log4shell
Operational information regarding the log4shell vulnerabilities in the Log4j logging library. (by NCSC-NL)
CVE-2021-44228-Scanner
Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228 (by logpresso)
| log4shell | CVE-2021-44228-Scanner | |
|---|---|---|
| 41 | 17 | |
| 1,876 | 854 | |
| - | -0.1% | |
| 9.9 | 0.0 | |
| almost 2 years ago | about 2 years ago | |
| Python | Java | |
| - | Apache License 2.0 |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
log4shell
Posts with mentions or reviews of log4shell.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-12-17.
-
Wetsvoorstel om cyberdreigingsinformatie breder te delen naar Tweede Kamer | Netherlands proposes law change to allow it's NCSC to share information more widely - Bill to share cyber threat information more broadly to the House of Representatives
I hope more organizations and governments do this. They had an excellent resource for Log4J. https://github.com/NCSC-NL/log4shell
- Are older OSs (specifically Mojave) extremely vulnerable to log4j, since they are no longer being patched?
-
Western Digital warns owners of My Cloud hard drives to update immediately
A few
- Log4j2 and consumer routers
-
Log4j UPDATE: 2.16 has a 7.5 DoS, 2.17 released
Nice list - https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
-
Log4J – A 10 step mitigation plan
There are various tools, nicely again enumerated by NCSC-NL at their Github repository with which you can detect whether you are vulnerable. See which one you like best given the situation you are in.
Check what other software you are running and see if the software is vulnerable according to the list published by the NCSC-NL. CISA.gov has a similar registry.
-
I'm the closest thing to a system administrator at my company, and I don't know anything... what do I do about log4j, if anything?
There are multiple lists of software, the one I use is by the Dutch Cyber Security Center: https://github.com/NCSC-NL/log4shell/tree/main/software Everyday I cross reference on new changes and see if it effects my list. The list can be quite extensive and you might miss the most obvious ones like you FW, switches, SAN or some print software.
-
Log4J - Have your customer been breached? What have you seen if anything?
NCSC-NL has a researched list of specific vulnerabilities.
- GLPI IS NOT affected by the Log4j vulnerability CVE-2021-44228
CVE-2021-44228-Scanner
Posts with mentions or reviews of CVE-2021-44228-Scanner.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-01-04.
- find what log4j version windows server 2019 running
- Update latest bios legion 5 pro?
-
Detecting log4j on macos with Microsoft PowerShell
Take a look at https://github.com/logpresso/CVE-2021-44228-Scanner as another option
- Any free tool to scan for Log4Shell and Log4j vulnerabilities?
-
Help using command line scanner for Logj4 vulnerabilities
I found a scanner on Github that checks for Logj4 vulnerabilities that has versions for several different OSs including Linux but I am not familiar enough with Linux on Synology to run this on my own. I might figure it out if I spend a couple of hours but it would be really helpful to me, and I presume, others here if someone with the skills could respond with a short list of what to do to get this running, preferably as a one-time scheduled task or series of them if it takes that, rather than SSH'ing to the box.
- Horizon Client and log4j
-
So many different log4j scanner tools and scripts posted
Dell proposes Logpresso's log4j scan tool (https://github.com/logpresso/CVE-2021-44228-Scanner/releases) to mitigate vulnerabilities for various product lines, until they released actual fixes (various are still pending, so we only have the scan tool).
-
Well it's Log4J Patch Day. Again. (2.17 now available to fix infinite recursion bug)
Peculiarly Dell for some of their data protection products also seems to advice to use a 3rd party scan tool to mitigate against certain issues in <2.14 and 2.15 log4j using log4j-scan from Logpresso https://github.com/logpresso/CVE-2021-44228-Scanner, as far as I can see a Korean company? Would have imagined Dell would also have some developers being able to write something? But that's just me...
- So how exactly is Log4j supposed to be patched/mitigated on Windows?
- Detecting Log4j...
What are some alternatives?
When comparing log4shell and CVE-2021-44228-Scanner you can also consider the following projects:
Metabase - The simplest, fastest way to get business intelligence and analytics to everyone in your company :yum:
local-log4j-vuln-scanner - Simple local scanner for vulnerable log4j instances
interactsh - An OOB interaction gathering server and client library
apache-log4j-poc - Apache Log4j 远程代码执行
grype - A vulnerability scanner for container images and filesystems
log4j-scanner - log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
glpi-agent - GLPI Agent
nse-log4shell - Nmap NSE scripts to check against log4shell or LogJam vulnerabilities (CVE-2021-44228)
syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems
log4shelldetect - Rapidly scan filesystems for Java programs potentially vulnerable to Log4Shell (CVE-2021-44228) or "that Log4j JNDI exploit" by inspecting the class paths inside files
SpongeForge - A Forge mod that implements SpongeAPI
Log4j-CVE-Detect - Detections for CVE-2021-44228 inside of nested binaries
log4shell vs Metabase
CVE-2021-44228-Scanner vs local-log4j-vuln-scanner
log4shell vs interactsh
CVE-2021-44228-Scanner vs apache-log4j-poc
log4shell vs grype
CVE-2021-44228-Scanner vs log4j-scanner
log4shell vs glpi-agent
CVE-2021-44228-Scanner vs nse-log4shell
log4shell vs syft
CVE-2021-44228-Scanner vs log4shelldetect
log4shell vs SpongeForge
CVE-2021-44228-Scanner vs Log4j-CVE-Detect