As we all know, at least four or five Log4j JAR files end up being in the classpath. How can I tell which version I am using?
Log4j 2.18. 0 is the latest release of Log4j.
The Log4j logging settings are stored in the file app_data /conf/server/log4j. properties, where app_data is the application data folder. You can edit this file directly on the server or open it by clicking Settings > Logging.
I came here after learning my servers may be vulnerable to the new Log4j exploit (CVE-2021-44228). So I needed to know whether I had an outdated/vulnerable build of Log4j version 2 installed.
Previous answers here do not help with detecting old versions, because they are for letting already-running Java code figure out which version of Log4j that code uses, whereas I need to know if any Java app could be using a vulnerable version.
Here's what I did instead:
sudo find / -name 'log4j*'
This lists all Log4j related files on my (Linux) server. That showed me a few 1.x versions, which are not vulnerable to this specific CVE, and one 2.15.0 file, which already contains the fix for the CVE.
If you run this and find file or folder names that have 2.x, where x < 15, then you are likely vulnerable, and need to figure out how to update your files ASAP.
I was warned that this is not enough of a test for my purpose because the Log4j files may be hidden inside a .jar file, which the find
command would not discover.
Here's a public project that attempts to scan all .jar files, in order to find Log4j code inside archives as well: Log4-detector
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With