{"id":28486154,"url":"https://github.com/fox-it/log4j-finder","last_synced_at":"2025-07-02T12:32:36.553Z","repository":{"id":44751948,"uuid":"438203240","full_name":"fox-it/log4j-finder","owner":"fox-it","description":"Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)","archived":false,"fork":false,"pushed_at":"2022-12-27T17:57:19.000Z","size":2850,"stargazers_count":436,"open_issues_count":24,"forks_count":95,"subscribers_count":20,"default_branch":"main","last_synced_at":"2025-06-08T01:11:23.985Z","etag":null,"topics":["cve-2021-44228","cve-2021-45046","cve-2021-45105","log4j","log4j-finder","log4j2","log4shell","python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fox-it.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-14T10:04:42.000Z","updated_at":"2025-04-18T15:44:41.000Z","dependencies_parsed_at":"2023-01-31T05:31:05.448Z","dependency_job_id":null,"html_url":"https://github.com/fox-it/log4j-finder","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/fox-it/log4j-finder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Flog4j-finder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Flog4j-finder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Flog4j-finder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Flog4j-finder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fox-it","download_url":"https://codeload.github.com/fox-it/log4j-finder/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Flog4j-finder/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263140574,"owners_count":23419906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2021-44228","cve-2021-45046","cve-2021-45105","log4j","log4j-finder","log4j2","log4shell","python"],"created_at":"2025-06-08T01:10:23.956Z","updated_at":"2025-07-02T12:32:36.538Z","avatar_url":"https://github.com/fox-it.png","language":"Python","funding_links":[],"categories":["📦 Legacy \u0026 Inactive Projects"],"sub_categories":[],"readme":"# log4j-finder\n\nA Python3 script to scan the filesystem to find Log4j2 that is vulnerable to _Log4Shell_ (`CVE-2021-44228` \u0026 `CVE-2021-45046` \u0026 `CVE-2021-45105`). \nIt scans recursively both on disk and inside (nested) Java Archive files (JARs).\n\n![log4j-finder results](screenshot.png?raw=true \"Output of log4j-finder\")\n\n## How it works\n\nlog4j-finder identifies `log4j2` libraries on your filesystem using a list of *known bad* and *known good* MD5 hashes of specific files (currently only `JndiManager.class`) present in `log4j2-core-*` packages; the main package that is affected by `log4shell`. It searches for these files inside Java Archive files and on the filesystem. The `log4j2` version is then identified based on the MD5 hash of this file.\n\nTo optimize scanning speed, it searches the filesystem and processes ONLY the following filenames:\n\n * All files with `Java ARchive` file extensions in the filename (also nested in these archives):\n    *  `*.jar`, `*.war`, `*.ear`\n * Filenames that we have *known bad* and *good* hashes for (also inside above archives, and nested):\n    *  `JndiManager.class`\n\nIf the file matches one of the extensions mentioned above, it will check inside these archives (all in memory, nothing is unpacked) to search for the filenames that the script has *known* hashes for. It also looks inside nested archives, for example, a `JAR` file in a `WAR` file.\n\nThe script does NOT scan other archive file extensions such as `7z`, `RAR`, `TAR`, `BZ2`, etc. So, for example, if a `JAR` file is inside a `7z` file, the script will not find it. The rationale is that Java can only load `Java ARchive` formats so we only scan those.\n\nUnknown MD5 hashes are shown as `UNKNOWN`; this could happen if a non `log4j2` Java package uses the same filename that this script searches for.\nIt's most likely not `log4j2` if the identified file path does not contain references to `org/apache/logging/log4j`. However, manual verification is still recommended.\n\n## Downloading and running\n\nYou can install log4j-finder using one of the following methods:\n\n### Using the release binary\n\nYou can download the correct binary for your Operating System:\n\n * Windows latest (signed): [log4j-finder-signed.exe](https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder-signed.exe)\n   * Non signed binaries are also available but can trigger your AntiVirus due to it being a [PyInstaller](https://pyinstaller.readthedocs.io/en/stable/) executable. You can also generate the executable yourself, see \"Generating log4j-finder executables\" on how to do this.