log4j-finder/README.md

# log4j-finder

A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to _Log4Shell_ (`CVE-2021-44228` & `CVE-2021-45046`). 
It scans recursively both on disk and inside (nested) Java Archive files (JARs).

![log4j-finder results](screenshot.png?raw=true "Output of log4j-finder")

## How it works

log4j-finder identifies `log4j2` libraries on your filesystem using a list of *known bad* and *known good* MD5 hashes of specific files (currently only `JndiManager.class`) present in `log4j2-core-*` packages; the main package that is affected by `log4shell`. It searches for these files inside Java Archive files and on the filesystem. The `log4j2` version is then identified based on the MD5 hash of this file.

To optimize scanning speed, it searches the filesystem and processes ONLY the following filenames:

 * All files with `Java ARchive` file extensions in the filename (also nested in these archives):
    *  `*.jar`, `*.war`, `*.ear`
 * Filenames that we have *known bad* and *good* hashes for (also inside above archives, and nested):
    *  `JndiManager.class`

If the file matches one of the extensions mentioned above, it will check inside these archives (all in memory, nothing is unpacked) to search for the filenames that the script has *known* hashes for. It also looks inside nested archives, for example, a `JAR` file in a `WAR` file.

The script does NOT process other archive file extensions such as `7z`, `RAR`, `TAR`, `BZ2`, etc. So, for example, if a `JAR` file is inside a `7z` file, the script will not find it. The rationale is that Java can only load `Java ARchive` formats so we only process those.

Unknown MD5 hashes are shown as `UNKNOWN`; this could happen if a non `log4j2` Java package uses the same filename that this script searches for.
It's most likely not `log4j2` if the identified file path does not contain references to `org/apache/logging/log4j`. However, manual verification is still recommended.

## Downloading and running

You can install log4j-finder using one of the following methods:

### Using the release binary

You can download the correct binary for your Operating System:

 * Windows latest: [log4j-finder.exe](https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder.exe)
   * This can trigger your AntiVirus due to it being a [PyInstaller](https://pyinstaller.readthedocs.io/en/stable/) executable. You can also generate the executable yourself, see "Generating log4j-finder executables" on how to do this.
 * Linux x86_64 latest: [log4j-finder](https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder)

If you are on Linux you can also download the latest release and run using one of the following ways:

```bash
curl -L https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder -o log4j-finder
chmod +x log4j-finder
sudo ./log4j-finder
```

```bash
wget https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder -O log4j-finder
chmod +x log4j-finder
sudo ./log4j-finder
```

### Using Python 3

For distribution with Python 3.6+ installed, one following methods also work:

```bash
curl -L https://github.com/fox-it/log4j-finder/raw/main/log4j-finder.py -o log4j-finder.py
sudo python3 log4j-finder.py
```

```bash
wget https://github.com/fox-it/log4j-finder/raw/main/log4j-finder.py
sudo python3 log4j-finder.py
```

```bash
git clone https://github.com/fox-it/log4j-finder
cd log4j-finder
sudo python3 log4j-finder.py
```

## Generating log4j-finder executables

### Auto generated executables

There is a [GitHub Action](https://github.com/fox-it/log4j-finder/blob/main/.github/workflows/pyinstaller.yaml) in the repository that automatically generates a Windows and Linux binary of the `log4j-finder.py` script using  [PyInstaller](https://pyinstaller.readthedocs.io/en/stable/) on every commit. The build artifacts of these workflow runs are used to attach to the [Releases](https://github.com/fox-it/log4j-finder/releases/) page.

We are aware that some Anti Virus vendors don't like the Windows binaries, in that case we recommend using generating the executable yourself using the following steps.

### Generating the Windows executable

1. If you don't have Python 3.6 or higher installed, download it first from https://www.python.org/downloads/

   * Ensure that during install you choose: `Add Python 3.x to PATH`, this makes the following steps much easier.

2. Open a command prompt and use `pip` to install the `pyinstaller` package:

   ```bash
   pip install pyinstaller
   
   # In the output you will see where pyinstaller is installed, for example:
   # C:\Users\User\AppData\Roaming\Python\Python310\Scripts
   #
   # Verify using --version
   C:\Users\User\AppData\Roaming\Python\Python310\Scripts\pyinstaller.exe --version
   4.7
   ```
3. Optionally install the `colorama` package to add support for colors:

   ```bash
   pip install colorama
   ```

3.  Download the latest version of the `log4j-finder.py` script and then run PyInstaller:

   ```bash
   pyinstaller --onefile --hidden-import colorama log4j-finder.py
   ```

The Windows executable is then in the `dist` directory: `dist\log4j-finder.exe`

### Generating the Linux executable

Example given for Debian 11:

```bash
# Install PyInstaller using pip3
sudo apt update
sudo apt install python3-pip git
pip3 install --user pyinstaller

# Git clone and build using PyInstaller
git clone https://github.com/fox-it/log4j-finder
cd log4j-finder
~/.local/bin/pyinstaller --onefile log4j-finder.spec

# Verify that the binary works
./dist/log4j-finder --help
```

