What will be the best way to search for log4j vulnerability? Is it a search for "log4j" keyword in the source code enough? Does it only affects Java applications? I read somewhere that applications sometimes rename log4j under another name. A quick google search gives several tools than claim can detect the vulnerability.
CodePudding user response:
You can use below scanner to identify vulnerable files in your application.
CodePudding user response:
The vulnerability comes from JndiLookup.class
. In your console use the following command:
sudo grep -r --include "*.jar" JndiLookup.class /
If it returns nothing, you are not vulnerable. But you may encounter such returns:
Fichier binaire /home/myuser/docx2tex/calabash/distro/lib/log4j-core-2.1.jar correspondant
or
grep: /usr/share/texmf-dist/scripts/arara/arara.jar : fichiers binaires correspondent
The first one is clearly vulnerable (version matches), the second one has to be investigated. To mitigate the risk I've immediately removed the JndiLookup.class with the following:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
and
zip -q -d arara.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Applications may continue to work, or not. By the way upgrading to versions using log4J >= 2.17 has to be done. This is the next step, in the meantime you are no more vulnerable.