{"id":20038578,"url":"https://github.com/yahoo/check-log4j","last_synced_at":"2025-08-21T02:30:52.621Z","repository":{"id":43093798,"uuid":"438738205","full_name":"yahoo/check-log4j","owner":"yahoo","description":"To determine if a host is vulnerable to log4j CVE‐2021‐44228","archived":false,"fork":false,"pushed_at":"2023-03-21T02:57:11.000Z","size":46,"stargazers_count":172,"open_issues_count":0,"forks_count":26,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-04-08T01:51:14.394Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yahoo.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"Code_of_Conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-15T18:47:39.000Z","updated_at":"2025-03-22T10:41:15.000Z","dependencies_parsed_at":"2024-11-13T10:40:50.322Z","dependency_job_id":null,"html_url":"https://github.com/yahoo/check-log4j","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":"yahoo/.github","purl":"pkg:github/yahoo/check-log4j","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoo%2Fcheck-log4j","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoo%2Fcheck-log4j/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoo%2Fcheck-log4j/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoo%2Fcheck-log4j/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yahoo","download_url
":"https://codeload.github.com/yahoo/check-log4j/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoo%2Fcheck-log4j/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271416676,"owners_count":24755930,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-21T02:00:08.990Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T10:30:07.932Z","updated_at":"2025-08-21T02:30:52.370Z","avatar_url":"https://github.com/yahoo.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"check-log4j\n===========\n\nThis tool will try to determine if the host it is\nrunning on is likely vulnerable to the latest reason\nthat [the internet is on\nfire](https://istheinternetonfire.com): the [log4j\nRCE](https://logging.apache.org/log4j/2.x/security.html)\n[CVE‐2021‐44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\nThis is different from other tools that attempt to\nverify whether a specific service is vulnerable by\ntriggering the exploit and e.g., tracking pingbacks on\na DNS canary token.  That approach tells you whether a\n_service_ is vulnerable, but it doesn't even tell you\nwhich _specific systems_: the payload may have been\nproxied on to another system and from there logged via\n`log4j` on yet another one.  
So inspection of the\nservice does not tell you that that specific host is\nvulnerable.\n\nOn the other hand, host owners may not know whether\nthey have a vulnerable version of `log4j` on their\nsystem: The `log4j` package may be pulled in as a\ndependency by various packages, or included inside a\nJava application jar.\n\nThe `check-log4j` tool attempts to give host owners a\ntool to determine likely vulnerability by looking at\nrunning java processes and inside of any common Java\narchive files found.\n\nPlease see the [manual\npage](./doc/check-log4j.1.txt) for full\ndetails.\n\nInstallation\n============\n\nTo install the command and manual page somewhere\nconvenient, run `make install`; the Makefile defaults\nto '/usr/local' but you can change the PREFIX:\n\n```\n$ make PREFIX=~ install\n```\n\nFAQ\n===\n\n## Dude, this is a shell script. You suck. Why isn't this written in $MyFavoriteLanguage?\n\n`check-log4j` is intended to run on any Unix-like\nsystem without depending on any particular language\nruntime.  It's not pretty, but hey.\n\n## Why does it say \"Possibly vulnerable\"?\n\nActual vulnerability depends on runtime configuration.\n`check-log4j` basically checks whether the file\n`JndiLookup.class` is found in any archive files.  If so,\nthe system becomes suspect.  If `check-log4j` can\ndetermine that this might be a `log4j-2.16.x` version,\nit will remain silent, but otherwise, it simply\ndoesn't know whether that class might be used or\njust sits there as an unused dependency or what.\n\n## This doesn't work on my system, explodes in some way, or doesn't correctly detect a vulnerable host!\n\nI'm sorry.  
Please let me know about this via email or\na GitHub issue or, better yet, a pull request with a\nfix.\n\n\nDocumentation\n=============\n\n```\nNAME\n     check-log4j -- try to determine if a host is vulnerable to log4j\n     CVE-2021-44228\n\nSYNOPSIS\n     check-log4j [-Vhv] [-j jar] [-p path] [-s skip]\n\nDESCRIPTION\n     The check-log4j tool attempts to determine whether the host it is exe-\n     cuted on is vulnerable to the log4j RCE vulnerability identified as\n     CVE-2021-44228.\n\n     Since this vulnerability is in a specific Java class that may be inside\n     nested Java archive files, check-log4j may be somewhat intrusive to run\n     and should be executed with care and consideration of the system's load.\n     Please see DETAILS for more information.\n\nOPTIONS\n     The following options are supported by check-log4j:\n\n     -V\t      Print version number and exit.\n\n     -h\t      Print a short help message and exit.\n\n     -j jar   Check only this archive, nothing else.  Can be specified multi-\n\t      ple times for multiple JAR (or other zip formatted archive)\n\t      files.\n\n     -p path  Limit filesystem traversal to this directory.  Can be specified\n\t      multiple times.  If not specified, check-log4j will default to\n\t      '/'.\n\n     -s skip  Skip the given checks.  Valid arguments are 'files', 'packages',\n\t      and 'processes'.\n\n     -v\t      Be verbose.  Can be specified multiple times.\n\nDETAILS\n     CVE-2021-44228 describes a possible remote code execution (RCE) vulnera-\n     bility in the popular log4j framework.  Simply causing the vulnerable\n     system to log a specially crafted message lets the attacker gain com-\n     mand execution and information disclosure capabilities.  
