How do I check if Log4j is installed on my server?

I have read about security vulnerabilities related to Log4j.

How do I check if Log4j is installed on my server? My specific servers use Ubuntu 18.04.6 LTS.

I have installed many third-party packages and maybe some of them contain it.

Is there a command to run on my server to check if Log4j is installed?


Solution 1:

Try this script to get a hint:

echo "checking for log4j vulnerability..."
OUTPUT="$(locate log4j|grep -v log4js)"
if [ "$OUTPUT" ]; then
  echo "[WARNING] maybe vulnerable, those files contain the name:"
  echo "$OUTPUT"
fi
OUTPUT="$(dpkg -l|grep log4j|grep -v log4js)"
if [ "$OUTPUT" ]; then
  echo "[WARNING] maybe vulnerable, dpkg installed packages:"
  echo "$OUTPUT"
fi
if [ "$(command -v java)" ]; then
  echo "java is installed, so note that Java applications often bundle their libraries inside jar/war/ear files, so there still could be log4j in such applications."
fi
echo "If you see no output above this line, you are safe. Otherwise check the listed files and packages."

Make sure your locate database is up to date with updatedb.

Or better, check and run the enhanced script from GitHub, which also searches inside packed Java files. Run it in one line with

wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - | bash   

I am not sure if there could be compiled Java programs running on the server without java being installed, though?

Or even compiled versions where the source files aren't even found inside packed archives any more?


There is also a lot of development on GitHub, where you find attacks and countermeasures.


This takes too much time for me. I am looking for someone I can transfer the ownership of the repository on GitHub to.

Solution 2:

There is no command that will surely tell you that. Some applications ship the libraries they use directly as a jar file, some will contain them in an archive.

And even then you don't know which version is shipped and how it is used. The only way to be sure you mitigate the CVE is to read the security announcements and release notes of your applications and follow their advisories.
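Both answers point out that Log4j is often bundled inside jar/war/ear files, where `locate` and `dpkg` cannot see it. The following is an added example, not code from either answer or from the GitHub script mentioned above: it walks a directory, opens archives (including archives nested inside archives) and reports any copy of log4j-core together with the version recorded in its Maven metadata. The function names are hypothetical, the sample WAR is constructed, and it assumes the library was packaged with its standard `pom.properties` and `JndiLookup.class` paths.

```python
import io
import os
import re
import sys
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def scan_archive(src, label, depth=0, max_depth=5):
    """Return [(label, version, has_jndi_lookup)] for an archive and archives nested in it."""
    findings = []
    try:
        with zipfile.ZipFile(src) as zf:
            names = set(zf.namelist())
            props = zf.read(POM_PROPS) if POM_PROPS in names else b""
            m = re.search(rb"^version=(\S+)", props, re.M)
            version = m.group(1).decode("ascii", "replace") if m else None
            if version or JNDI_CLASS in names:
                findings.append((label, version, JNDI_CLASS in names))
            for name in sorted(names):
                if depth < max_depth and name.lower().endswith(ARCHIVE_EXT):
                    inner = io.BytesIO(zf.read(name))  # nested archive, read into memory
                    findings += scan_archive(inner, f"{label}!/{name}", depth + 1, max_depth)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable, corrupt or encrypted archive: skip it
    return findings

def scan_tree(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVE_EXT)):
            findings += scan_archive(path, path)
    return findings

def build_sample_war():
    """Constructed sample: a WAR bundling a fake log4j-core jar (placeholder bytes and version)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(POM_PROPS, "artifactId=log4j-core\nversion=0.0.0-sample\n")
        z.writestr(JNDI_CLASS, b"placeholder")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-sample.jar", jar.getvalue())
    return war

if __name__ == "__main__":
    for label, version, jndi in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label}\tversion={version or 'unknown'}\tJndiLookup.class={'yes' if jndi else 'no'}")
```

Copies that were repackaged under a different package name, or stripped of their Maven metadata, will not match these two paths, so an empty result does not replace reading the vendor advisories as Solution 2 recommends.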