log4j-checker tool helps identify whether a certain system runs a vulnerable version of the log4j library. Download it and run on each suspected system in your organization.
Please refer to the usage section for more details.
At-Bay is an insurance company designed to help businesses understand and address digital risk by combining world-class technology with industry-leading insurance expertise. We question, analyze, and monitor the risk of every company in our portfolio and support our brokers and our insureds throughout our partnership.
The project is licensed under MIT License.
Supported Operating Systems
- linux (amd64)
- freebsd/darwin (MacOS) (amd64)
To automatically scan all running Java processes, you would need an installation of jps.
First verify your Java version (from cmd:
java -version) and install the appropriate JDK using:
# on Debian/Ubuntu systems sudo apt install openjdk-VERSION-jdk-headless
Alternatively, specify (multiple pairs of)
--include PATH argument to scan specific directories but not the currently running Java processes
This project is made for non-commercial and ethical testing purposes only. Usage of
log4j-checker for attacking targets is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
download a precompiled binary from the releases page
or use Golang build tool:
GOOS=linux GOARCH=amd64 go build from the root of this repository.
To scan all running Java processes, we recommend running the tool as with root permissions:
Usage of sudo ./log4j-scanner-amd64-darwin-v1.0.3.bin: -exclude value path to exclude. example: -exclude PATH [-exclude ANOTHER] -ignore-v1 ignore log4j 1.x versions checks -include value path to include. example: -include PATH [-include ANOTHER] -log string log file to write output to -verbose verbose output. without this flag, no output unless vulnerable
Please report issues in the project issues page.