Around the current log4shell situation i need a way to find out if i have vulnerable classes in my packaged products. What is the easiest way to find if the following classes are contained in jar files packaged in EAR or WAR files?
- JndiLookup.class
- JMSAppenderBase.class
- JMSAppender.class
CodePudding user response:
One solution would be the following bat script:
@echo off
echo extraction step 1
"C:\Program Files\7-Zip\7z.exe" e -r -aos -bd -otmp *
echo creating filelist
"C:\Program Files\7-Zip\7z.exe" l -r -aos -bd tmp/* >filelist.txt
echo cleanup
rmdir /s /q tmp
echo analysis result:
find "JndiLookup.class" filelist.txt
find "JMSAppenderBase.class" filelist.txt
find "JMSAppender.class" filelist.txt
pause