How to Detect CVE-2021-44228 Log4Shell Vulnerability

The Log4Shell vulnerability is considered the most significant vulnerability of the year because of its ease of exploitability, with a CVSS score of 10.0. The vulnerability allows attackers to carry out unauthenticated remote code execution on any application that uses the Log4j library. Worse, the Log4j library is part of a wide range of applications, which made millions of machines vulnerable to the CVE-2021-44228 Log4Shell vulnerability. We covered the summary of the CVE-2021-44228 Log4Shell vulnerability, with the permanent fix and mitigation actions, in our previous post. However, before you fix the CVE-2021-44228 Log4Shell vulnerability, it is important to detect the vulnerable machines on your network. Let’s see how to detect the CVE-2021-44228 Log4Shell vulnerability in your server.

We have created this post to let all of you know how to detect the CVE-2021-44228 Log4Shell Vulnerability on your network. Let’s get started.

The vulnerability affects anybody who is using the Log4j packages log4j-core and log4j-api. You need to check the version, as different versions have different mitigation advisories.

| Log4j Versions | Mitigation Advisories |
|---|---|
| >=2.10 | The vulnerability can be mitigated just by setting system property “log4j2.formatMsgNoLookups” to “true” OR the environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to true. |
| >=2.7 and <=2.14.1 | All “PatternLayout” patterns can be modified to specify the message converter as “%m{nolookups}” instead of just “%m”. |
| <=2.10.0 | The mitigation is to remove the “JndiLookup” class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. |
| <1.x | It is not confirmed that v1 is also vulnerable. However, it is vulnerable to another RCE CVE-2019-1757 vulnerability. We recommend upgrading to v2.15.0. |

If you are searching for a command to check the Log4j version, you may end up with no results. There is no such command that will tell you the version of Log4j installed on your system. Some applications ship the libraries directly as a jar file, and some bundle them inside other archives. You may need to look inside the jar or archive to see the version of Log4j.
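One way to look inside jars and nested archives for the bundled Log4j version, as an added example (not code from this post or from LunaSec). It assumes log4j-core 2.x keeps its Maven metadata at the path shown and treats 2.15.0, the upgrade target named above, as the first fixed release; the function names and the size limit are hypothetical choices.

```python
import io
import os
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class the mitigation removes
ARCHIVES = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)          # upgrade target named on this page
MAX_ENTRY = 256 * 1024**2   # assumption: skip nested entries larger than 256 MiB

def parse_version(props):
    """(major, minor, patch) from pom.properties bytes; '2.0-beta9' gives (2, 0, 0)."""
    m = re.search(rb"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(ver, has_jndi):
    if ver is not None and ver >= FIXED:
        return "patched"
    if not has_jndi:
        return "jndilookup-removed"   # metadata present, class stripped from the jar
    return "affected" if ver is not None else "unknown-version"

def scan_archive(src, label, depth=5):
    """Inspect one archive (path or file object), recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(src)
    except (zipfile.BadZipFile, OSError):
        return []  # not a zip, or unreadable: skip rather than abort the sweep
    findings = []
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            ver = parse_version(zf.read(POM)) if POM in names else None
            findings.append((label, ver, classify(ver, JNDI in names)))
        for info in zf.infolist():
            if depth and info.filename.lower().endswith(ARCHIVES) and info.file_size <= MAX_ENTRY:
                inner = io.BytesIO(zf.read(info))
                findings += scan_archive(inner, f"{label}!/{info.filename}", depth - 1)
    return findings

def scan_tree(root):
    """Scan every archive under a directory, e.g. scan_tree('/opt/splunk')."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, name)
                findings += scan_archive(path, path)
    return findings
```

Matching on Maven metadata misses copies whose metadata was stripped or whose packages were relocated by shading, so treat a clean result as weaker evidence than a hit.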

1. Search For Files On The File System

Searching the file system for files named ‘Log4j’ is the simplest way to detect the CVE-2021-44228 Log4Shell vulnerability. This is a less accurate method of detection. However, it is the most convenient and easiest way.

# find / -name 'log4j*'

2. Scan The Package

There is a command line utility to check .jar and .war files and report if anything looks vulnerable. The tool matches the hashes of known vulnerable Log4j classes with the Log4j classes found on the server. The auto scan tool is available for download here. Please make sure that you download the correct version for your operating system.

  1. Download the Log4j scanning tool using the wget command

    # wget https://github.com/lunasec-io/lunasec/releases/download/v1.0.0-log4shell/lunasec_1.0.0-log4shell_Linux_x86_64.tar.gz


  2. Extract the downloaded log4shell tool

    # tar -xzf lunasec_1.0.0-log4shell_Linux_x86_64.tar.gz


  3. Scan the system using the log4shell tool

    After extracting the log4shell tool, run it using the “./log4shell scan” command.
    command syntax: ./log4shell scan <directory or jar file>


    Linux:
    # ./log4shell scan /opt/splunk/


    Windows:
    > log4shell.exe scan /opt/splunk/


3. Scan for Vulnerable JAR files Using LunaSec

LunaSec is an end-to-end security system designed to protect your application by transparently encrypting sensitive data, from browser to database. It works seamlessly by storing your sensitive data and then giving you back a Token (a UUID) to retrieve data with later. LunaSec builds on that concept to offer many security and compliance features. Click here and ask for the demo.

LunaSec can also be used to check for vulnerable JAR files. However, this method may not be as effective as the previous two.

  1. Download the LunaSec app from the Git page.

    # git clone https://github.com/lunasec-io/lunasec.git

  2. Change the directory to lunasec/tools/log4shell-jar-scripts

    # cd lunasec/tools/log4shell-jar-scripts

  3. Run the setup.sh

    # ./setup.sh

  4. Search for Vulnerable JAR Files

    # ./find-bad-deps.sh /path/to/folder/to/scan

IoCs of CVE-2021-44228 Log4Shell Vulnerability:


We hope this post helps you learn how to detect the CVE-2021-44228 Log4Shell vulnerability on your machines. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
