Determine heuristically whether a running JVM is vulnerable
Cross compile for linux with:
env GOOS=linux GOARCH=amd64 go build -o log4j-finder-amd64-linux *.go
Run with sudo:
sudo ./log4j-finder-amd64-linux
Add verbose for more logging:
sudo ./log4j-finder-amd64-linux -verbose
Sample output to stdout
:
hostname,tool,tool_sha,pid,java_bin_location,java_version,prop1,prop2,prop3,prop4,using_log4j,oldest_log4j_version,vulnerable,oldest_vulnerable_log4j_version
myhost.stripe.com,lite,5312d3ca2e10757078770b735c83088820627f3cdcb34f3df8d99d16dfe00903,1234,/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java,,,,,,true,2.1,yes,2.1
myhost.stripe.com,lite,5312d3ca2e10757078770b735c83088820627f3cdcb34f3df8d99d16dfe00903,5678,/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java,,,,,,true,2.9.0,yes,2.9.0
myhost.stripe.com,lite,5312d3ca2e10757078770b735c83088820627f3cdcb34f3df8d99d16dfe00903,9999,/usr/lib/jvm/java-11-openjdk-amd64/bin/java,,,,,,true,2.16.0,no,2.16.0
2021/12/14 23:57:18 done
hostname | tool | tool_sha | pid | java_bin_location | java_version | prop1 | prop2 | prop3 | prop4 | using_log4j | oldest_log4j_version | vulnerable | oldest_vulnerable_log4j_version |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
myhost.stripe.com | lite | 5312d3ca2e10757078770b735c83088820627f3cdcb34f3df8d99d16dfe00903 | 1234 | /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java | true | 2.1 | yes | 2.1 | |||||
myhost.stripe.com | lite | 5312d3ca2e10757078770b735c83088820627f3cdcb34f3df8d99d16dfe00903 | 5678 | /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java | true | 2.9.0 | yes | 2.9.0 | |||||
myhost.stripe.com | lite | 5312d3ca2e10757078770b735c83088820627f3cdcb34f3df8d99d16dfe00903 | 9999 | /usr/lib/jvm/java-11-openjdk-amd64/bin/java | true | 2.16.0 | no | 2.16.0 |
This tools scans all open processes and attempts to find running JVMs. For running JVMs, it then looks through all open file descriptors to identify loaded JAR files and heuristically determine whether log4j is present, and if so, what version is running.