How do I find if Log4J is installed in my server

Check and secure your servers on the web for Apache Log4J

Security lock image with code
Web security

On Dec 9, Apache Foundation announced the identification of a critical vulnerability named CVE-2021-44228 or fondly called Log4Shell. The vulnerability affects the popular logger library log4j used by a lot of popular open source Java projects as well as in a lot of java applications.

The vulnerability exposes an opportunity for an attacker to execute code on the Java server if it uses log4j. The remote code execution (RCE) vulnerability would allow the attacker to gain full control over the server that runs the Java application. To access this, the attacker has to only get the application to log a special string.

The vulnerability has a CVSS score of 10.0 out of a possible 10. It impacts Apache Log4j versions 2.0-beta9 to 2.14.1. Mitigations are available for version 2.10 and higher. Log4j is used extensively by Java applications and some of these like iCloud and Minecraft are widely used.

How do you find if your server has log4j

If there is a Java based application that is running on your server, there is a good chance that it is using log4j for logging. If the application uses local log4j libraries then you can search for the presence of log4j on the server. If you are running a GNU/Linux system you could do something like the following script as a broad search across files


echo "checking for log4j vulnerability...";
if [ "$(locate log4j|grep -v log4js)" ]; then
  echo "### maybe vulnerable, those files contain the name:";
  locate log4j|grep -v log4js;
fi;
if [ "$(dpkg -l|grep log4j|grep -v log4js)" ]; then
  echo "### maybe vulnerable, installed packages:";
  dpkg -l|grep log4j;
fi;
if [ "$(which java)" ]; then
  echo "java is installed, so note that Java applications often bundle their libraries inside jar/war/ear files, so there still could be log4j in such applications.";
fi;
echo "If you see no output above this line, you are safe. Otherwise check the listed files and packages.";

Ref:https://serverfault.com/questions/1086065/how-do-i-check-if-log4j-is-installed-on-my-server

However this is not a fool-proof approach. You might still have to list out the applications that are installed on your server and check out the announcements / release notes for those applications to see if they are affected by the vulnerability. There are also a lot of tools that are being released on github for searching for the log4j vulnerability. You can find these at https://github.com/search?q=log4j+vulnerability+check

Hope this helps!