-2

I have read here that the log4j library can be "nested" within other files that are deployed with an application.

I can find files with 'log4j' in the filename but don't know how to find log4j in these "nested jars". Is there a way to do this from the command line?

update

This question has moved to SuperUser here.

Kevin Olree
  • 298
  • 3
  • 10
  • I'd use powershell. Searching through files for a string. https://stackoverflow.com/questions/8153750/how-to-search-a-string-in-multiple-files-and-return-the-names-of-files-in-powers – JonR85 Dec 14 '21 at 21:33
  • This question is being discussed on [meta](https://meta.stackoverflow.com/q/413774/10952503) – Elikill58 Dec 15 '21 at 21:48

1 Answers1

-1

Run the following command search for log4j jar files in an application:

dir /s /b <application_root>\*log4j*.jar

If any files are displayed, check the version number that is part of the file name. For example Tomcat\webapps\ROOT\WEB-INF\lib\log4j-core-2.15.0.jar is version 2.15.

If the version is between 2 and 2.14 (2.15 is not vulnerable), the application is vulnerable to CVE-2021-44228 and one of the following mitigations must be applied.

Codebling
  • 10,764
  • 2
  • 38
  • 66
  • Thank you for your answer but I have specifically asked about finding log4j inside nested jar files from the command line. These would not show up in a filename search. – Kevin Olree Dec 14 '21 at 21:55
  • @KevinOlree It looks like you're looking for a 3rd party library that does not use maven and bundles log4j jars. Nesting .jars is not a common practice and I believe it requires a custom class loader. Do you have any examples of 3rd party libraries that do this? If you're worried about that, you may as well also search for nested log4j class files – Codebling Dec 14 '21 at 22:10