# Tools for finding and reproducing the CVE-2021-44228 log4j2 vulnerability

- `find-vulnerabilities`: determine heuristically whether a running JVM is vulnerable
- `confirm-vulnerabilities`: determine with 100% accuracy whether a running JVM is vulnerable
Both of these tools scan all running JVM processes on a machine, and produce a CSV report about which processes may be / are vulnerable.
Check out the corresponding READMEs in `find-vulnerabilities/` and `confirm-vulnerabilities/` for usage details.
Here are a few tradeoffs to help you determine which tool is right for your use case:
`find-vulnerabilities` is low-risk to run, but has the possibility of missing:
- Cases where a system property is not set on the CLI, e.g. at runtime
- Cases where the JVM has closed the file descriptor for the jar
- Non-standard / patched releases of log4j2
`confirm-vulnerabilities` uses the JVM Attach API, which:
- May not work if an application explicitly disables this API
- May crash the running JVM due to JVM bugs
- May briefly slow down the running JVM while waiting for a JVM pause
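As an added illustration (not the project's own code; the exact checks `find-vulnerabilities` performs are not described on this page), the following Python applies the kind of heuristic it relies on to a JVM's command line and open jar file descriptors, and reports the blind spots listed above as `unknown` instead of guessing. The version thresholds for the fix (2.15.0, backported as 2.12.2 and 2.3.1) and for the `formatMsgNoLookups` mitigation (2.10+) come from the log4j2 release history, not from this page; the sample JVMs at the bottom are constructed.

```python
"""Heuristic CVE-2021-44228 check over a JVM's command line and open jar files.
Added illustration of the find-vulnerabilities approach (not the project's own code)."""
import csv, io, os, re

JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
FLAG_RE = re.compile(r"^-Dlog4j2\.formatMsgNoLookups=true$", re.IGNORECASE)

def is_fixed(v: tuple) -> bool:
    # 2.15.0 fixed CVE-2021-44228; 2.12.2 and 2.3.1 backported the fix to older branches.
    return v >= (2, 15, 0) or (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1)

def assess(pid: int, cmdline: list, open_files: list) -> dict:
    m = next((JAR_RE.search(p) for p in open_files if JAR_RE.search(p)), None)
    row = {"pid": pid, "jar": m.group(0) if m else "", "status": "", "note": ""}
    if m is None:  # blind spot: jar fd already closed, or log4j shaded/unpacked
        return {**row, "status": "unknown", "note": "no open log4j-core jar; cannot decide"}
    v = tuple(int(x) for x in m.groups())
    if v[0] != 2:
        row.update(status="not-affected", note="log4j 1.x is not subject to CVE-2021-44228")
    elif is_fixed(v):
        row.update(status="fixed", note="release contains the CVE-2021-44228 fix")
    elif v >= (2, 10, 0) and any(FLAG_RE.match(a) for a in cmdline):
        row.update(status="mitigated", note="formatMsgNoLookups on CLI (honoured by 2.10+ only)")
    else:  # blind spot: property may still be set at runtime, or the build may be patched
        row.update(status="likely-vulnerable", note="unfixed 2.x; flag absent or not effective")
    return row

def collect_linux(pid: int) -> dict:
    """Gather inputs from /proc (Linux only; needs permission to read the target)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    fd_dir, files = f"/proc/{pid}/fd", []
    for fd in os.listdir(fd_dir):
        try:
            files.append(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:  # fd closed between listdir() and readlink()
            pass
    return assess(pid, cmdline, files)

def to_csv(rows: list) -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["pid", "jar", "status", "note"])
    w.writeheader(); w.writerows(rows)
    return buf.getvalue()

# Constructed sample input standing in for four scanned JVMs (no live /proc needed).
SAMPLE = [assess(101, ["java", "-jar", "app.jar"], ["/opt/app/lib/log4j-core-2.14.1.jar"]),
          assess(102, ["java", "-Dlog4j2.formatMsgNoLookups=true", "-cp", "x"], ["/lib/log4j-core-2.12.1.jar"]),
          assess(103, ["java"], ["/lib/log4j-core-2.17.1.jar"]), assess(104, ["java"], [])]
```

On a Linux host, `to_csv([collect_linux(p) for p in jvm_pids])` produces the same CSV shape for live processes.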
This project welcomes feedback and contributions; however, we might be slow to respond to or triage your requests. We appreciate your patience.
This project uses the MIT license.
This project has adopted the Stripe Code of conduct.