Associated Vulnerability
Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Readme
log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch.
### Download
* [log4j2-scan 1.3.1 (Windows x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.3.1/logpresso-log4j2-scan-1.3.1-win64.7z)
* If native executable doesn't work, use the JAR instead. 32bit is not supported.
* [log4j2-scan 1.3.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.3.1/logpresso-log4j2-scan-1.3.1-linux.tar.gz)
* If native executable doesn't work, use the JAR instead. 32bit is not supported.
* [log4j2-scan 1.3.1 (Any OS, 10KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.3.1/logpresso-log4j2-scan-1.3.1.jar)
### How to use
Just run log4j2-scan.exe or log4j2-scan with target directory path.
Usage
```
Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.1 (2021-12-15)
Usage: log4j2-scan [--fix] target_path
--fix
Backup original file and remove JndiLookup.class from JAR recursively.
--force-fix
Do not prompt confirmation. Don't use this option unless you know what you are doing.
--trace
Print all directories and files while scanning.
--exclude [path_prefix]
Exclude specified paths. You can specify multiple --exclude [path_prefix] pairs
--exclude-config [file_path]
Specify exclude path list in text file. Paths should be separated by new line. Prepend # for comment.
--all-drives
Scan all drives on Windows
--drives c,d
Scan specified drives on Windows. Spaces are not allowed here.
```
On Windows
```
log4j2-scan [--fix] target_path
```
On Linux
```
./log4j2-scan [--fix] target_path
```
On UNIX (AIX, Solaris, and so on)
```
java -jar logpresso-log4j2-scan-1.3.1.jar [--fix] target_path
```
If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. It is necessary to shutdown any running JVM process before applying patch. Start affected JVM process after fix.
If you want to automate patch job, use `--force-fix` option. With this option, this program will no longer prompt for confirmation.
`(mitigated)` tag will be displayed if `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry is removed from JAR file.
If you add `--trace` option, this program will print all visited directories and files. Use this option only for debugging.
On Windows:
```
CMD> log4j2-scan.exe D:\tmp
[*] Found CVE-2021-44228 vulnerability in D:\tmp\elasticsearch-7.16.0\bin\elasticsearch-sql-cli-7.16.0.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\elasticsearch-7.16.0\lib\log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\flink-1.14.0\lib\log4j-core-2.14.1.jar, log4j 2.14.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\logstash-7.16.0\logstash-core\lib\jars\log4j-core-2.14.0.jar, log4j 2.14.0
[*] Found CVE-2021-44228 vulnerability in D:\tmp\logstash-7.16.0\vendor\bundle\jruby\2.5.0\gems\logstash-input-tcp-6.2.1-java\vendor\jar-dependencies\org\logstash\inputs\logstash-input-tcp\6.2.1\logstash-input-tcp-6.2.1.jar, log4j 2.9.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-7.7.3\solr-7.7.3\contrib\prometheus-exporter\lib\log4j-core-2.11.0.jar, log4j 2.11.0
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-7.7.3\solr-7.7.3\server\lib\ext\log4j-core-2.11.0.jar, log4j 2.11.0
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-8.11.0\contrib\prometheus-exporter\lib\log4j-core-2.14.1.jar, log4j 2.14.1
[*] Found CVE-2021-44228 vulnerability in D:\tmp\solr-8.11.0\server\lib\ext\log4j-core-2.14.1.jar, log4j 2.14.1
Scanned 5047 directories and 26251 files
Found 9 vulnerable files
Completed in 0.42 seconds
```
### How it works
Run in 5 steps:
1. Find all .jar, .war, .ear files recursively.
2. Find `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` entry from JAR file.
3. Read groupId, artifactId, and version.
4. Compare log4j2 version and print vulnerable version.
5. If --fix option is used, backup vulnerable file and patch it.
* For example, original vulnerable.jar is copied to vulnerable.jar.bak
### Contact
If you have any question or issue, create an issue in this repository.
File Snapshot
[4.0K] /data/pocs/f27d48aed232aa5065b685f2164d14ce5f72d72a
├── [ 11K] LICENSE
├── [5.8K] logo.png
├── [1.2K] pom.xml
├── [4.4K] README.md
└── [4.0K] src
└── [4.0K] main
└── [4.0K] java
└── [4.0K] com
└── [4.0K] logpresso
└── [4.0K] scanner
└── [ 18K] Log4j2Scanner.java
6 directories, 5 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →