A log4shell detector using ProGuardCORE
Log4Shell detector
Yet another log4shell detector, similar to log4jscanner,
log4j-detector, etc., but built with ProGuardCORE.
It detects the usage of log4j versions vulnerable to CVE-2021-44228.
For more information about the vulnerability see CVE-2021-44228
and Apache Log4j Security Vulnerabilities.
Executing
$ ./gradlew run --args=/path/to/my.jar
The input can be a jar file, class file, directory, Android aar, or Android apk.
How does it work?
The detector looks for a specific constructor that appears in log4j < 2.15.0,
similar to this Yara rule.
ProGuardCORE is used to parse the input, and a combination of class and member
filters is used to look for the specific constructor.
dex2jar is used to convert dex files in Android APK files to class files.
Shadow packed applications
Shadow packed versions of log4j should be detected, for example if
the log4j package is renamed to com/example/org/apache/logging/log4j.
Obfuscated applications
If an application is obfuscated then the detector may not detect the vulnerability,
since detection is name-based.
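The name-based check described under "How does it work?" and "Shadow packed applications", as an added sketch in plain Python. It is not the detector's own code, which uses ProGuardCORE filters. The class name and constructor descriptor are assumptions, since this page does not name the constructor, and the function names are hypothetical.

```python
import io, struct, zipfile

# Assumed marker (not stated on this page): a two-argument JndiManager constructor.
TARGET_CLASS = "org/apache/logging/log4j/core/net/JndiManager"
TARGET_DESC = "(Ljava/lang/String;Ljavax/naming/Context;)V"
# Bytes that follow the tag byte for each fixed-size constant-pool entry.
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constructors(data):
    """Return (class_name, [constructor descriptors]) for one .class file."""
    r = io.BytesIO(data)
    u2 = lambda: struct.unpack(">H", r.read(2))[0]
    if r.read(4) != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    r.read(4)                                   # minor and major version
    count, pool, i = u2(), {}, 1
    while i < count:
        tag = r.read(1)[0]
        if tag == 1:                            # CONSTANT_Utf8
            pool[i] = r.read(u2()).decode("utf-8", "replace")
        elif tag == 7:                          # CONSTANT_Class: index of its name
            pool[i] = u2()
        else:
            r.read(SIZES[tag])
        i += 2 if tag in (5, 6) else 1          # long/double occupy two slots
    u2()                                        # access flags
    name = pool[pool[u2()]]                     # this_class
    u2()                                        # super_class
    r.read(2 * u2())                            # interfaces
    def members():                              # fields and methods share a layout
        out = []
        for _ in range(u2()):
            u2()                                # access flags
            n, d = pool[u2()], pool[u2()]
            for _ in range(u2()):               # skip attributes
                u2(); r.read(struct.unpack(">I", r.read(4))[0])
            out.append((n, d))
        return out
    members()                                   # fields are not needed
    return name, [d for n, d in members() if n == "<init>"]

def is_vulnerable_class(data):
    name, ctors = constructors(data)
    # Suffix match also catches relocated copies; a renamed (obfuscated) class does not match.
    return name.endswith(TARGET_CLASS) and TARGET_DESC in ctors

def scan_jar(path):
    with zipfile.ZipFile(path) as z:
        classes = [e for e in z.namelist() if e.endswith(".class")]
        return [e for e in classes if is_vulnerable_class(z.read(e))]
```
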