{"id":13834944,"url":"https://github.com/mergebase/log4j-detector","last_synced_at":"2025-07-10T07:31:05.811Z","repository":{"id":43273502,"uuid":"437419010","full_name":"mergebase/log4j-detector","owner":"mergebase","description":"A public open sourced tool.  Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!  TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC","archived":false,"fork":false,"pushed_at":"2022-03-10T18:44:50.000Z","size":829,"stargazers_count":638,"open_issues_count":41,"forks_count":98,"subscribers_count":28,"default_branch":"master","last_synced_at":"2024-11-20T20:38:56.823Z","etag":null,"topics":["cve-2021-44228","cve-2021-45046","cve-2021-45105","cybersecurity","detector","log4j","log4shell","pentest","sca","scanner","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mergebase.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.TXT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-12T00:29:03.000Z","updated_at":"2024-11-12T20:26:27.000Z","dependencies_parsed_at":"2022-09-15T21:51:57.996Z","dependency_job_id":null,"html_url":"https://github.com/mergebase/log4j-detector","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/mergebase/log4j-detector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mergebase%2Flog4j-detector","tags_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mergebase%2Flog4j-detector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mergebase%2Flog4j-detector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mergebase%2Flog4j-detector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mergebase","download_url":"https://codeload.github.com/mergebase/log4j-detector/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mergebase%2Flog4j-detector/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264545157,"owners_count":23625403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2021-44228","cve-2021-45046","cve-2021-45105","cybersecurity","detector","log4j","log4shell","pentest","sca","scanner","vulnerability-scanner"],"created_at":"2024-08-04T14:00:54.094Z","updated_at":"2025-07-10T07:31:00.803Z","avatar_url":"https://github.com/mergebase.png","language":"Java","funding_links":[],"categories":["Detection \u0026 Remediation"],"sub_categories":[],"readme":"\u003ch1\u003e\u003cimg src='https://raw.githubusercontent.com/mergebase/log4j-detector/master/images/mergebase-small.png' alt='mergebase logo' /\u003e\u003c/h1\u003e\n\n\u003ch1\u003eLog4J-detector\u003c/h1\u003e\n\nScanner that detects vulnerable Log4J versions to help teams assess their exposure to **[CVE-2021-44228](https://mergebase.com/vulnerability/CVE-2021-44228/) (CRITICAL)**, 
[CVE-2021-45046](https://mergebase.com/vulnerability/CVE-2021-45046/), [CVE-2021-45105](https://mergebase.com/vulnerability/CVE-2021-45105/), and [CVE-2021-44832](https://mergebase.com/vulnerability/CVE-2021-44832/). It searches for Log4J instances by carefully examining the complete file-system, including all installed applications, and is able to find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!\n\n# Table of Contents\n- [Introduction](#itemdetector)\n- [Example Usage](#itemexample)\n- [Understanding The Results](#itemresults)\n- [Usage](#itemusage)\n- [Build From Source](#itembuild)\n- [Testing](#itemtesting)\n- [License](#itemlicense)\n- [Frequently Asked Questions](#faq)\n  - [How Does It Work?](#itemwork)\n  - [This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`?](#itemapi)\n  - [Why Report About 2.3.1, 2.10.0, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0?](#item2.10.0)\n  - [What are those \"file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar\" results about?](#itemwar)\n  - [What About Log4J 1.2.x?](#item1.2.x)\n  - [How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector?](#itemtrojan)\n- [What Is MergeBase All About?](#itemmergebase)\n\n\n\n# Introduction \u003ca name=\"itemdetector\"\u003e\u003c/a\u003e\n\nCurrently reports [log4j-core](https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/) versions 2.3.2, 2.12.4, and 2.17.1 as **\\_SAFE\\_**, 2.3.1, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0 as **\\_OKAY\\_** and all other versions as **\\_VULNERABLE\\_**\n(although it does report pre-2.0-beta9 as **\\_POTENTIALLY_SAFE\\_**). 
It reports older [log4j-1.x](https://repo1.maven.org/maven2/log4j/log4j/) versions as **\\_OLD\\_**.\n\nIt can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended\ninto [uber jars](https://mergebase.com/blog/software-composition-analysis-sca-vs-java-uber-jars/), shaded jars, and even\nexploded jar files just sitting uncompressed on the file-system (i.e., loose *.class files).\n\nWe currently maintain a collection of [log4j-samples](https://github.com/mergebase/log4j-samples) we use for testing.\n\n# Example Usage \u003ca name=\"itemexample\"\u003e\u003c/a\u003e\n\n```\njava -jar log4j-detector-2021.12.29.jar ./samples \n\n-- github.com/mergebase/log4j-detector v2021.12.29 (by mergebase.com) analyzing paths (could take a while).\n-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.\nfalse-hits/log4j-core-2.12.2.jar contains Log4J-2.x   == 2.12.2 _OKAY_\nfalse-hits/log4j-core-2.12.3.jar contains Log4J-2.x   == 2.12.3 _OKAY_\nfalse-hits/log4j-core-2.12.4.jar contains Log4J-2.x   == 2.12.4 _SAFE_\nfalse-hits/log4j-core-2.15.0.jar contains Log4J-2.x   == 2.15.0 _OKAY_\nfalse-hits/log4j-core-2.16.0.jar contains Log4J-2.x   == 2.16.0 _OKAY_\nfalse-hits/log4j-core-2.17.0.jar contains Log4J-2.x   == 2.17.0 _OKAY_\nfalse-hits/log4j-core-2.17.1.jar contains Log4J-2.x   \u003e= 2.17.1 _SAFE_\nfalse-hits/log4j-core-2.3.1.jar contains Log4J-2.x   == 2.3.1 _OKAY_\nfalse-hits/log4j-core-2.3.2.jar contains Log4J-2.x   == 2.3.2 _SAFE_\ntrue-hits/log4j-core-2.0-beta9.jar contains Log4J-2.x   \u003e= 2.0-beta9 (\u003c 2.10.0) _VULNERABLE_\ntrue-hits/log4j-core-2.10.0.jar contains Log4J-2.x   \u003e= 2.10.0 _VULNERABLE_\ntrue-hits/log4j-core-2.10.0.zip contains Log4J-2.x   \u003e= 2.10.0 _VULNERABLE_\ntrue-hits/log4j-core-2.11.0.jar contains Log4J-2.x   \u003e= 2.10.0 _VULNERABLE_\ntrue-hits/log4j-core-2.11.1.jar contains Log4J-2.x   \u003e= 2.10.0 _VULNERABLE_\ntrue-hits/log4j-core-2.11.2.jar contains Log4J-2.x   \u003e= 2.10.0 
_VULNERABLE_\ntrue-hits/log4j-core-2.12.0.jar contains Log4J-2.x   \u003e= 2.10.0 _VULNERABLE_\ntrue-hits/log4j-core-2.12.1.jar contains Log4J-2.x   \u003e= 2.10.0 _VULNERABLE_\ntrue-hits/log4j-core-2.14.0.jar contains Log4J-2.x   \u003e= 2.10.0 _VULNERABLE_\ntrue-hits/log4j-core-2.14.1.jar contains Log4J-2.x   \u003e= 2.10.0 _VULNERABLE_\ntrue-hits/log4j-core-2.2.jar contains Log4J-2.x   \u003e= 2.0-beta9 (\u003c 2.10.0) _VULNERABLE_\ntrue-hits/log4j-core-2.3.jar contains Log4J-2.x   \u003e= 2.0-beta9 (\u003c 2.10.0) _VULNERABLE_\ntrue-hits/log4j-core-2.4.1.jar contains Log4J-2.x   \u003e= 2.0-beta9 (\u003c 2.10.0) _VULNERABLE_\ntrue-hits/log4j-core-2.4.jar contains Log4J-2.x   \u003e= 2.0-beta9 (\u003c 2.10.0) _VULNERABLE_\ntrue-hits/log4j-core-2.9.1.jar contains Log4J-2.x   \u003e= 2.0-beta9 (\u003c 2.10.0) _VULNERABLE_\nold-hits/log4j-1.1.3.jar contains Log4J-1.x   \u003c= 1.2.17 _OLD_\nold-hits/log4j-1.2.17.jar contains Log4J-1.x   \u003c= 1.2.17 _OLD_\nold-hits/log4j-core-2.0-beta2.jar contains Log4J-2.x   \u003c= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)\n```\n\n# Understanding The Results \u003ca name=\"itemresults\"\u003e\u003c/a\u003e\n\n**\\_VULNERABLE\\_** -\u003e You need to upgrade or remove this file.\n\n**\\_OKAY\\_** -\u003e We report this for Log4J versions 2.3.1, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0. We recommend upgrading to 2.17.1.\n\n**\\_SAFE\\_** -\u003e We currently only report this for Log4J versions 2.3.2, 2.12.4, and 2.17.1 (and greater).\n\n**\\_OLD\\_** -\u003e You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and has several known-vulnerabilities.\n\n**\\_POTENTIALLY_SAFE\\_** -\u003e The \"JndiLookup.class\" file is not present, either because your version of Log4J is very old (pre 2.0-beta9), or because someone already removed this file. 
Make sure it was someone in your team or company that removed \"JndiLookup.class\" if that's the case, because attackers have been known to remove this file themselves to prevent additional competing attackers from gaining access to compromised systems.\n\n# Usage \u003ca name=\"itemusage\"\u003e\u003c/a\u003e\n\n```\njava -jar log4j-detector-2021.12.29.jar \n\nUsage: java -jar log4j-detector-2021.12.29.jar [--verbose] [--json] [--stdin] [--exclude=X] [paths to scan...]\n\n  --json       - Output STDOUT results in JSON.  (Errors/warning still emitted to STDERR)\n  --stdin      - Read STDIN for paths to explore (one path per line)\n  --exclude=X  - Where X is a JSON list containing full paths to exclude. Must be valid JSON.\n\n                 Example: --exclude='[\"/dev\", \"/media\", \"Z:\\TEMP\"]'\n\nExit codes:  0 = No vulnerable Log4J versions found.\n             1 = At least one legacy Log4J 1.x version found.\n             2 = At least one vulnerable Log4J version found.\n\nAbout - MergeBase log4j detector (version 2021.12.29)\nDocs  - https://github.com/mergebase/log4j-detector \n(C) Copyright 2021 Mergebase Software Inc. Licensed to you via GPLv3.\n```\n\n# Build From Source \u003ca name=\"itembuild\"\u003e\u003c/a\u003e\n\n```\ngit clone https://github.com/mergebase/log4j-detector.git\ncd log4j-detector/\nmvn install\njava -jar target/log4j-detector-latest.jar\n```\n# Testing \u003ca name=\"itemtesting\"\u003e\u003c/a\u003e\n\nWe maintain a collection of log4j samples here:  https://github.com/mergebase/log4j-samples\n\n# License \u003ca name=\"itemlicense\"\u003e\u003c/a\u003e\n\nGPL version 3.0\n\n# Frequently Asked Questions \u003ca name=\"faq\"\u003e\u003c/a\u003e\n\n## How Does It Work? \u003ca name=\"itemwork\"\u003e\u003c/a\u003e\n\nThe Java compiler stores String literals directly in the compiled *.class files. 
If log4j-detector detects a file\nnamed \"JndiManager.class\"\non your file-system, it then examines that file for this String: \"Invalid JNDI URI - {}\". That specific String\nliteral first appears in the patched Log4J 2.15.0. Any Log4J 2.x build (2.0-beta9 or later) whose JndiManager.class lacks that String is\nvulnerable to CVE-2021-44228.\n\nThis same technique of examining *.class files for String literals is further extended to accurately detect safe\nversions 2.3.2, 2.12.4, and 2.17.1.\n\n## This Scanner Only Reports Hits Against The `log4j-core` Library. What About `log4j-api`? \u003ca name=\"itemapi\"\u003e\u003c/a\u003e\n\nMany scanners (including GitHub's own [Dependabot](https://github.com/dependabot)) currently report both \"`log4j-core`\" and \"`log4j-api`\" libraries as vulnerable.  These scanners are incorrect. There is currently no existing version of the \"`log4j-api`\" library that can be exploited by any of these vulnerabilities.\n\nAt [MergeBase](https://mergebase.com/) we pride ourselves on our scan accuracy. You're already busy enough patching and defending your systems. We don't want you to waste your time with false positives. That's why we don't report any hits against `log4j-api`.\n\n\n## Why Report About 2.3.1, 2.10.0, 2.12.2, 2.12.3, 2.15.0, 2.16.0, and 2.17.0 ? 
\u003ca name=\"item2.10.0\"\u003e\u003c/a\u003e\n\nVersion 2.10.0 is important because that's the first version where Log4J's vulnerable \"message lookup feature\" can be disabled via Log4J configuration.\n\nVersion 2.12.2 is important because it's a Java 7 compatible version of Log4J that is not vulnerable to CVE-2021-44228.\n\nVersions 2.15.0 and 2.16.0 are important because these are the first versions where Log4J's default out-of-the-box configuration is not vulnerable to CVE-2021-44228.\n\nAnd versions 2.3.2, 2.12.4, and 2.17.1 are important because they are not vulnerable to more recently discovered CVEs such as CVE-2021-45046 and CVE-2021-45105.\nDespite these being much less serious vulnerabilities, we anticipate everyone will want to patch to one of 2.3.2, 2.12.4, or 2.17.1.\n\n## What are those \"file1.war!/path/to/file2.zip!/path/to/file3.jar!/path/to/log4j.jar\" results about? \u003ca name=\"itemwar\"\u003e\u003c/a\u003e\n\nThe \"!\" means the log4j-detector entered a zip archive (e.g., *.zip, *.ear, *.war, *.aar, *.jar). Since zip files can\ncontain zip files, a single result might contain more than one \"!\" indicator in its result.\n\nNote:  the log4j-detector only recursively enters zip archives. It does not enter tar or gz or bz2, etc. The main reason\nbeing that Java systems are often configured to execute jars inside jars, but they are never configured to execute other\nfile formats (that I know of!). And so a log4j copy inside a *.tar.gz is probably not reachable for a running Java\nsystem, and hence, not a vulnerability worth reporting.\n\n2nd note:  for zips-inside-zips our scanner does load the inner-zip completely into memory (using ByteArrayInputStream)\nbefore attempting to scan it. You might need to give Java some extra memory if you have extremely large inner-zips on\nyour system (e.g., 1 GB or larger).\n\n## What About Log4J 1.2.x ? 
\u003ca name=\"item1.2.x\"\u003e\u003c/a\u003e\n\nOnly versions of Log4J 2.x (from 2.0-beta9 to 2.14.1) are vulnerable to CVE-2021-44228.\n\n## How Can I Be Sure This Isn't A Trojan Pretending To Be A Log4J Detector? \u003ca name=\"itemtrojan\"\u003e\u003c/a\u003e\n\nGreat question! Since we include the complete source code here in Github (all 2500 lines of Java), as well as the steps\nto build it, and since this tool has zero dependencies, it shouldn't take too long to carefully study the code to your\nsatisfaction. If you don't trust Maven you can go directly into the \"src/main/java/com/mergebase/log4j\" directory and\ntype \"javac \\*.java\". That works, too!\n\nWe also sign the pre-compiled jar we keep in the root of the repository (./log4j-detector-2021.12.29.jar) with the\nMergeBase code signing key.  Please run \"jarsigner -verbose -verify log4j-detector-2021.12.29.jar\" to confirm this.\n\n# What Is MergeBase All About? \u003ca name=\"itemmergebase\"\u003e\u003c/a\u003e\n\n![MergeBase](images/mergebase-small.png)\n\n[MergeBase](https://mergebase.com/) is an SCA company (Software Composition Analysis) based in Vancouver, Canada. We're\nsimilar to companies like Snyk, Sonatype, Blackduck, etc., in that we help companies detect and manage vulnerable\nopen-source libraries in their software. Check us out! We have great accuracy, great language support, and we're not too\nexpensive, either: [mergebase.com/pricing](https://mergebase.com/pricing/).\n\nWe would be delighted if anyone takes a [2-week free trial](https://mergebase.com/try/) of our SCA product! 
And if you email our CEO (oscar@mergebase.com) with the subject \"log4j-detector\" we will extend your free trial to 4-weeks.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmergebase%2Flog4j-detector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmergebase%2Flog4j-detector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmergebase%2Flog4j-detector/lists"}
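An added example, not mergebase's code, that implements the detection approach described in the README's "How Does It Work?" and nested-archive ("file1.war!/...") FAQ answers: it opens each zip-family archive, recurses into archives nested inside it (loading inner zips fully into memory, joining path components with `!/`), and labels any archive that looks like `log4j-core` by whether `JndiLookup.class` is present and whether `JndiManager.class` contains the `Invalid JNDI URI - {}` literal. The class-file paths are the real ones from log4j-core 2.x; the use of `core/Logger.class` as the "this is log4j-core" indicator, the coarse three-way labelling (the real tool uses further literals to separate 2.16.0 and 2.17.x), and the fake class bytes in `build_samples()` are assumptions and constructions for this example.

```python
"""Toy Log4Shell scanner using the string-literal heuristic described above.

Added example, not mergebase's code.  Labels are coarse on purpose: the
real detector uses more literals to separate 2.16.0 / 2.17.0 / 2.17.1.
"""
import io
import os
import sys
import zipfile

# Archive types the README says the detector recurses into (never tar/gz).
ARCHIVE_SUFFIXES = (".zip", ".jar", ".war", ".ear", ".aar")

# Real log4j-core 2.x class paths.  CORE_MARKER is only my "is this
# log4j-core at all?" indicator (an assumption, not the tool's method).
CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_MANAGER = "org/apache/logging/log4j/core/net/JndiManager.class"

# Literal the README names as present only from 2.15.0 onward.
PATCH_MARKER = b"Invalid JNDI URI - {}"


def classify(zf: zipfile.ZipFile, names: set) -> str:
    """Label one log4j-core archive from the literals in its class files."""
    if JNDI_LOOKUP not in names:
        # pre-2.0-beta9, or someone (friend or foe) deleted JndiLookup.class
        return "_POTENTIALLY_SAFE_"
    if JNDI_MANAGER in names and PATCH_MARKER in zf.read(JNDI_MANAGER):
        return "_OKAY_"  # 2.15.0 or later; still short of the 2.17.1 fix line
    return "_VULNERABLE_"  # 2.0-beta9 .. 2.14.1


def scan_archive(data: bytes, label: str, results: list) -> None:
    """Scan an in-memory archive and recurse into archives nested in it.

    Inner archives are read fully into memory (the README's memory caveat);
    hit paths are joined with "!/" like app.war!/WEB-INF/lib/x.zip!/y.jar.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # wrong extension or corrupt file: nothing to scan
    with zf:
        names = zf.namelist()
        name_set = set(names)
        if CORE_MARKER in name_set:
            results.append((label, classify(zf, name_set)))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!/{name}", results)


def scan_path(root: str, results: list) -> None:
    """Walk a directory tree and scan every archive found on disk."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, results)


def exit_code(results: list) -> int:
    """README exit codes 0/2; code 1 (Log4J 1.x) is not modelled here."""
    return 2 if any(s == "_VULNERABLE_" for _, s in results) else 0


# --- constructed samples: fake class files, not real bytecode --------------
def make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_samples() -> dict:
    fake = b"\xca\xfe\xba\xbe filler"
    vulnerable = make_jar({CORE_MARKER: fake, JNDI_LOOKUP: fake,
                           JNDI_MANAGER: b"\xca\xfe\xba\xbe no patch literal"})
    patched = make_jar({CORE_MARKER: fake, JNDI_LOOKUP: fake,
                        JNDI_MANAGER: b"\xca\xfe\xba\xbe " + PATCH_MARKER})
    stripped = make_jar({CORE_MARKER: fake, JNDI_MANAGER: fake})
    # a war holding a zip holding the vulnerable jar: two "!/" hops deep
    war = make_jar({"WEB-INF/lib/bundle.zip":
                    make_jar({"lib/log4j-core-2.14.1.jar": vulnerable})})
    return {"app.war": war, "log4j-core-2.15.0.jar": patched,
            "log4j-core-stripped.jar": stripped}


def scan_samples() -> list:
    results = []
    for label, data in build_samples().items():
        scan_archive(data, label, results)
    return results


if __name__ == "__main__":
    hits = []
    for path in sys.argv[1:]:
        scan_path(path, hits)
    if not sys.argv[1:]:
        hits = scan_samples()
    for label, status in hits:
        print(f"{label} contains Log4J-2.x {status}")
    sys.exit(exit_code(hits))
```

Run with no arguments to scan the constructed samples, or pass directories to walk; the nested sample surfaces as `app.war!/WEB-INF/lib/bundle.zip!/lib/log4j-core-2.14.1.jar _VULNERABLE_` and the process exits 2, which is the shape a CI gate or fleet sweep keys on.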