License: MIT


log4j-checker tool helps identify whether a certain system runs a vulnerable version of the log4j library. Download it and run on each suspected system in your organization.
Please refer to the usage section for more details.

About At-Bay

At-Bay is an insurance company designed to help businesses understand and address digital risk by combining world-class technology with industry-leading insurance expertise. We question, analyze, and monitor the risk of every company in our portfolio and support our brokers and our insureds throughout our partnership.


The project is licensed under MIT License.

Supported Operating Systems

  • linux (amd64)
  • freebsd/darwin (MacOS) (amd64)


To automatically scan all running Java processes, you would need an installation of jps.
First verify your Java version (from cmd: java -version) and install the appropriate JDK using:

# on Debian/Ubuntu systems
sudo apt install openjdk-VERSION-jdk-headless

Alternatively, specify (multiple pairs of) --include PATH argument to scan specific directories but not the currently running Java processes

Legal Disclaimer

This project is made for non-commercial and ethical testing purposes only. Usage of log4j-checker for attacking targets is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.


download a precompiled binary from the releases page
or use Golang build tool: GOOS=linux GOARCH=amd64 go build from the root of this repository.


To scan all running Java processes, we recommend running the tool as with root permissions:

Usage of sudo ./log4j-scanner-amd64-darwin-v1.0.3.bin:
  -exclude value
        path to exclude. example: -exclude PATH [-exclude ANOTHER]
        ignore log4j 1.x versions checks
  -include value
        path to include. example: -include PATH [-include ANOTHER]
  -log string
        log file to write output to
        verbose output. without this flag, no output unless vulnerable


Please report issues in the project issues page.


View Github