64 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

After the work is completed, a short-hostname_ip.csv file with the scan results will appear in the directory from which the file was run.

test_log4shell_1.2120220209_32.zip test_log4shell_1.2120220209_64.zip test_log4shell_1.2120220209_exe.zip
opened by trust1345 0
Please add support 3 CVE (log4j)
CVE-2017-5645

CVE-2021-42550

CVE-2020-9488

It is especially important to detect CVE-2021-42550

Maybe in the documentation (readme) such a table will be useful

| Detect | CVE | CVSSv3 | Severity | java | lib from | lib to | lib fix | | | :----- | :------------- | :----- | :------- | :---- | :--------- | :----------------------------- | :------------------ | :-- | | x | CVE-2021-44228 | 10,0 | Critical | 8 | 2.0-beta9 | 2.14.1 | 2.15.0 | | | - | CVE-2017-5645 | 9,8 | Critical | 7 | 2.0-alpha1 | 2.8.1 | 2.8.2 | | | x | CVE-2021-45046 | 9,0 | Critical | 7/8 | 2.0-beta9 | 2.15.0 excluding 2.12.2 | 2.12.2/2.16.0 | | | x | CVE-2021-4104 | 7,5 | High | - | 1.0 | 1.x | nofix | | | x | CVE-2021-44832 | 6,6 | Medium | 6/7/8 | 2.0-alpha7 | 2.17.0, excluding 2.3.2/2.12.4 | 2.3.2/2.12.4/2.17.1 | | | - | CVE-2021-42550 | 6,6 | Medium | - | 1.0 | 1.2.7 | 1.2.8 | | | x | CVE-2021-45105 | 5,9 | Medium | 6/7/8 | 2.0-beta9 | 2.16.0, excluding 2.12.3 | 2.3.1/2.12.3/2.17.0 | | | - | CVE-2020-9488 | 3,7 | Low | 7/8 | 2.0-alpha1 | 2.13.1 | 2.12.3/2.13.2 | |
opened by trust1345 29

Releases(v1.22)

v1.22(Feb 23, 2022)
Version 1.22-20220222

Added: Reading library version and name (log4j, log4j-core, reload4j) from MANIFEST.MF as well as from pom.properties

Performance improvements by additional 15%

Added: Autodetecting all local drives in mswin with all parameter

Added: --no-csv-header to omit csv header to allow easier merging of results from multiple hosts

Added: Detecting CVE-2017-5645 (9.8), CVE-2019-17571 (9.8), CVE-2022-23307 (8.1), CVE-2022-23305 (9.8), CVE-2022-23305 (9.8), CVE-2022-23302 (8.1), improved detection of CVE-2017-5645

Added: --threads parameter to manually tune number of scanning threads

Added: --cvs-clean parameter in order to write "CLEAN" line to csv output in case no log4j library detected

Added: --cvs-stats parameter in order to write "STATS" line to csv output with runtime in seconds and number of files and folders scanned

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64(6.60 MB)
test_log4shell-mswin32.exe(5.90 MB)
test_log4shell-mswin64.exe(7.46 MB)
v1.21(Jan 9, 2022)
Version 1.21-20220109

Fixed bug: --fix command in version 1.19 and 1.20 could corrupt .jar archives.

Performance improvement via multithreaded scanning

Fixed searching within extracted log4j folders on Windows

Removed mmap access due to incompatibility with Windows.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin32.zip(5.63 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.18(Jan 7, 2022)
Version 1.18-20220107

Code readability and performance improvements

Added parameter --file-log [LOGFILE] to enable logging to log file, default is log4shell-finder.log.

Added parameter --progress [SEC] to enable progress reporting every SEC seconds, default is 10 seconds.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin32.zip(5.63 MB)
test_log4shell-mswin64.zip(7.17 MB)
1.17(Jan 5, 2022)
Version 1.17-20220105

Reworked status reporting, now listing all CVEs relevant for specific version of log4j.

Added --no-error to suppress file system error messages (e.g. Access Denied, corrupted zip archive).

Suppressed STRANGE status reporting by default - STRANGE are mainly source packages, that do not contain class binaries.