\n * Linux x86_64 latest: [log4j-finder](https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder)\n\nIf you are on Linux you can also download the latest release and run using one of the following ways:\n\n```bash\ncurl -L https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder -o log4j-finder\nchmod +x log4j-finder\nsudo ./log4j-finder\n```\n\n```bash\nwget https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder -O log4j-finder\nchmod +x log4j-finder\nsudo ./log4j-finder\n```\n\n### Using Python 3\n\nFor distribution with Python 3.6+ installed, one following methods also work:\n\n```bash\ncurl -L https://github.com/fox-it/log4j-finder/raw/main/log4j-finder.py -o log4j-finder.py\nsudo python3 log4j-finder.py\n```\n\n```bash\nwget https://github.com/fox-it/log4j-finder/raw/main/log4j-finder.py\nsudo python3 log4j-finder.py\n```\n\n```bash\ngit clone https://github.com/fox-it/log4j-finder\ncd log4j-finder\nsudo python3 log4j-finder.py\n```\n\n## Generating log4j-finder executables\n\n### Auto generated executables\n\nThere is a [GitHub Action](https://github.com/fox-it/log4j-finder/blob/main/.github/workflows/pyinstaller.yaml) in the repository that automatically generates a Windows and Linux binary of the `log4j-finder.py` script using  [PyInstaller](https://pyinstaller.readthedocs.io/en/stable/) on every commit. The build artifacts of these workflow runs are used to attach to the [Releases](https://github.com/fox-it/log4j-finder/releases/) page.\n\nWe are aware that some Anti Virus vendors don't like the Windows binaries, in that case we recommend using generating the executable yourself using the following steps (note that we now also provide signed binaries).\n\n### Generating the Windows executable\n\n1. If you don't have Python 3.6 or higher installed, download it first from https://www.python.org/downloads/\n\n   * Choose `Python 3.8.10` if you want your binary to work on Windows 7:\n     * Download [Python 3.8.10 Windows installer (32 bit)](https://www.python.org/ftp/python/3.8.10/python-3.8.10.exe)\n     * Download [Python 3.8.10 Windows installer (64-bit)](https://www.python.org/ftp/python/3.8.10/python-3.8.10-amd64.exe)\n   * Ensure that during install you choose: `Add Python 3.x to PATH`, this makes the following steps much easier.\n\n2. Open a command prompt and use `pip` to install the `pyinstaller` package:\n\n   ```bash\n   pip install pyinstaller\n   \n   # In the output you will see where pyinstaller is installed, for example:\n   # C:\\Users\\User\\AppData\\Roaming\\Python\\Python310\\Scripts\n   #\n   # Verify using --version\n   C:\\Users\\User\\AppData\\Roaming\\Python\\Python310\\Scripts\\pyinstaller.exe --version\n   4.7\n   ```\n3. Optionally install the `colorama` package to add support for colors:\n\n   ```bash\n   pip install colorama\n   ```\n\n3.  Download the latest version of the `log4j-finder.py` script and then run PyInstaller:\n\n   ```bash\n   pyinstaller --onefile --hidden-import colorama log4j-finder.py\n   ```\n\nThe Windows executable is then in the `dist` directory: `dist\\log4j-finder.exe`\n\n### Generating the Linux executable\n\nExample given for Debian 11:\n\n```bash\n# Install PyInstaller using pip3\nsudo apt update\nsudo apt install python3-pip git\npip3 install --user pyinstaller\n\n# Git clone and build using PyInstaller\ngit clone https://github.com/fox-it/log4j-finder\ncd log4j-finder\n~/.local/bin/pyinstaller --onefile log4j-finder.spec\n\n# Verify that the binary works\n./dist/log4j-finder --help\n```\n\n## Usage\n\nExample usage to scan a path (defaults to /):\n```bash\n$ python3 log4j-finder.py /path/to/scan\n```\n\nOr directly a JAR file:\n```bash\n$ python3 log4j-finder.py /path/to/jarfile.jar\n```\n\nOr multiple directories and or files:\n```bash\n$ python3 log4j-finder.py /path/to/dir1 /path/to/dir2 /path/to/jarfile.jar\n```\n\nExclude files or directories:\n```bash\n$ python3 log4j-finder.py / --exclude \"/*/.dontgohere\" --exclude \"/home/user/*.war\"\n```\n\nNote that on Windows it only scans the root `c:\\` drive if you don't give any extra arguments.\nWe recommend specifying the drives you need to scan on the commandline such as (drives that don't exist are skipped):\n\n```bash\nlog4j-finder.exe c:\\ d:\\ e:\\ f:\\\n```\n\nFiles or directories that cannot be accessed (Permission denied errors) are not printed.\n\nIf you want to see more output, you can give the `-v` flag for verbose, or `-vv` for debug mode (only recommended for debugging purposes).\n\nApplication arguments:\n```bash\npositional arguments:\n  PATH                  Directory or file(s) to scan (recursively) (default:\n                        ['/'])\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -v, --verbose         verbose output (-v is info, -vv is debug) (default: 0)\n  -n, --no-color        disable color output (default: False)\n  -q, --quiet           be more quiet, disables banner and summary (default:\n                        False)\n  -b, --no-banner       disable banner (default: False)\n  -V, --version         show program's version number and exit\n  -e PATTERN, --exclude PATTERN\n                        exclude files/directories by pattern (can be used\n                        multiple times) (default: None)\n```\nFiles are scanned recursively, both on disk and in (nested) Java Archive Files\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2Flog4j-finder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffox-it%2Flog4j-finder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2Flog4j-finder/lists"}