## Usage

Example usage to scan a path (defaults to /):
```bash
$ python3 log4j-finder.py /path/to/scan
```

Or directly a JAR file:
```bash
$ python3 log4j-finder.py /path/to/jarfile.jar
```

Or multiple directories and or files:
```bash
$ python3 log4j-finder.py /path/to/dir1 /path/to/dir2 /path/to/jarfile.jar
```

Note that on Windows it only scans the root `c:\` drive if you don't give any extra arguments.
We recommend specifying the drives you need to scan on the commandline such as (drives that don't exist are skipped):

```bash
log4j-finder.exe c:\ d:\ e:\ f:\
```

Files or directories that cannot be accessed (Permission denied errors) are not printed.
If you want to see more output, you can give the `-v` flag for verbose, or `-vv` for debug mode (only recommended for debugging purposes).
first commit 2021-12-14 11:05:33 +01:00			`# log4j-finder`
Initial commit 2021-12-14 11:40:41 +01:00
Add `CVE-2021-45046` to the README 2021-12-15 22:10:51 +00:00			A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to _Log4Shell_ (`CVE-2021-44228` & `CVE-2021-45046`).
Update README.md with instructions for creating PyInstaller executables 2021-12-16 22:11:15 +01:00			`It scans recursively both on disk and inside (nested) Java Archive files (JARs).`
Initial commit 2021-12-14 11:40:41 +01:00
			`![log4j-finder results](screenshot.png?raw=true "Output of log4j-finder")`

Added "How it works" section to README.md 2021-12-17 11:16:46 +01:00			`## How it works`

			log4j-finder identifies `log4j2` libraries on your filesystem using a list of known bad and known good MD5 hashes of specific files (currently only `JndiManager.class`) present in `log4j2-core-*` packages; the main package that is affected by `log4shell`. It searches for these files inside Java Archive files and on the filesystem. The `log4j2` version is then identified based on the MD5 hash of this file.

Emphasis NOT and ONLY and added Rationale 2021-12-17 11:31:32 +01:00			`To optimize scanning speed, it searches the filesystem and processes ONLY the following filenames:`
Added "How it works" section to README.md 2021-12-17 11:16:46 +01:00
			* All files with `Java ARchive` file extensions in the filename (also nested in these archives):
			* `.jar`, `.war`, `*.ear`
			`* Filenames that we have known bad and good hashes for (also inside above archives, and nested):`
			* `JndiManager.class`

Emphasis NOT and ONLY and added Rationale 2021-12-17 11:31:32 +01:00			If the file matches one of the extensions mentioned above, it will check inside these archives (all in memory, nothing is unpacked) to search for the filenames that the script has known hashes for. It also looks inside nested archives, for example, a `JAR` file in a `WAR` file.
Added "How it works" section to README.md 2021-12-17 11:16:46 +01:00
Emphasis NOT and ONLY and added Rationale 2021-12-17 11:31:32 +01:00			The script does NOT process other archive file extensions such as `7z`, `RAR`, `TAR`, `BZ2`, etc. So, for example, if a `JAR` file is inside a `7z` file, the script will not find it. The rationale is that Java can only load `Java ARchive` formats so we only process those.
Added "How it works" section to README.md 2021-12-17 11:16:46 +01:00
			Unknown MD5 hashes are shown as `UNKNOWN`; this could happen if a non `log4j2` Java package uses the same filename that this script searches for.
			It's most likely not `log4j2` if the identified file path does not contain references to `org/apache/logging/log4j`. However, manual verification is still recommended.

Update README.md with instructions on running 2021-12-15 12:30:23 +01:00			`## Downloading and running`

			`You can install log4j-finder using one of the following methods:`

			`### Using the release binary`

			`You can download the correct binary for your Operating System:`

			`* Windows latest: [log4j-finder.exe](https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder.exe)`
Update README.md with instructions for creating PyInstaller executables 2021-12-16 22:11:15 +01:00			`* This can trigger your AntiVirus due to it being a [PyInstaller](https://pyinstaller.readthedocs.io/en/stable/) executable. You can also generate the executable yourself, see "Generating log4j-finder executables" on how to do this.`
			`* Linux x86_64 latest: [log4j-finder](https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder)`
Update README.md with instructions on running 2021-12-15 12:30:23 +01:00
			`If you are on Linux you can also download the latest release and run using one of the following ways:`

			```bash
			`curl -L https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder -o log4j-finder`
			`chmod +x log4j-finder`
			`sudo ./log4j-finder`
			```

			```bash
			`wget https://github.com/fox-it/log4j-finder/releases/latest/download/log4j-finder -O log4j-finder`
			`chmod +x log4j-finder`
			`sudo ./log4j-finder`
			```

