How to Find Dangerous Log4j Libraries

The Apache log4j logging library has become the COVID-19 of technology. No sooner than we fix one version than another pops up to annoy us. As of Dec. 21, the latest patched Log4j is version Log4j 2.17.0. If you have that installed in the right places, you’re good.
At this time, there are three separate Log4j security problems. CVE-2021-45046, the original, which scored the perfect 10, and CVE-2021-44228, its much less dangerous cousin. Together, these make up the Log4Shell vulnerability. In addition, there’s another separate log4j denial of service (DoS) attack, CVE-2021-45105.
Finding the Pesky Library
The trick, of course, is finding that pesky Apache logging library. Log4j is used everywhere on Earth… and Mars too. Yes, unpatched Log4j is on the Mars-based Ingenuity helicopter.
Security boffins have spent the last two weeks digging around trying to second guess the dependencies of every outsourced Java project IT has ever signed off. All too much of that code is hidden away in Java Archive Files (JARs).
As Josh Bressers, Anchore vice president of security explained, “One of the challenges the log4j vulnerability poses is actually finding it. Java applications and dependencies are usually in some sort of packaging format that makes the distribution and running really easy, but it can make figuring out what’s inside of those software packages difficult.”
You see, Bressers continued, “When working within Java, dependencies are cataloged as Java archive files, typically called JAR files. These are packages that can then be used as a Java library, but the issue here is that JAR files can start to look like Russian nesting dolls. A JAR file can contain JAR files, and those also contain JAR files. It’s basically JAR files all the way down.”
“All hope is not lost though!” concluded Bressers. You can use two Anchore open-source projects Syft and Grype, to detect and identify log4j, even if it’s buried in the third circle of JAR files.
Other Tools, Programs Available
There are other tools you can use to try to spot vulnerable versions of log4j. Some major security overview scanners now include tools for finding potentially vulnerable log4j libraries. These include: Cyber CNS, F-Security Elements, LionGuard, Microsoft Defender for Endpoint, Qualys Application Scanning, and Tanium.
There are also programs, almost all of which are open source, that can be used just to find log4j libraries.
In alphabetical order these are:
- Amazon Inspector and AWS: Amazon Web Services‘ Amazon Inspector automatically scans for the vulnerability in your Amazon EC2 instances and Amazon Elastic Container Registry Images (Amazon ECR). Scanning is triggered by events such as new software packages, new instances, and new common vulnerability and exposure (CVEs) being published.
- Arctic Wolf‘s open source Log4Shell Deep Scan is available on GitHub. It detects both CVE-2021-45046 and CVE-2021-44228, the first two within nested JAR; WAR, a JAR file used to package web applications; and Enterprise Application aRchive (EAR), a Jakarta file format.
- Bi.Zone Log4j_Detector uses a YARA rule to scan the memory of Java processes for Log4j signatures. YARA is a pattern-matching program for identifying and classifying malware. It outputs a list of hosts containing applications running log4j2.
- Cybersecurity & Infrastructure Security Agency (CISA) CVE-2021-44228_scanner. This CERT created scanner searches for the JndiLookup.class in JAR, WAR, and EAR files. It comes as both a PowerShell and Python3 script.
- JFrog is offering four different open source scanners. These are available for download now via GitHub in both Java and Python. These scans for calls to log4j logging functions in .java source files and compiled .jars.
- NCC Group RIFT log4j-finder is an open source Python scanner for log4j. It searches recursively both on disk and inside, nested JARs.
- Profero Log4jScanner is an open source tool for scanning internal subnets for vulnerable log4j web services. It does this by sending a Java Naming and Directory Interface (JNDI) payload to each discovered web service to a list of common HTTP/S ports.
- Trend Micro Log4j Vulnerability Tester. This web-based program is designed to work on application endpoints. Unlike the other test programs, it runs as a service off the Trend Microservers and the source code isn’t available.
Good hunting! And may all your patches be made before the holidays.