log4j-scanner
A scanning tool to check if the system is vuln and report it to the log4j-collector which will display the data at the log4j-collector-frontend.
Algorithm Autor
This tool is based on the local-log4j-vuln-scanner from Hillu. (Leave a star to support him)
Introduction
This is a simple tool that can be used to find vulnerable instances of log4j 1.x and 2.x (CVE-2019-17571, CVE-2021-44228) in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged. The scan happens recursively: WAR files containing WAR files containing JAR files containing vulnerable class files ought to be flagged properly.
The scan tool currently checks for known build artifacts that have been obtained through Maven. From-source rebuilds as they are done for Linux distributions may not be recognized.
After the scan is complete, the results are reported to the log4j-collector api. Make sure you set the --api flag to the correct URL.
## Usage
./log4j-scanner [--api] [--verbose] [--quiet] [--ignore-v1] [--log logfilename] [--exclude path] [ paths ... ]
Example
./log4j-scanner --api http://localhost:8080/log4j-collector/api/v1/log4j-scanner/scan --verbose --log vulns.log /path/to/jar/files
Output
log4j-scanner - a simple local log4j vulnerability scanner based on github.com/hillu/local-log4j-vuln-scanner
Scan finished
Vulnerable files:
../../../../IdeaProjects/log4shell-vulnerable-app/vuln.jar::BOOT-INF/lib/log4j-core-2.14.1.jar
Data posted to https://log4j-collector.example.com:8080/api/v1/reports
Building from source
Install the following dependencies:
- go
Run the following command to build the tool:
go build -o log4j-scanner .