			`### Using Python 3`

Update README.md with instructions for creating PyInstaller executables 2021-12-16 22:11:15 +01:00			`For distribution with Python 3.6+ installed, one following methods also work:`
Update README.md with instructions on running 2021-12-15 12:30:23 +01:00
			```bash
			`curl -L https://github.com/fox-it/log4j-finder/raw/main/log4j-finder.py -o log4j-finder.py`
			`sudo python3 log4j-finder.py`
			```

			```bash
			`wget https://github.com/fox-it/log4j-finder/raw/main/log4j-finder.py`
			`sudo python3 log4j-finder.py`
			```

			```bash
			`git clone https://github.com/fox-it/log4j-finder`
			`cd log4j-finder`
			`sudo python3 log4j-finder.py`
			```

Update README.md with instructions for creating PyInstaller executables 2021-12-16 22:11:15 +01:00			`## Generating log4j-finder executables`

			`### Auto generated executables`

			There is a [GitHub Action](https://github.com/fox-it/log4j-finder/blob/main/.github/workflows/pyinstaller.yaml) in the repository that automatically generates a Windows and Linux binary of the `log4j-finder.py` script using [PyInstaller](https://pyinstaller.readthedocs.io/en/stable/) on every commit. The build artifacts of these workflow runs are used to attach to the [Releases](https://github.com/fox-it/log4j-finder/releases/) page.

			`We are aware that some Anti Virus vendors don't like the Windows binaries, in that case we recommend using generating the executable yourself using the following steps.`

			`### Generating the Windows executable`

			`1. If you don't have Python 3.6 or higher installed, download it first from https://www.python.org/downloads/`

			* Ensure that during install you choose: `Add Python 3.x to PATH`, this makes the following steps much easier.

			2. Open a command prompt and use `pip` to install the `pyinstaller` package:

			```bash
			`pip install pyinstaller`

			`# In the output you will see where pyinstaller is installed, for example:`
			`# C:\Users\User\AppData\Roaming\Python\Python310\Scripts`
			`#`
			`# Verify using --version`
			`C:\Users\User\AppData\Roaming\Python\Python310\Scripts\pyinstaller.exe --version`
			`4.7`
			```
			3. Optionally install the `colorama` package to add support for colors:

			```bash
			`pip install colorama`
			```

Fix log2j typo should be log4j Fixes #18 2021-12-16 22:35:02 +01:00			3. Download the latest version of the `log4j-finder.py` script and then run PyInstaller:
Update README.md with instructions for creating PyInstaller executables 2021-12-16 22:11:15 +01:00
			```bash
Fix log2j typo should be log4j Fixes #18 2021-12-16 22:35:02 +01:00			`pyinstaller --onefile --hidden-import colorama log4j-finder.py`
Update README.md with instructions for creating PyInstaller executables 2021-12-16 22:11:15 +01:00			```

Fix log2j typo should be log4j Fixes #18 2021-12-16 22:35:02 +01:00			The Windows executable is then in the `dist` directory: `dist\log4j-finder.exe`
Update README.md with instructions for creating PyInstaller executables 2021-12-16 22:11:15 +01:00
			`### Generating the Linux executable`

			`Example given for Debian 11:`

			```bash
			`# Install PyInstaller using pip3`
			`sudo apt update`
			`sudo apt install python3-pip git`
			`pip3 install --user pyinstaller`

			`# Git clone and build using PyInstaller`
			`git clone https://github.com/fox-it/log4j-finder`
			`cd log4j-finder`
			`~/.local/bin/pyinstaller --onefile log4j-finder.spec`

			`# Verify that the binary works`
			`./dist/log4j-finder --help`
			```

Initial commit 2021-12-14 11:40:41 +01:00			`## Usage`

			`Example usage to scan a path (defaults to /):`
			```bash
			`$ python3 log4j-finder.py /path/to/scan`
			```

			`Or directly a JAR file:`
			```bash
			`$ python3 log4j-finder.py /path/to/jarfile.jar`
			```

			`Or multiple directories and or files:`
			```bash
			`$ python3 log4j-finder.py /path/to/dir1 /path/to/dir2 /path/to/jarfile.jar`
			```

Update README.md with instructions for creating PyInstaller executables 2021-12-16 22:11:15 +01:00			Note that on Windows it only scans the root `c:\` drive if you don't give any extra arguments.
			`We recommend specifying the drives you need to scan on the commandline such as (drives that don't exist are skipped):`

			```bash
			`log4j-finder.exe c:\ d:\ e:\ f:\`
			```

Initial commit 2021-12-14 11:40:41 +01:00			`Files or directories that cannot be accessed (Permission denied errors) are not printed.`
			If you want to see more output, you can give the `-v` flag for verbose, or `-vv` for debug mode (only recommended for debugging purposes).