
This information should enable product owners, developers and other parties to evaluate whether an application is affected by the Log4j vulnerability or not.

Warning: Please be aware that we are not able to provide further support. This document is subject to change and could be updated if new information becomes available.

As the Bosch Cyber Defense Center, we currently suggest using https://github.com/logpresso/CVE-2021-44228-Scanner. LogPresso is an operating-system-independent CLI tool (Apache v2 License) which scans folders or JAR files for the CVE-2021-44228 vulnerability.

There are existing binaries for Linux and Windows as well as an OS-independent JAR file. The latest releases can be found here: https://github.com/logpresso/CVE-2021-44228-Scanner/releases/latest. The application is then run with the target as its argument:


https://github.com/logpresso/CVE-2021-44228-Scanner (Win, Lin, Java)


./log4j2-scan apache-log4j-2.8.2-bin

[*] Found CVE-2021-44228 vulnerability in /home/andy/Projects/LOG4J/CVE-2021-44228-Scanner/apache-log4j-2.8.2-bin/log4j-core-2.8.2.jar, log4j 2.8.2
[*] Found CVE-2021-44228 vulnerability in /home/andy/Projects/LOG4J/CVE-2021-44228-Scanner/apache-log4j-2.8.2-bin/log4j-core-2.8.2-sources.jar, log4j 2.8.2 (mitigated)
[*] Found CVE-2021-44228 vulnerability in /home/andy/Projects/LOG4J/CVE-2021-44228-Scanner/apache-log4j-2.8.2-bin/log4j-core-2.8.2-tests.jar, log4j 2.8.2 (mitigated)

For more detailed information please check the GitHub Repository.
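To make the "vulnerable" versus "(mitigated)" distinction in the output above concrete, here is a simplified Python sketch of such a scan. It is an added example, not the LogPresso tool's code. It assumes a log4j-core copy is identified by its Maven pom.properties, that it counts as mitigated when JndiLookup.class has been removed, and that 2.15.0, 2.12.2 and 2.3.1 are the fixed releases for CVE-2021-44228. It also looks inside nested archives (fat JARs, WARs), which a filename-only search misses.

```python
import io, os, re, sys, zipfile

# Maven metadata and the JNDI lookup class as they are laid out inside log4j-core.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """Return (major, minor, patch) from pom.properties; pre-release tags are ignored."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_affected(v):
    """Assumed range: 2.x before 2.15.0, minus the 2.12.2+ and 2.3.1+ backport fixes."""
    backport = (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0)
    return v[0] == 2 and v < (2, 15, 0) and not backport

def scan_archive(fileobj, label, findings, depth=0):
    """Inspect one archive, then recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return  # unreadable archive; a production scanner would report this
    with zf:
        names = set(zf.namelist())
        if POM in names:
            v = parse_version(zf.read(POM).decode("utf-8", "replace"))
            if v and is_affected(v):
                status = "vulnerable" if JNDI in names else "mitigated"
                findings.append((label, ".".join(map(str, v)), status))
        if depth < 5:  # bound recursion so a crafted archive cannot nest forever
            for n in sorted(names):
                if n.lower().endswith(ARCHIVES):
                    scan_archive(io.BytesIO(zf.read(n)), f"{label}!{n}", findings, depth + 1)

def scan_path(root):
    """Walk a directory tree and return sorted (location, version, status) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    scan_archive(fh, path, findings)
    return sorted(findings)

if __name__ == "__main__":
    for location, version, status in scan_path(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[*] log4j-core {version} in {location} ({status})")
```

Shaded copies whose Maven metadata has been stripped are not found by this sketch, which is one reason no scanner reaches a 100% detection rate.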

Remarks:

Detection Rate:

While we are not aware of any tool with a 100% detection rate, LogPresso proved to have the highest rate in our tests. If you are aware of a solution with a higher detection rate, please let us know.

Known Issues:

AV Detection on BCN Clients:

Sometimes the file will be blocked on BCN-managed Windows devices. This issue is currently being investigated by MPS. Please use a non-managed client (such as a VM) in the meantime.