Added --strange to report also STRANGE instances.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.16(Dec 30, 2021)
Version 1.16

Fixed detection of 2.12.3 extracted

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.15(Dec 30, 2021)
Version 1.15

Added support for versions 2.3.2, 2.12.4 and 2.17.1

Reporting actual CVEs instead of VULNERABLE or NOTOKAY status

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.13(Dec 28, 2021)
Version 1.13

Do not use version 1.11 and 1.12. They may corrupt .jar archives with --fix command

Added additional possible "JAR" file extensions.

Fixed bug: --fix command could corrupt .jar archives.

minor fix: status for 2.12.2 as NOTOKAY

added --fix parameter with attempt to fix the vulnerability by renaming JndiLookup.class to JndiLookup.vulne. At the moment it can handle .class files on disk and within 1st level archives. Class cannot be renamed in archives imbedded in other archives (nested).

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.10(Dec 22, 2021)
Version 1.10-20211222

added detection of 2.12.3 and 2.3.1

added option to disable default logging to file --no-file-log

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.8(Dec 22, 2021)
added host information to the json file

possibility to save output to csv with --csv-out

if you omit file names for --json-out or --csv-out then the file name has a form: hostname_ipaddress.<csv|json>

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.6(Dec 21, 2021)
Version 1.6-20211221

added checks for JMSAppender.class within v1.x version

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.5(Dec 20, 2021)
Version 1.5-20211220

bugfix for --exlude-dirs

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.4(Dec 20, 2021)
Version 1.4-20211220

added option --same-fs to skip mounted volumes while scanning.

findings can be saved in json format with --json-out <filename>

skip folder with --exclude-dirs DIR [DIR ...] parameter

use - as folder name to source folder names from stdin, e.g. echo "/home" | test_log4shell.py -

Source code(tar.gz)
Source code(zip)
test_log4shel-mswin64l.zip(7.17 MB)
test_log4shell-linux64.zip(6.51 MB)
v1.3(Dec 19, 2021)

Version 1.3 - handle elastic packages with shaded class names.
Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin64.zip(7.15 MB)
v1.2(Dec 19, 2021)
Version 1.2-20211219

now extracting exact version from pom.properties for jar/war.. packages.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin.zip(7.15 MB)
1.1(Dec 19, 2021)

Version 1.1
Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin.zip(7.15 MB)

Owner

Hynek Petrak

GitHub Repository

Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

Related tags

Overview

log4shell_finder

Changelog

Version 1.6-20211221

Version 1.5-20211220

Version 1.4-20211220

Version 1.3-20211219

Version 1.2-20211219

Usage

Compile binaries

Sample run

Comments

Built a scanner of the current version (1c14e73) using pyInstaller (one binary file, does not require python to run)

Releases(v1.22)

v1.22(Feb 23, 2022)

v1.21(Jan 9, 2022)

v1.18(Jan 7, 2022)

1.17(Jan 5, 2022)

v1.16(Dec 30, 2021)

v1.15(Dec 30, 2021)

v1.13(Dec 28, 2021)

v1.10(Dec 22, 2021)

v1.8(Dec 22, 2021)

v1.6(Dec 21, 2021)

v1.5(Dec 20, 2021)

v1.4(Dec 20, 2021)

v1.3(Dec 19, 2021)

v1.2(Dec 19, 2021)

1.1(Dec 19, 2021)

Owner

Hynek Petrak

CVE-2021-22005 - VMWare vCenter Server File Upload to RCE

Tinyman exploit finder - Tinyman exploit finder for python

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Simple tool to create passwords.

Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions

A tool to find good RCE From my series: A powerful Burp extension to make bounties rain

Template for new OSINT command-line tools

A Telegram Bot to force users to join a specific channel before sending messages in a group.

Patching - Interactive Binary Patching for IDA Pro

A collection of write-ups and solutions for Cyber FastTrack Spring 2021.

GRR Rapid Response: remote live forensics for incident response

This repo explains in details about buffer overflow exploit development for windows executable.

Python low-interaction honeyclient

C++ fully undetected shellcode launcher

GitHub Advance Security Compliance Action

A simple tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities

Python library to remotely extract credentials on a set of hosts.

Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.

Herramienta para descargar eventos de Sucuri WAF hacia disco.

NexScanner is a tool which allows you to scan a website and find the admin login panel and sub-domains