A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.
Command-line tool
This project includes a scanner that walks the directory, printing any detected JARs to stdout.
$ log4jscanner ./jar/testdata ./jar/testdata/bad_jar_in_jar.jar ./jar/testdata/log4j-core-2.1.jar ./jar/testdata/log4j-core-2.12.1.jar ./jar/testdata/log4j-core-2.14.0.jar ./jar/testdata/log4j-core-2.15.0.jar ./jar/testdata/vuln-class.jar
Optionally, the –rewrite flag can actively remove the vulnerable class from detected JARs in place.
$ zipinfo /tmp/vuln-class.jar | grep Jndi -rw-r--r-- 3.0 unx 2937 bx defN 20-Nov-06 14:03 lookup/JndiLookup.class -rw-r--r-- 3.0 unx 5029 bx defN 20-Nov-06 14:03 net/JndiManager.class -rw-r--r-- 3.0 unx 249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class -rw-r--r-- 3.0 unx 1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class $ log4jscanner --rewrite /tmp /tmp/vuln-class.jar $ zipinfo /tmp/vuln-class.jar | grep Jndi -rw-r--r-- 3.0 unx 5029 bx defN 20-Nov-06 14:03 net/JndiManager.class -rw-r--r-- 3.0 unx 249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class -rw-r--r-- 3.0 unx 1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class
On MacOS, you can scan the entire data directory with:
$ sudo log4jscanner /System/Volumes/Data
The scanner can also skip directories bypassing glob patterns. On Linux, you may choose to scan the entire root filesystem, but skip site-specific paths (e.g. the /data/* directory). By default, log4jscanner will not scan magic filesystems, such as /proc and /sys.
$ sudo log4jscanner --skip '/data/*' /
For heavy customization, such as reporting to external endpoints, much of the tool’s logic is exposed through the jar.Walker API.
False positives
False positives have been observed for the scanner. Use caution when rewriting JARs automatically or taking other mitigations based on scan results.
If you do hit a false positive, please open an issue.
GIPHY App Key not set. Please check settings