4

I have a .jar project which may be using Log4j. How can I check the version number of that Log4j?

It's an executable JAR file. I don't have the source code and can't decompile it.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Sourav
  • 139
  • 1
  • 1
  • 9

6 Answers6

4

Decompress the JAR file and look for the manifest file (META-INF\MANIFEST.MF)

unzip -p file.jar META-INF/MANIFEST.MF
Danil Perestoronin
  • 1,063
  • 1
  • 7
  • 9
  • 2
    If the people distributing the OP's application as a JAR have created it as a shaded JAR or a nested JAR, then the main manifest will most likely not contain the version number of log4j. – Stephen C Dec 13 '21 at 11:32
2

There are two ways to do this

Way 1:

jar -tfv my.jar | grep -i log4

  23590 Tue Aug 10 10:51:24 IST 2021 log4j-slf4j-impl-2.13.3.jar
  32722 Tue Aug 10 10:51:24 IST 2021 log4j-web-2.13.3.jar
1714164 Tue Aug 10 10:51:24 IST 2021 log4j-core-2.13.3.jar
  23702 Tue Aug 10 10:51:24 IST 2021 log4j-over-slf4j-1.7.30.jar
 292301 Tue Aug 10 10:51:24 IST 2021 log4j-api-2.13.3.jar
  11259 Tue Aug 10 10:50:10 IST 2021 log4j2.xml

Way 2:

unzip -l my.jar | grep -i log4

    23590  08-10-2021 10:51   log4j-slf4j-impl-2.13.3.jar
    32722  08-10-2021 10:51   log4j-web-2.13.3.jar
  1714164  08-10-2021 10:51   log4j-core-2.13.3.jar
    23702  08-10-2021 10:51   log4j-over-slf4j-1.7.30.jar
   292301  08-10-2021 10:51   log4j-api-2.13.3.jar
    11259  08-10-2021 10:50   log4j2.xml
Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Manoj
  • 63
  • 1
  • 7
1
org.apache.log4j.Layout.class.getPackage().getImplementationVersion()
Bhushan
  • 104
  • 1
  • 9
  • HI, Thank you for help, As told that I don't have the source code. Not sure how I will run this in a class file. – Sourav Dec 13 '21 at 11:14
  • @Sourav - You don't need the source code of either the application or the log4j JAR file to run that. All you need to do is to write some Java code. (Bear in mind: this is a site for Programming questions, so it is assumed that you know how to program. If you are asking this as a non-programming question, you are asking in wrong place.) – Stephen C Dec 13 '21 at 11:28
1

If you have sudo shell access to the server or host, you can get quick and dirty answers with this or something like it:

sudo find / -name "*log4j*" -print -exec unzip -p {} META-INF/MANIFEST.MF \;

As mentioned in other answers this won't work for all JAR files, but it seemed to for me.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
mreppy
  • 667
  • 5
  • 5
0

Decompress the JAR file of your application and check version in the pom.xml/property file present in directory "META-INF\maven\org.apache.logging.log4j\log4j-core"

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Shashank Mahajan
  • 1
  • 2
  • 2
    As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 15 '21 at 05:44
0

If you are on Linux, this can help. It looks for Log4j JAR files, extracts the manifest files of them and prints the Implementation-Version: line which will show you the version of Log4j.

locs=( $(sudo find / -name 'log4j*'|grep jar) )
fcount=${#locs[@]}

echo "Found $fcount jar files"
echo " "

for (( j=0; j<${fcount}; j++ ));
do
   unzip ${locs[$j]} META-INF/MANIFEST.MF
   mv META-INF/MANIFEST.MF META-INF/MANIFEST$j.MF
done

echo " "
for (( j=0; j<${fcount}; j++ ));
do
    echo ${locs[$j]}
    tail -2 META-INF/MANIFEST$j.MF
done
Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Bünyamin Şentürk
  • 620
  • 5
  • 20