v1.22-20220222

Version 1.22-20220222

• Added: Reading library version and name (log4j, log4j-core, reload4j) from MANIFEST.MF as well as from pom.properties
• Performance improvements by additional 15%
• Added: Autodetecting all local drives in mswin with all parameter
• Added: --no-csv-header to omit csv header to allow easier merging of results from multiple hosts
• Added: Detecting CVE-2017-5645 (9.8), CVE-2019-17571 (9.8), CVE-2022-23307 (8.1), CVE-2022-23305 (9.8), CVE-2022-23305 (9.8), CVE-2022-23302 (8.1), improved detection of CVE-2017-5645
• Added: --threads parameter to manually tune number of scanning threads
• Added: --cvs-clean parameter in order to write "CLEAN" line to csv output in case no log4j library detected
• Added: --cvs-stats parameter in order to write "STATS" line to csv output with runtime in seconds and number of files and folders scanned

v1.21-20220109

Version 1.21-20220109

• Fixed bug: --fix command in version 1.19 and 1.20 could corrupt .jar archives.
• Performance improvement via multithreaded scanning
• Fixed searching within extracted log4j folders on Windows
• Removed mmap access due to incompatibility with Windows.

v1.18-20220107

Version 1.18-20220107

• Code readability and performance improvements
• Added parameter --file-log [LOGFILE] to enable logging to log file, default is log4shell-finder.log.
• Added parameter --progress [SEC] to enable progress reporting every SEC seconds, default is 10 seconds.

v1.17-20220105

Version 1.17-20220105

• Reworked status reporting, now listing all CVEs relevant for specific version of log4j.
• Added --no-error to suppress file system error messages (e.g. Access Denied, corrupted zip archive).
• Suppressed STRANGE status reporting by default - STRANGE are mainly source packages, that do not contain class binaries.
• Added --strange to report also STRANGE instances.

v1.16-20211230

Version 1.16

• Fixed detection of 2.12.3 extracted

v1.15-20211230

Version 1.15

• Added support for versions 2.3.2, 2.12.4 and 2.17.1
• Reporting actual CVEs instead of VULNERABLE or NOTOKAY status

v1.13-20211228

Version 1.13

Do not use version 1.11 and 1.12. They may corrupt .jar archives with --fix command

• Added additional possible "JAR" file extensions.
• Fixed bug: --fix command could corrupt .jar archives.
• minor fix: status for 2.12.2 as NOTOKAY
• added --fix parameter with attempt to fix the vulnerability by renaming JndiLookup.class to JndiLookup.vulne.
  At the moment it can handle .class files on disk and within 1st level archives.
  Class cannot be renamed in archives imbedded in other archives (nested).

v1.10-20211222

Version 1.10-20211222

• added detection of 2.12.3 and 2.3.1
• added option to disable default logging to file --no-file-log

v1.8-20211222

• added host information to the json file
• possibility to save output to csv with --csv-out
• if you omit file names for --json-out or --csv-out then the file name has a form: hostname_ipaddress.<csv|json>

v1.6-20211221

Version 1.6-20211221

• added checks for JMSAppender.class within v1.x version