Unless you were under a rock for the past couple of days, I assume you’ve heard about log4shell, the RCE vulnerability in the popular Java logging library log4j that caused havoc all over the internet. I haven’t worked with Java for years, but I’m curious whether my projects are vulnerable to this exploit. Let’s find out.
If you prefer, you can call it CVE-2021-44228.
The main problem
I found a great tool, log4j-detector, to check my source code for nested and embedded log4j versions. My problem with it is that it’s written in Java, and I didn’t want to spend time installing it on my machine.
I like to work with Docker, so I decided to run it in a container. After a few minutes of searching I did not find any suitable image, so I decided to create one instead.
I put my code on my GitHub repo.
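To show what such a check actually has to do, here is an added example of a minimal nested-archive scanner. It is not the author’s Docker image and not the log4j-detector tool; it walks a directory, opens every jar/war/ear, reads the `pom.properties` that the real log4j-core jar bundles to get the version, recurses into archives nested inside archives, and flags versions in the ranges affected by CVE-2021-44228 (fixed in 2.15.0, with 2.12.2 and 2.3.1 as the Java 7/6 backports). The sample tree it scans is constructed in `build_sample_tree()` with fake jars; the function and variable names are this example’s own.

```python
"""Minimal scanner for log4j-core inside (nested) jar/war/ear archives.

Added example for this post; it is not the author's Docker image and not the
log4j-detector tool.  The sample tree is constructed in build_sample_tree().
"""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven metadata that the real log4j-core jar carries; its version= line is a
# more reliable marker than the file name, which is often renamed or shaded away.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# CVE-2021-44228 affected ranges per the Apache advisory, as [low, high) pairs.
VULN_RANGES = [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]

def parse_version(v):
    """Map '2.14.1' / '2.0-beta9' / '2.0-rc1' to a tuple that sorts correctly."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", v)
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    rank = {"beta": 0, "rc": 1, None: 2}[pre]       # beta < rc < final release
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))

def is_vulnerable_44228(version):
    """True if a log4j-core version falls in a range affected by CVE-2021-44228."""
    t = parse_version(version)
    if t is None:
        return False
    return any(parse_version(lo) <= t < parse_version(hi) for lo, hi in VULN_RANGES)

def scan_archive(data, label, findings):
    """Inspect one archive held in memory; recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                                       # not a zip container, skip it
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append({
                "path": label,
                "version": version,
                "jndi_lookup_present": has_jndi,   # removing this class was a published mitigation
                "vulnerable": is_vulnerable_44228(version) if version else None,
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), label + "!" + name, findings)

def scan_path(root):
    """Walk a directory tree and return one finding per log4j-core jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings

# ---- constructed sample data (fake jars, not real log4j bytecode) ----------
def make_fake_log4j_jar(version):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()

def build_sample_tree(root):
    """lib/log4j-core-2.17.1.jar at top level; app.war nests a 2.14.1 copy."""
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(make_fake_log4j_jar("2.17.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_fake_log4j_jar("2.14.1"))
        zf.writestr("WEB-INF/lib/other.jar", b"not a zip")  # corrupt nested entry
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_path(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running it reports the 2.14.1 copy buried in `app.war!WEB-INF/lib/...` as vulnerable and the standalone 2.17.1 as clean, while the corrupt nested entry is skipped rather than aborting the scan. The point a scanner like log4j-detector makes is the same: a `find -name 'log4j*'` on disk misses the copies that live inside other archives.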
Luckily it did not find any vulnerable version :) hooray.
I know that this does not mean everything is in perfect condition, but it’s as good as the tool gets. I will look deeper into this issue to learn how to defend against it.
I’m sure things will move pretty fast, and there will be new tools to look for these issues and fix them. Hopefully, we can get over it soon.
“official logo for log4shell pic.twitter.com/DMEmPYJ7Mx” – Kevin Beaumont (@GossiTheDog), December 10, 2021