This vulnerabil-\n     ity relies on an insecure default setting applying to the Java Naming and\n     Directory Interface (JNDI).\n\n     Specifically, a system that contains the JndiLookup.class may enable the\n     attack path in question.\n\n     To determine whether a host is vulnerable, the check-log4j tool will per-\n     form the following checks:\n     o\t check for the existence of likely vulnerable packages\n     o\t check for the existence of java processes using the 'JndiLookup'\n\t class\n\n     The discovery process may include running find(1), lsof(1), or rpm(1);\n     please use the -s flag to skip any checks that might have a negative\n     impact on your host.\n\n     The output of the command attempts to be human readable and provide suf-\n     ficient information to judge whether the host requires attention.\n\nENVIRONMENT\n     The following environment variables influence the behavior of\n     check-log4j:\n\n     CHECK_LOG4J_FIND_OPTS_PRE\n\t\t   Additional options to pass to find(1) prior to the path\n\t\t   name(s).\n\n\t\t   By default, check-log4j runs \"find / -type f -name\n\t\t   '*.[ejw]ar'\"; the contents of this variable are placed\n\t\t   immediately after the 'find' and before the path name(s).\n\n     CHECK_LOG4J_FIND_OPTS_POST\n\t\t   Additional options to pass to find(1) immediately after the\n\t\t   path name(s).\n\nEXAMPLES\n     Sample invocation on a non-vulnerable host:\n\n\t   $ check-log4j\n\t   No obvious indicators of vulnerability found.\n\t   $\n\n     Sample invocation only looking at processes\n\n\t   $ ./check-log4j.sh -s files -s packages -v -v\n\t   =\u003e Running all checks...\n\t   ==\u003e Skipping package check.\n\t   ==\u003e Looking for jars...\n\t   ==\u003e Skipping files check.\n\t   ==\u003e Checking all found jars...\n\t   check-log4j.sh 1.0 localhost: Possibly vulnerable jar 'BOOT-INF/lib/log4j-core-2.14.1.jar' (inside of /home/jans/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar) used by process 
15569.\n\n\t   $\n\n     Sample invocation searching only /var and /usr/local/lib and skipping\n     package and process checks:\n\n\t   $ check-log4j -p /var -p /usr/local/lib -s packages -s processes\n\t   Possibly vulnerable jar '/usr/local/lib/jars/log4j-core-2.15.0.jar'.\n\t   Possibly vulnerable jar '/usr/local/lib/jars/log4j-core-2.15.jar'.\n\t   Possibly vulnerable jar '/usr/local/lib/jars/log4j-core-2.jar'.\n\t   Possibly vulnerable jar '/usr/local/lib/jars/log4j-core.jar'.\n\n\t   $\n\n     Note version comparisons are only done for packages, which is why the\n     above output includes files ending in a seemingly non-vulnerable version.\n\n     To avoid mountpoint traversal on a Unix system where find(1) requires the\n     -x flag to precede the paths:\n\n\t   $ env CHECK_LOG4J_FIND_OPTS_PRE=\"-x\" check-log4j\n\t   No obvious indicators of vulnerability found.\n\n     To only search files newer than '/tmp/foo':\n\n\t   $ env CHECK_LOG4J_FIND_OPTS_POST=\"-newer /tmp/foo\" check-log4j\n\t   No obvious indicators of vulnerability found.\n\nEXIT STATUS\n     check-log4j will return 0 if the host was found not to be vulnerable and\n     not in need of any update; it will return 1 if a vulnerable jar or pack-\n     age was detected.\n\n     If no vulnerability to CVE-2021-44228 / CVE-2021-45046 was found, but\n     versions below the desired minimum were found, check-log4j will return 2.\n\nSEE ALSO\n     find(1), lsof(1), rpm(1)\n\nHISTORY\n     check-log4j was originally written by Jan Schaumann \u003cjans@yahooinc.com\u003e\n     in December 2021.\n\nBUGS\n     Please file bugs and feature requests via GitHub pull requests and issues\n     or by emailing the author.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyahoo%2Fcheck-log4j","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyahoo%2Fcheck-log4j","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyahoo%2Fcheck-log4j/lists"}