
The Log4Shell vulnerability is considered the most significant vulnerability of the year because of its ease of exploitation, with a CVSS score of 10.0. The vulnerability allows attackers to carry out unauthenticated remote code execution on any application that uses the Log4j library. Worse, the Log4j library is part of a wide range of applications, which left millions of machines vulnerable to the CVE-2021-44228 Log4Shell vulnerability. We covered a summary of CVE-2021-44228 with the permanent fix and mitigation actions in our previous post. However, before you fix CVE-2021-44228, it is important to detect the vulnerable machines on your network. Let’s see how to detect the CVE-2021-44228 Log4Shell vulnerability on your server.

We have created this post to let all of you know how to detect the CVE-2021-44228 Log4Shell Vulnerability on your network. Let’s get started.

The vulnerability affects anybody who’s using the log4j packages log4j-core, log4j-api. You may need to check the version as different versions will have different mitigation advisories.

| Log4j Versions | Mitigation Advisories |
|---|---|
| >=2.10 | The vulnerability can be mitigated just by setting the system property “log4j2.formatMsgNoLookups” to “true” OR the environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to true. |
| >=2.7 and <=2.14.1 | All “PatternLayout” patterns can be modified to specify the message converter as “%m{nolookups}” instead of just “%m”. |
| <=2.10.0 | The mitigation is to remove the “JndiLookup” class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class |
| <1.x | It is not confirmed that v1 is also vulnerable. However, it is vulnerable to another RCE CVE-2019-1757 vulnerability. We recommend upgrading to v2.15.0. |

If you are searching for a command to check the Log4j version, you may end up with no results. There is no command that will tell you the version of Log4j installed on your system. Some applications ship the library directly as a jar file, and some bundle it inside archives. You may need to peek inside the jar or archive to see the version of Log4j.
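One way to look inside jars and archives as described above, added here as an example (it is not code from the original post or from LunaSec): it reads the version from the Maven `pom.properties` file that log4j-core jars normally carry and checks whether `JndiLookup.class` is still present, including in jars nested inside WAR or fat-JAR files. The function names and the nesting limit are assumptions of this example; jars whose Maven metadata was stripped are reported as `unknown`.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata kept inside log4j-core jars; its "version=" line is the library version.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that the JndiLookup-removal mitigation deletes with `zip -q -d`.
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def inspect_archive(data, label, depth=0, max_depth=4):
    """Return [(location, version, has_jndilookup)], descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # unreadable archive: skip it rather than abort the scan
    findings = []
    with zf:
        names = zf.namelist()
        # Fat/shaded jars may prefix the paths, so match on the suffix.
        has_jndi = any(n.endswith(JNDI) for n in names)
        poms = [n for n in names if n.endswith(POM)]
        version = "unknown"  # metadata stripped or jar not built by Maven
        if poms:
            text = zf.read(poms[0]).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", text, re.M)
            version = m.group(1).strip() if m else version
        if poms or has_jndi:
            findings.append((label, version, has_jndi))
        for n in (names if depth < max_depth else []):
            if n.lower().endswith(ARCHIVES):
                findings += inspect_archive(zf.read(n), f"{label}!/{n}", depth + 1, max_depth)
    return findings


def scan_tree(root):
    """Inspect every archive file found under `root` on disk."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            out += inspect_archive(p.read_bytes(), str(p))
    return out


if __name__ == "__main__":
    for loc, ver, jndi in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{loc}\tlog4j-core {ver}\tJndiLookup.class {'present' if jndi else 'absent'}")
```

Run it with the directory to scan as the only argument; compare each reported version against the mitigation table above.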

1. Search For Files On The File System

Searching the file system for files with ‘Log4j’ in the name is the simplest way to detect the CVE-2021-44228 Log4Shell vulnerability. This is a less accurate method of detection. However, it is the most convenient and easiest way.

# find / -name 'log4j*'

2. Scan The Package

There is a command line utility to check .jar and .war files and report if anything looks vulnerable. The tool matches the hashes of known vulnerable Log4j classes with the Log4j classes found on the server. The auto scan tool is available for download here. Please make sure that you download the correct version for your operating system.

  1. Download the Log4j scanning tool using the wget command
    # wget https://github.com/lunasec-io/lunasec/releases/download/v1.0.0-log4shell/lunasec_1.0.0-log4shell_Linux_x86_64.tar.gz

  2. Extract the downloaded log4shell tool
    # tar -xzf lunasec_1.0.0-log4shell_Linux_x86_64.tar.gz

  3. Scan the system using the log4shell tool
    After extracting the log4shell tool, run the tool using the “./log4shell scan” command.
    command syntax: ./log4shell scan <directory or jar file>

    Linux:
    # ./log4shell scan /opt/splunk/

    Windows:
    > log4shell.exe scan /opt/splunk/

 


3. Scan for Vulnerable JAR files Using LunaSec

LunaSec is an end-to-end security system designed to protect your application by transparently encrypting sensitive data, from browser to database. It works seamlessly by storing your sensitive data and then giving you back a Token (a UUID) to retrieve data with later. LunaSec builds on that concept to offer many security and compliance features. Click here and ask for the demo.

LunaSec can also be used to check for vulnerable JAR files. However, this method may not be as effective as the previous two.

  1. Download the LunaSec app from the Git page.
    # git clone https://github.com/lunasec-io/lunasec.git

  2. Change the directory to lunasec/tools/log4shell-jar-scripts
    # cd lunasec/tools/log4shell-jar-scripts

  3. Run the setup.sh
    # ./setup.sh

  4. Search for Vulnerable JAR Files
    # ./find-bad-deps.sh /path/to/folder/to/scan

IoCs of CVE-2021-44228 Log4Shell Vulnerability:
