
Around the current Log4Shell situation I need a way to find out if I have vulnerable classes in my packaged products. What is the easiest way to find out if the following classes are contained in jar files packaged in EAR or WAR files?

  • JndiLookup.class
  • JMSAppenderBase.class
  • JMSAppender.class
fl0w

For .ear and .war files it’s easy: `jar tf MyApplication.ear | grep log4j` (Unix) or `jar tf MyApplication.ear | findstr "log4j"` (Windows). Of course, you also need to extract and check every .war file inside an .ear file. – VGR Dec 17 '21 at 15:44

1 Answer


One solution would be the following bat script:

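```bat
@echo off
rem Extract the contents of every archive in the current directory into tmp
rem (e = extract without paths, -aos = skip existing files, -bd = no progress bar)
echo extraction step 1
"C:\Program Files\7-Zip\7z.exe" e -r -aos -bd -otmp *
rem List the contents of the extracted archives into filelist.txt
echo creating filelist
"C:\Program Files\7-Zip\7z.exe" l -r -aos -bd tmp/* >filelist.txt
echo cleanup
rmdir /s /q tmp
rem Search the listing for the three class names
echo analysis result:
find "JndiLookup.class" filelist.txt
find "JMSAppenderBase.class" filelist.txt
find "JMSAppender.class" filelist.txt
pause
```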
fl0w
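
An added example, not part of the original question or answer: a Python scanner that opens EAR, WAR and JAR files in memory and follows nested archives to any depth (EAR containing WAR containing JAR), reporting the full nesting path of each of the three class names from the question. The extension list, `MAX_DEPTH` and the constructed sample built by `build_sample_ear` are assumptions of this example.

```python
import io
import sys
import zipfile

# Class file names from the question above.
TARGETS = {"JndiLookup.class", "JMSAppenderBase.class", "JMSAppender.class"}
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")  # assumption: treated as nested archives
MAX_DEPTH = 8  # hypothetical guard against pathologically nested archives


def scan_archive(data, label, depth=0):
    """Return 'outer!/inner!/entry' paths of target classes found in a zip blob."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; skip it
    with zf:
        for info in zf.infolist():
            name = info.filename
            path = f"{label}!/{name}"
            if name.rsplit("/", 1)[-1] in TARGETS:
                hits.append(path)
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < MAX_DEPTH:
                # Recurse into the nested archive without writing it to disk.
                hits.extend(scan_archive(zf.read(info), path, depth + 1))
    return hits


def scan_file(filename):
    with open(filename, "rb") as fh:
        return scan_archive(fh.read(), filename)


def build_sample_ear():
    """Constructed sample: an EAR holding a WAR holding a JAR with JndiLookup.class."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry, content in entries.items():
                zf.writestr(entry, content)
        return buf.getvalue()
    jar = make_zip({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b"x"})
    war = make_zip({"WEB-INF/lib/sample-core.jar": jar, "index.html": b"hi"})
    return make_zip({"web.war": war, "META-INF/application.xml": b"<a/>"})


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        print("\n".join(scan_file(arg)) or f"{arg}: no target classes found")
```

Run it as `python scan.py MyApplication.ear` (the script name is arbitrary); each hit is printed with its full nesting path so the containing JAR can be identified.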