
How to scan for Log4j vulnerability using these tools

Independent security researchers have once again come to the rescue of system admins by creating tools that scan Java installations and applications for log4j vulnerabilities. Some of these tools can also inspect JAR and WAR archives for class files that might be vulnerable. The following tools can be used to scan for log4j vulnerabilities (this list will be updated as new tools become available).
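To illustrate what the archive-inspecting tools above do, here is an added example (written for this article, not code from any of the listed tools) that walks a directory, opens JAR/WAR files, descends into nested archives such as WEB-INF/lib, and reports any archive carrying the JndiLookup class together with the log4j-core version read from its Maven pom.properties. The sample WAR it scans is constructed in a temporary directory; the version is reported because the presence of JndiLookup alone does not prove the build is exploitable, and the admin should compare the version against the fixed releases.

```python
import io, os, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class that performs JNDI lookups
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, findings, depth=0):
    """Inspect an archive held in memory; descend into nested JARs (e.g. WEB-INF/lib)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP container after all; skip it
    with zf:
        names = set(zf.namelist())
        version = "unknown"
        if POM_PROPS in names:  # Maven metadata records the bundled log4j-core version
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if JNDI_CLASS in names:
            findings.append((label, version))
        if depth < 3:  # bound recursion for deeply nested bundles
            for n in names:
                if n.lower().endswith(ARCHIVE_EXT):
                    scan_archive(zf.read(n), label + "!" + n, findings, depth + 1)


def scan_path(root):
    """Walk a directory tree; return (archive label, log4j-core version) for every hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    scan_archive(fh.read(), os.path.join(dirpath, f), findings)
    return findings


def build_sample_tree():
    """Constructed test data: a WAR that bundles a log4j-core JAR carrying JndiLookup."""
    root = tempfile.mkdtemp()
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.14.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar.getvalue())
    return root


if __name__ == "__main__":
    for label, version in scan_path(build_sample_tree()):
        print(f"JndiLookup present in {label} (log4j-core {version})")
```

Point scan_path at a real installation directory (for example the SonarQube folder discussed below) to get the same report for deployed archives.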

Local log4j vuln scanner: This tool is written in Go and ships as binaries for Windows, Linux and macOS, which can be downloaded from here. Once downloaded, place it in the folder or path you want to scan for the log4j vulnerability and run the command below:

local-log4j-vuln-scanner.exe /

In the example below, I am scanning the SonarQube files; the output shows that Elasticsearch is flagged as vulnerable because it contains references to the log4j library.

log4shell-detector: This is a simple tool written in Python. All you have to do is download the Python file from here and run it as shown below:

python3 log4shell-detector.py -p ./

Once the scan completes, it lists the affected files and, at the end, how many exploitation attempts were detected, as shown below.