Menu
in

log4jscanner by Google for Log4j 2 Vulnerability

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.

Command-line tool

This project includes a scanner that walks the directory, printing any detected JARs to stdout.

$ log4jscanner ./jar/testdata
./jar/testdata/bad_jar_in_jar.jar
./jar/testdata/log4j-core-2.1.jar
./jar/testdata/log4j-core-2.12.1.jar
./jar/testdata/log4j-core-2.14.0.jar
./jar/testdata/log4j-core-2.15.0.jar
./jar/testdata/vuln-class.jar

Optionally, the –rewrite flag can actively remove the vulnerable class from detected JARs in place.

$ zipinfo /tmp/vuln-class.jar | grep Jndi
-rw-r--r--  3.0 unx     2937 bx defN 20-Nov-06 14:03 lookup/JndiLookup.class
-rw-r--r--  3.0 unx     5029 bx defN 20-Nov-06 14:03 net/JndiManager.class
-rw-r--r--  3.0 unx      249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class
-rw-r--r--  3.0 unx     1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class
$ log4jscanner --rewrite /tmp
/tmp/vuln-class.jar
$ zipinfo /tmp/vuln-class.jar | grep Jndi
-rw-r--r--  3.0 unx     5029 bx defN 20-Nov-06 14:03 net/JndiManager.class
-rw-r--r--  3.0 unx      249 bx defN 20-Nov-06 14:03 net/JndiManager$1.class
-rw-r--r--  3.0 unx     1939 bx defN 20-Nov-06 14:03 net/JndiManager$JndiManagerFactory.class

On MacOS, you can scan the entire data directory with:

$ sudo log4jscanner /System/Volumes/Data

The scanner can also skip directories bypassing glob patterns. On Linux, you may choose to scan the entire root filesystem, but skip site-specific paths (e.g. the /data/* directory). By default, log4jscanner will not scan magic filesystems, such as /proc and /sys.

$ sudo log4jscanner --skip '/data/*' /

For heavy customization, such as reporting to external endpoints, much of the tool’s logic is exposed through the jar.Walker API.

False positives

False positives have been observed for the scanner. Use caution when rewriting JARs automatically or taking other mitigations based on scan results.

If you do hit a false positive, please open an issue.

Get Log4jScanner

Written by SH

Leave a Reply

Exit mobile version