How to Scan for Vulnerable Log4j Files
Latest log4j2-scan documented here: 2.7.1 (1/2/2022)
Latest Log4j2 versions: 2.17.0 (Java 8), 2.12.3 (Java 7), and 2.3.1 (Java 6)
Apache Log4j vulnerabilities: https://logging.apache.org/log4j/2.x/security.html
For Windows Computers
- Download the "Windows x64, zip" version of the log4j2 scanner from https://github.com/logpresso/CVE-2021-44228-Scanner
- Open a command prompt as an administrator, change to the directory where you downloaded and extracted the log4j scanner, and run the following command:
log4j2-scan --all-drives
For Macintosh Computers
Native Mac OS Version
There is a native Mac OS version of the scanner, but it will require you to modify the security settings on your Mac to run it.
- Download the "Mac OS" version of the log4j2 scanner from https://github.com/logpresso/CVE-2021-44228-Scanner
- Open a terminal window, change to the directory where you downloaded and extracted the log4j scanner, and run the following command:
log4j2-scan /
- You will receive a message that the application cannot be safely run, and you will be given the option to move it to the trash or cancel. Click "Cancel".
- Then go to System Preferences > Security & Privacy > General and click the "Allow Anyway" button next to the message stating that log4j2-scan was blocked.
- Then go back to the terminal window and rerun "log4j2-scan /"
- When you receive a new warning you will now have the option to click "Open" and run the application. Do so.
Java Version
If you are unable to follow the above instructions to run the native Mac OS version, you can also use the Java version of the app.
- Download the "Any OS" version of the log4j scanner from https://github.com/logpresso/CVE-2021-44228-Scanner
- Open a terminal window, change to the directory where you downloaded and extracted the log4j scanner, and run the following command:
java -jar logpresso-log4j2-scan-2.7.1.jar /
Change the version number if the file you downloaded is more recent than this example.
If you don't have Java installed already, you will need to download and install it from https://www.java.com.
What to do if the scan finds vulnerable log4j files
If you find a vulnerable file, take one of the following steps if you can.
If you don't need an application that uses a vulnerable log4j file . . .
- Uninstall it.
- Make sure the log4j files are no longer present after the uninstall. Manually delete them if needed.
If you need to keep that application . . .
- Check with the vendor to see if there is an update that addresses the vulnerability.
- Check with the vendor to see if the log4j files can be deleted. They may only be used by a feature you don't actually use or have installed.
- If there is no fix you can implement right now, keep checking back with the vendor.
Your scan will probably find vulnerable files in a directory called 'CrashPlan' or 'Code42'. This is UTBackup, which should update automatically. You can disregard this in your scan results for now as long as they report log4j2 version 2.16 or higher.
UT recommendations regarding some products that may show up as vulnerable in your scan
- Anypoint Studio (Salesforce/Mulesoft) - /wiki/spaces/middleware/pages/36438200
- Code42/Crashplan - AKA UTBackup
- UTBackup clients should auto-update to a version with log4j 2.16. Waiting for a newer 2.17 update from the vendor (probably will be released in January unless things change)
- Tableau Desktop Application
- Update to version 2020.4.13 and disable further updates - This is not the latest version but it is compatible with UT Tableau servers and it is secure against the primary log4j vulnerability
- 64-bit Windows – https://downloads.tableau.com/esdalt/2020.4.13/TableauDesktop-64bit-2020-4-13.exe
- Mac Version – https://downloads.tableau.com/esdalt/2020.4.13/TableauDesktop-2020-4-13.dmg
Vendor recommendations regarding some products that may show up as vulnerable in your scan
- Code42/Crashplan - AKA UTBackup - https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_response_to_industry_security_incidents
- If UTBackup is not being used on a computer, the client will NOT check in and autoupdate and must be manually updated.
- Matlab - https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab
- Oracle SQL Developer - https://support.oracle.com/knowledge/Middleware/2828123_1.html
- Uninstall the vulnerable version (delete any files that remain), then download and install version 21.4.3 or later from https://www.oracle.com/tools/downloads/sqldev-downloads.html
- Salesforce (Mulesoft, Anypoint, Dataloader) - https://help.salesforce.com/s/articleView?id=000363736&type=1
- SAS - https://go.documentation.sas.com/doc/en/log4j/1.0/p1gaeukqxgohkin1uho5gh7v5s7p.htm#n1ohrpi7cm0dyfn1gpwngp0ryq41
- Ensure you are running SAS 9.4. This still contains a vulnerable version of Log4j, but the vulnerability is not exposed in the product.
- Change the file extensions on any 'org/apache/logging/log4j/core/lookup/log4j*.jar' files from .jar to .zip; open each .zip file and then delete JndiLookup.class files inside it; change the .zip extension back to .jar
- SPSS - https://www.ibm.com/support/pages/node/6525830
- Follow the steps on this page to patch SPSS v.27 with Log4j 2.17 or else update SPSS to v.28
- Tableau - https://kb.tableau.com/articles/issue/apache-log4j2-vulnerability-log4shell-tableau-desktop-mitigation-steps
- If you DO NOT use UT Tableau servers you can update Tableau Desktop to version 2021.4.2: https://www.tableau.com/support/releases/desktop/2021.4.2
- If you DO use UT Tableau servers you should update only to version 2020.4.13 and disable further updates: https://www.tableau.com/support/releases/desktop/2020.4.1
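The SAS step above (rename the .jar to .zip, delete JndiLookup.class, rename it back) can be scripted and verified. The following is an added example, not part of the original page or any vendor's tooling. It assumes the jar carries Maven metadata (pom.properties) from which the log4j-core version can be read, and make_sample_jar is a hypothetical helper that builds a constructed stand-in jar with dummy contents.

```python
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(jar_path):
    """Return (log4j_core_version_or_None, has_jndi_lookup) for one jar."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:  # assumption: Maven metadata is present
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, keeping the original as .bak."""
    if not inspect_jar(jar_path)[1]:
        return False  # nothing to remove, leave the file untouched
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    shutil.copy2(jar_path, jar_path + ".bak")  # backup for rollback
    os.replace(tmp_path, jar_path)
    return True


def make_sample_jar(path, version="2.14.1"):
    """Build a constructed stand-in for log4j-core (dummy bytes, not real classes)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=%s\n" % version)
        jar.writestr(JNDI_CLASS, b"constructed placeholder")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"constructed placeholder")


if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "log4j-core-sample.jar")
    make_sample_jar(demo)
    print(inspect_jar(demo), strip_jndi_lookup(demo), inspect_jar(demo))
```

Stop the application before modifying its jar, and rerun the scanner afterwards to confirm the result.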