As Spyderbat worked with customers on the recent Log4Shell vulnerability, it became clear that a simple tool was needed to accurately find existing running Java packages that are vulnerable in their environments. This is echoed in the Dec 22nd alert by the Cybersecurity and Infrastructure Agency (CISA) and other agencies specifying to:
- Identify assets affected by Log4Shell and other Log4j-related vulnerabilities
- Upgrade Log4j assets and affected products to the latest version as soon as patches are available and remain alert to vendor software updates, and
- Initiating hunt and incident response procedures to detect possible Log4Shell exploitation.
Since Log4j is a back-end component for logging in Java applications, it is not always clear where it is used. Spyderbat has open-sourced the following Log4jtool to the security community - that can be run on Linux systems and scans if any vulnerable Java packages are present.
How to Use Log4jtool
Visit the site here to download the tool, then it’s as simple as just running:
Optionally you can provide a path if you don’t wish to scan your entire filesystem:
sudo ./log4jtool -p /my/path/
The tool iterates through the file system looking for .war, .jar, and .ear files and then looks for the version of Log4j that they may contain. It doesn't alter anything at all. It inspects the files and looks within them for nested copies of Log4j as well.
If Java packages are found, the output looks like this:
File: /test/log4j/log4j-1.2.12.jar contains version: 1.2.12 which is not-vulnerable
File: /testx/apache-tomcat-8.5.73/webapps/log4shell-demo.war contains version: 2.14.1 which is vulnerable
For those learning about the recent Log4j exploits, see our earlier blog exposing the log4j exploit here.
Spyderbat customers are encouraged to follow our how-to guide to detect Log4J in their Linux environments.