Log4Shell detector

Yet another Log4Shell detector, similar to log4jscanner,
log4j-detector, etc., but built with ProGuardCORE.

It detects the usage of log4j versions vulnerable to CVE-2021-44228.

For more information about the vulnerability see CVE-2021-44228
and Apache Log4j Security Vulnerabilities.

Executing

$ ./gradlew run --args=/path/to/my.jar

The input can be a jar file, class file, directory, Android aar or Android apk.

How does it work?

The detector looks for a specific constructor that appears in log4j < 2.15.0,
similar to this Yara rule.

ProGuardCORE is used to parse the input, and a combination of class and member
filters is used to look for the specific constructor.

dex2jar is used to convert dex files in Android APK files to class files.

Shadow packed applications

Shadow packed versions of log4j should be detected, for example if
the log4j package is renamed to com/example/org/apache/logging/log4j.

Obfuscated applications

If an application is obfuscated then the detector may not detect the vulnerability,
since the detection is name-based.
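
The name-based matching described under "How does it work?", "Shadow packed applications" and "Obfuscated applications", as an added Python sketch that is not the detector's own code. The class path suffix and constructor descriptor are this example's assumptions (the page does not name them), and it checks the constant pool only, which is weaker than a real member filter.

```python
import io
import zipfile

# Assumed by this example; the page does not name the class or constructor.
SUFFIX = "org/apache/logging/log4j/core/net/JndiManager.class"
CTOR_DESC = "(Ljava/lang/String;Ljavax/naming/Context;)V"
# Payload bytes per constant-pool tag (Utf8, tag 1, is handled separately).
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(data):
    """Return the Utf8 strings in a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return set()
    count = int.from_bytes(data[8:10], "big")
    out, pos, i = set(), 10, 1
    while i < count and pos < len(data) and (data[pos] == 1 or data[pos] in SIZES):
        tag = data[pos]
        if tag == 1:
            n = int.from_bytes(data[pos + 1:pos + 3], "big")
            out.add(data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        else:
            pos += 1 + SIZES[tag]
        i += 2 if tag in (5, 6) else 1  # Long and Double take two slots
    return out

def scan_jar(jar_bytes):
    """Return entries matching the assumed class suffix and constructor descriptor."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        # Suffix match on the path also catches shadow-packed copies.
        names = [n for n in jar.namelist() if n.endswith(SUFFIX)]
        return [n for n in names if {"<init>", CTOR_DESC} <= utf8_constants(jar.read(n))]

def fake_class(*strings):
    """Constructed sample: class header plus a Utf8-only constant pool."""
    pool = b"".join(b"\x01" + len(s).to_bytes(2, "big") + s.encode() for s in strings)
    return b"\xca\xfe\xba\xbe" + bytes([0, 0, 0, 52]) + (len(strings) + 1).to_bytes(2, "big") + pool

def sample_jar():
    """Constructed jar: original, shadow-packed, changed-constructor, renamed."""
    old, buf = fake_class("<init>", CTOR_DESC), io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SUFFIX, old)
        jar.writestr("com/example/" + SUFFIX, old)
        jar.writestr("fixed/" + SUFFIX, fake_class("<init>", "(Ljava/lang/String;)V"))
        jar.writestr("a/b/c.class", old)  # obfuscated name: a name-based check misses it
    return buf.getvalue()
```

Running `scan_jar(sample_jar())` reports the original and the `com/example/` copy, skips the entry whose constructor descriptor differs, and misses the renamed `a/b/c.class` even though its contents are identical.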
