Today I received the notifications from AWS about the security vulnerabilities related to Log4j.
How do I check if Log4j is installed on my server? I installed many third-party packages and maybe some of them contain it. Is there a command to run on my server to check if Log4j is installed?
1. Try this script to get a hint:
echo "checking for log4j vulnerability...";
if [ "$(locate log4j|grep -v log4js)" ]; then
echo "### maybe vulnerable, those files contain the name:";
locate log4j|grep -v log4js;
if [ "$(dpkg -l|grep log4j|grep -v log4js)" ]; then
echo "### maybe vulnerable, installed packages:";
dpkg -l|grep log4j;
if [ "$(which java)" ]; then
echo "java is installed, so note that Java applications often bundle their libraries inside jar/war/ear files, so there still could be log4j in such applications.";
echo "If you see no output above this line, you are safe. Otherwise check the listed files and packages.";
run in one line with
wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - |bash
2. There is no command that will surely tell you that. Some applications ship the libraries they use directly as a jar file, some will contain them in an archive. And even then you don’t know which version is shipped and how it is used. The only way to be sure you mitigate the CVE is to read the security announcements and release notes of your applications and follow their advisories.
3. I you have installed all your packages by using apt or apt-get, you can check it by running:
dpkg -l | grep log4
If you have used other means to install Java applications, you can try to search for the JAR file:
find / -name 'log4j*'
4. Note that this is a Java library, so if you are not running any Java application (and by extension, if you don’t have Java installed), you are safe. “Didier L”
5. if locate is installed, this is much faster. And scan for results not containing log4js use:
locate log4j|grep -v log4js