Skip to content
/ log4shell-hunter Public

Scanner that scans local files for log4shell vulnerability. Does bytecode analysis so it does not rely on metadata. Will find vulnerable log4j even it has been self-compiled/repackaged/shaded/nested (e.g. uberjar, fatjar) and even obfuscated.

License

GPL-3.0 license
7 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

pfichtner/log4shell-hunter

BranchesTags

Repository files navigation

log4shell-hunter

Java CI with Maven GitLicense Known Vulnerabilities codecov BCH compliance FOSSA Status

Are you afraid of having JARs or even commercial (e.g. closed source) applications where a vulnerable version of log4j is included (shaded) or that your coders copied vulnerable log4j classes in some of their projects? This is where most scanners will have false negatives because they rely on metadata like pom.xml describing the log4j version.

This scanner does bytecode analysis! So it does not depend on:

  • fingerprinted jar files
  • fingerprinted class files
  • class names (e.g. JndiLookup)
  • poms/pom entries

So log4shell-hunter will find vulnerable log4j versions even if:

  • log4j's source has been compiled by third-parties (no matter what compiler/compiler version)
  • log4j (or parts of it) has/have been included/copied in/to other jars
  • log4j was repacked (uberjar, fatjar), even if packages have been renamed, e.g. org.apache.logging -> org.acme.foo.logger.bar

The scanner analyzes jars and tries to detect:

  • classes that are annotated with log4j's Plugin annotation org.apache.logging.log4j.core.config.plugins.Plugin.
  • This even works if the Plugin has renamed or even obfuscated (depending on the log4shell-hunter's mode parameter)

Usage

Example usage

find \( -name "*.jar" -o -name "*.zip" -o -name "*.ear" -o -name "*.war" \) -exec java -jar log4shell-hunter-0.0.3.jar -m obfuscatorComparator {} \;

Example output

./log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war
> Possible 2.1+ match found in class org.apache.logging.log4j.core.lookup.JndiLookup in resource /WEB-INF/lib/log4j-core-2.10.0.jar

Mode can be se to one of defaultComparator, repackageComparator, obfuscatorComparator.

  • defaultComparator: Log4j classes have to match exactly the expected class+package name. Same apply for their methods.
  • repackageComparator: Log4j classes have to match the expected names where package name will be ignored. Method names have to match exactly (default)
  • obfuscatorComparator: log4shell-hunter does not depend on any class or method names but tries to detect log4 classes by some criteria. This mode will find even repackaged log4js even if the jar has been obfuscated

Build from source

git clone https://github.com/pfichtner/log4shell-hunter.git
cd log4shell-hunter/
# build using included maven wrapper 
# of course you can use your locally installed "mvn" instead of the maven wrapper "./mvnw"
./mvnw package 
java -jar target/log4shell-hunter-0.0.3.jar

License

GNU General Public License v3.0

About

Scanner that scans local files for log4shell vulnerability. Does bytecode analysis so it does not rely on metadata. Will find vulnerable log4j even it has been self-compiled/repackaged/shaded/nested (e.g. uberjar, fatjar) and even obfuscated.

Topics

java log4j scanner vulnerability-scanner cve-2021-44228 log4j-rce log4shell cve-2021-45046 cve-2021-45105

Resources

Readme

License

GPL-3.0 license
Activity

Stars

7 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases 3

Fix for log4j 2.12.x and 2.17.x Latest
Mar 3, 2024
+ 2 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages