The Log4Shell vulnerability is considered the most significant vulnerability of the year because of its ease of exploitation, with a CVSS score of 10.0. The vulnerability allows attackers to carry out unauthenticated remote code execution on any application that uses the Log4j library. Worse, the Log4j library is part of a wide range of applications, which made millions of machines vulnerable to the CVE-2021-44228 Log4Shell vulnerability. We covered a summary of the CVE-2021-44228 Log4Shell vulnerability, with the permanent fix and mitigation actions, in our previous post. However, before you fix the CVE-2021-44228 Log4Shell vulnerability, it is important to detect the vulnerable machines on your network. Let’s see how to detect the CVE-2021-44228 Log4Shell vulnerability on your server.
We have created this post to let all of you know how to detect the CVE-2021-44228 Log4Shell Vulnerability on your network. Let’s get started.
The vulnerability affects anybody who’s using the log4j packages log4j-core, log4j-api. You may need to check the version as different versions will have different mitigation advisories.
Log4j Versions | Mitigation Advisories |
>=2.10 | The vulnerability can be mitigated just by setting system property “log4j2.formatMsgNoLookups” to “true” OR the environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to true. |
>=2.7 and <=2.14.1 | All “PatternLayout” patterns can be modified to specify the message converter as “%m{nolookups}” instead of just “%m”. |
<=2.10.0 | The mitigation is to remove the “JndiLookup” class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class |
<1.x | It is not confirmed that v1 is also vulnerable. However, it is vulnerable to another RCE CVE-2019-1757 vulnerability. We recommend upgrading to v2.15.0. |
If you are searching for a command to check the Log4j version, you may end up with no results. There is no command that will tell you the version of Log4j installed on your system. Some applications ship the libraries directly as a jar file and some bundle them inside archives. You may need to peek inside the jar or archive to see the version of Log4j.
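One way to look inside jars and archives, as an added example that is not part of the original post or of any tool it mentions: the script opens each archive (including jars nested inside .war/.ear files), reads the log4j-core version from its Maven metadata, and reports whether the JndiLookup class named in the table above is still present. It assumes the standard Maven `pom.properties` location; repackaged jars without that file are reported as "unknown". The function and constant names are hypothetical.

```python
import io
import os
import re
import sys
import zipfile

# Entry paths as they appear inside a Maven-built log4j-core jar (assumed layout)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # how many levels of nested archives to open


def inspect_archive(src, label, depth=0):
    """Return (label, version, jndi_present) for each log4j-core copy in src."""
    findings = []
    try:
        with zipfile.ZipFile(src) as zf:
            names = zf.namelist()
            # Suffix match also catches classes unpacked under WEB-INF/classes/
            pom = next((n for n in names if n.endswith(POM)), None)
            jndi = any(n.endswith(JNDI) for n in names)
            if pom or jndi:
                text = zf.read(pom).decode("utf-8", "replace") if pom else ""
                m = re.search(r"^version=(.+)$", text, re.M)
                findings.append((label, m.group(1).strip() if m else "unknown", jndi))
            for n in names:
                if depth < MAX_DEPTH and n.lower().endswith(ARCHIVE_EXT):
                    nested = io.BytesIO(zf.read(n))
                    findings += inspect_archive(nested, f"{label}!{n}", depth + 1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable, corrupt, or not really an archive
    return findings


def scan_tree(root):
    """Inspect every archive found under a directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                findings += inspect_archive(path, path)
    return findings


if __name__ == "__main__":
    for label, version, jndi in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label}\tlog4j-core={version}\tJndiLookup.class={'present' if jndi else 'absent'}")
```

A result with a version and `JndiLookup.class=absent` indicates a jar where the class-removal mitigation has already been applied.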
Searching the file system for files named ‘Log4j’ is the simplest way to detect the CVE-2021-44228 Log4Shell vulnerability. This is a less accurate method of detection. However, it is the most convenient and easiest way.
# find / -name 'log4j*'
There is a command line utility to check .jar and .war files and report if anything looks vulnerable. The tool matches the hashes of known vulnerable Log4j classes with the Log4j classes found on the server. The auto scan tool is available for download here. Please make sure that you download the correct version for your operating system.
# tar -xzf lunasec_1.0.0-log4shell_Linux_x86_64.tar.gz
After extracting the log4shell tool, run it using the “./log4shell scan” command. Command syntax: ./log4shell scan <directory or jar file>
Linux:
# ./log4shell scan /opt/splunk/
Windows:
> log4shell.exe scan /opt/splunk/
LunaSec is an end-to-end security system designed to protect your application by transparently encrypting sensitive data, from browser to database. It works seamlessly by storing your sensitive data and then giving you back a Token (a UUID) to retrieve data with later. LunaSec builds on that concept to offer many security and compliance features. Click here and ask for the demo.
LunaSec can also be used to check for vulnerable JAR files. However, this method may not be as effective as the previous two.
# git clone https://github.com/lunasec-io/lunasec.git
# cd lunasec/tools/log4shell-jar-scripts
# ./setup.sh
# ./find-bad-deps.sh /path/to/folder/to/scan
We hope this post helps you learn how to detect the CVE-2021-44228 Log4Shell vulnerability on your machines. Thanks for reading this threat post.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.