log4j-finder
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) (by fox-it)
log4j-detector
A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC (by mergebase)
| log4j-finder | log4j-detector | |
|---|---|---|
| 2 | 8 | |
| 435 | 631 | |
| 0.0% | 0.0% | |
| 0.0 | 0.0 | |
| over 1 year ago | about 2 years ago | |
| Python | Java | |
| MIT License | GNU General Public License v3.0 or later |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
log4j-finder
Posts with mentions or reviews of log4j-finder.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-12-18.
-
Well it's Log4J Patch Day. Again. (2.17 now available to fix infinite recursion bug)
I customized a copy of log4j-finder a bit and we used it to scan Linux and Windows machines pretty quickly.
-
Scan for log4j/log4shell
I prefer https://github.com/fox-it/log4j-finder
log4j-detector
Posts with mentions or reviews of log4j-detector.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-12-13.
-
Continuing log4j detection
If you don't have server scanning tools like Nessus or Tenable that are capable of detecting log4j (nested or mitigsted), you could set up ad-hoc scanning with an open source tool like https://github.com/mergebase/log4j-detector
- Show HN: Log4j-detector – Finds all Log4j versions on a given file-system
-
Does Log4J require Java to be installed?
No- if you want to determine if a server is vulnerable this is actually the best script which is currently out there: https://github.com/mergebase/log4j-detector
-
Log4j Windows Scanner
There's also https://github.com/mergebase/log4j-detector, which is from MergeBase (a software composition analysis company).
- Welp, how's your LOG4J remediation coming along?
- log4j-detector: Detects log4j versions on your file-system, including deeply recursively nested copies (zips inside zips inside zips).
- Detects Log4j versions on your file-system
- Log4j 0day being exploited (mega thread/ overview)
What are some alternatives?
When comparing log4j-finder and log4j-detector you can also consider the following projects:
log4j-shell-poc - A Proof-Of-Concept for the CVE-2021-44228 vulnerability.
log4j-scanner - Log4j 2 (CVE-2021-44228) vulnerability scanner for Windows OS
log4jpwn - log4j rce test environment and poc
Logout4Shell - Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell
log4shell - Operational information regarding the log4shell vulnerabilities in the Log4j logging library.
log4jshield - Log4j Shield - fast ⚡, scalable and easy to use Log4j vulnerability CVE-2021-44228 finder and patcher
CVE-2021-44228-Scanner - Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
PowerShellSnippets
Log4j-RCE-Scanner - Remote command execution vulnerability scanner for Log4j.