Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I find out what version of Log4J I am using?

Tags:

java

log4j

As we all know, at least four or five Log4j JAR files end up being in the classpath. How can I tell which version I am using?

like image 383
markthegrea Avatar asked May 25 '16 13:05

markthegrea


People also ask

What is the current version of Log4j?

Log4j 2.18. 0 is the latest release of Log4j.

Where is the Log4j log file?

The Log4j logging settings are stored in the file app_data /conf/server/log4j. properties, where app_data is the application data folder. You can edit this file directly on the server or open it by clicking Settings > Logging.


1 Answers

I came here after learning my servers may be vulnerable to the new Log4j exploit (CVE-2021-44228). So I needed to know whether I had an outdated/vulnerable build of Log4j version 2 installed.

Previous answers here do not help with detecting old versions, because they are for letting already-running Java code figure out which version of Log4j that code uses, whereas I need to know if any Java app could be using a vulnerable version.

Here's what I did instead:

sudo find / -name 'log4j*' 

This lists all Log4j related files on my (Linux) server. That showed me a few 1.x versions, which are not vulnerable to this specific CVE, and one 2.15.0 file, which already contains the fix for the CVE.

If you run this and find file or folder names that have 2.x, where x < 15, then you are likely vulnerable, and need to figure out how to update your files ASAP.

Caution

I was warned that this is not enough of a test for my purpose because the Log4j files may be hidden inside a .jar file, which the find command would not discover.

Update

Here's a public project that attempts to scan all .jar files, in order to find Log4j code inside archives as well: Log4-detector

like image 100
Thomas Tempelmann Avatar answered Oct 25 '22 07:10

Thomas Tempelmann