How to find applications & services that use Log4J

by Pearce Barry and HD Moore

Last updated on April 26, 2022 at 08:00 CST (-0600)

runZero can help you build an up-to-date asset inventory and search for assets that may be affected by Log4J vulnerabilities, such as Log4shell. runZero is not a vulnerability scanner, but you can share runZero’s results with your security team for investigation and mitigation.

What is Log4j? #

Internet discussion was abuzz on December 9th about a zero-day vulnerability that can yield remote code execution (RCE) in Apache’s popular Log4J logging library for Java. This particular vulnerability — tracked as CVE-2021-44228 with the maximum “critical” CVSS score of 10 — resides in Log4J’s lookup capability, combined with JNDI (Java Naming and Directory Interface). The issue is widespread because many developers were unaware that Log4J was dangerous to use with unfiltered input: any attacker-controlled string that reaches a log call is evaluated for lookups.

The most significant impact is that an attacker can cause a string to reach the logger, that when processed by Log4J, executes arbitrary code. The first examples of this used the ${jndi:ldap} path, which could lead to arbitrary code being loaded from a remote URL. This path is partially mitigated by the use of newer Java runtimes that block the URL-based class loader by default. Unfortunately, a modern version of Java may not be enough to prevent exploitation, as the application itself may expose classes that can be used to run arbitrary code.

While Apache released fixes for CVE-2021-44228 in Log4J version 2.15.0, it was discovered these fixes were “incomplete in certain non-default configurations”, allowing for exploitation in certain circumstances (tracked as CVE-2021-45046, with a “critical” CVSS score of 9.0), leading to a Log4J 2.16.0 release to address CVE-2021-45046.

Following that release, a new vulnerability was raised which can yield a denial-of-service attack via infinite recursion. Tracked as CVE-2021-45105 (and with a “high” CVSS score of 7.5), this vulnerability appeared to affect Log4J versions 2.8 through the most recent 2.16.0 release, and was fixed in versions 2.17.0 (for Java 8) and 2.12.3 (for Java 7).

Then on December 28th, security researchers at Checkmarx published findings of another RCE present in Log4J 2.17.0, one which requires the attacker have permissions to update the logging configuration and, when successful, can yield RCE. Tracked as CVE-2021-44832 (and with a “medium” CVSS score of 6.6), Apache released a fix for this latest vulnerability in Log4J versions 2.17.1 (for Java 8 and later), 2.12.4 (for Java 7), and 2.3.2 (for Java 6).

Impact of Log4J vulnerabilities #

The broad popularity of Log4J–coupled with the relative ease of exploiting this vulnerability–creates potential conditions for far-reaching exploitation (similar to Shellshock).

Google’s security team have scanned the contents of Maven Central and found over 35,000 affected packages, amounting to over 8% of those in the repository. Any application making use of the affected packages as dependencies may be vulnerable.

Affected applications include Elastic Search, Elastic LogStash, GrayLog2, Minecraft (client and server), Neo4J, many Apache projects (Druid, Dubbo, Flink, Flume, Hadoop, Kafka, Solr, Spark, Struts, Tapestry, Wicket), many VMware products (Horizon, vCenter, vRealize, HCX, NSX-T, UAG, Tanzu), Grails, and dozens if not hundreds of others. Log4J versions since 2.0 are reported to contain this vulnerability, which was originally disclosed to Apache several weeks ago by the security team at Alibaba Cloud.

How to stay on top of Log4Shell #

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently created a repo for tracking products/applications affected by Log4Shell, which will likely become the most reliable, long-term source-of-truth.

Note: runZero components–cloud platform, self-hosted, explorer, and CLI scanner–are not affected by this issue.

Patching and remediating vulnerable Log4J instances will continue to be an ongoing effort. Recently, an advanced persistent threat (APT) group has been observed installing rootkits in Windows systems vulnerable to Log4Shell. In fact, even some recent Log4J patching efforts themselves have led to other problems.

Government entities, such as CISA and the FTC, have reinforced the importance of patching, along with leveraging fines against businesses failing to take action. While it has been a long-haul response effort, the importance of remediating software and systems vulnerable to Log4Shell remains clear.

How to mitigate Log4J vulnerabilities #

Patches were made available in Log4J version 2.15.0 to prevent code execution, but these patches did not disable inline message lookups, which can expose things like environment variables and system configuration settings to an attacker who can observe the generated logs. Additional patches in Log4J version 2.16.0 disabled JNDI lookups by default, limited them to certain protocols, and allowed only localhost by default. Further patches in Log4J version 2.17.0 protect from uncontrolled recursion via self-referential lookups, and Log4J version 2.17.1 limits JNDI data source names to the java protocol.

For mitigations that folks can take immediately, Apache has offered some guidance.

Note: Initially it was thought that the problem could be mitigated by setting log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS. Apache have now clarified that those mitigation strategies are insufficient.

Mitigating these issues requires one of the following actions:

  • Upgrading to a fixed release: Log4J 2.17.1 (for Java 8 and later), 2.12.4 (for Java 7), or 2.3.2 (for Java 6).
  • Removing the JndiLookup class from the classpath, for example:

$ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  • Overriding the org.apache.logging.log4j.core.lookup.JndiLookup class by making appropriate changes to your classloader configuration.

It is worth noting that an updated version of the Java runtime is not a sufficient mitigation. Newer versions of Java block the URL class loader by default, but can still be abused to leak secrets from the environment, and deserialization attacks may still succeed using classes already loaded by the process.
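As an added example (not runZero’s or Apache’s code, and not from the original post), the following Python script performs the host-level check that goes with these mitigations. It walks a directory tree, opens every jar/war/ear/zip it finds, recurses into archives nested inside other archives (WEB-INF/lib, fat jars), reports any archive that contains log4j-core classes, reads the log4j-core version from the bundled Maven pom.properties (falling back to the file name for a plain log4j-core jar), and checks whether JndiLookup.class is still present. An archive is reported as fixed only at or above the releases named above (2.17.1, 2.12.4, 2.3.2); one with JndiLookup.class stripped is reported as mitigated; anything else with the class present, including 2.15.0 through 2.17.0, is reported as vulnerable. The sample archives it builds in a temporary directory are constructed for the demonstration, with placeholder bytes in place of real class files.

```python
import io
import os
import re
import tempfile
import zipfile

# Added example, not runZero's or Apache's code: find archives carrying log4j-core
# classes (directly or nested), read their version, and check for JndiLookup.class.

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None when no version is present."""
    m = VERSION_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def is_fixed(v):
    """Fixed releases per the advisories above: 2.17.1 (Java 8+), 2.12.4 (Java 7), 2.3.2 (Java 6)."""
    if v[0] != 2:
        return False
    if v < (2, 4, 0):
        return v >= (2, 3, 2)
    if v[:2] == (2, 12):
        return v >= (2, 12, 4)
    return v >= (2, 17, 1)

def classify(version, jndi_present):
    if version is not None and is_fixed(version):
        return "fixed"
    if not jndi_present:
        return "mitigated (JndiLookup.class removed)"
    if version is None:
        return "unknown version, JndiLookup.class present"
    return "vulnerable"                        # includes 2.15.0, 2.16.0 and 2.17.0 (incomplete fixes)

def archive_version(zf, name):
    """log4j-core version from its pom.properties, else from a plain log4j-core jar's file name."""
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    base = os.path.basename(name)
    return parse_version(base) if "log4j-core" in base else None   # shaded jar: not recoverable

def inspect_archive(zf, name, findings):
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        version, jndi = archive_version(zf, name), JNDI_CLASS in names
        findings.append({"path": name, "version": version,
                         "jndi_lookup_present": jndi, "status": classify(version, jndi)})
    for n in names:                            # recurse into nested archives (WEB-INF/lib, fat jars)
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue                       # not really a zip: skip rather than abort the scan
            with inner:
                inspect_archive(inner, name + "!" + n, findings)

def scan_tree(root):
    """Findings for every archive under root, with paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                try:
                    zf = zipfile.ZipFile(path)
                except zipfile.BadZipFile:
                    continue
                with zf:
                    inspect_archive(zf, os.path.relpath(path, root).replace(os.sep, "/"), findings)
    return sorted(findings, key=lambda x: x["path"])

def build_samples(root):
    """Constructed archives for the demonstration; class entries are placeholder bytes."""
    def core_jar(version, keep_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, "version=%s\nartifactId=log4j-core\n" % version)
            z.writestr(CORE_PREFIX + "LoggerContext.class", b"\xca\xfe\xba\xbe")
            if keep_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        return buf.getvalue()
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(core_jar("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "wb") as f:
        f.write(core_jar("2.14.1", keep_jndi=False))      # the "zip -q -d" mitigation applied
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", core_jar("2.17.1"))
        war.writestr("WEB-INF/lib/not-a-zip.jar", b"garbage")
    with zipfile.ZipFile(os.path.join(root, "service-all.jar"), "w") as fat:   # shaded fat jar
        fat.writestr(POM_PROPS, "version=2.16.0\n")
        fat.writestr(CORE_PREFIX + "LoggerContext.class", b"\xca\xfe\xba\xbe")
        fat.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def demo():
    """Build the constructed samples in a temp dir and return {path: status}."""
    root = tempfile.mkdtemp()
    build_samples(root)
    return {f["path"]: f["status"] for f in scan_tree(root)}

if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print("%-50s %s" % (path, status))
```

On a real host, call scan_tree on the directories where Java applications live (for example /opt, /usr/share, application home directories). The check only sees archives on disk: classes loaded from exploded directories, from a custom classloader, or from a jar fetched at runtime will not appear, so treat an empty result as “nothing found on disk”, not as proof that the host is clean.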

How to find applications that use Log4J with runZero #

Identifying every application, device, and service using the Log4J library is going to be an ongoing effort for security professionals. We will continue updating this post and our pre-built queries as more information becomes available.

The following query can be used to identify applications that are likely to be affected by this issue:

product:atlassian or product:avaya or product:coldfusion or product:coyote or product:cpanel or product:druid or product:"elastic search" or product:"epolicy orchestrator" or product:flink or product:graylog or product:hadoop or product:horizon or product:imc or product:jamf or product:jboss or product:jetty or (product:"kerio connect" and protocol:http) or product:logstash or product:metabase or product:minecraft or product:mongodb or product:neo4j or product:openfire or product:pega or product:recoverpoint or product:resin or product:rundeck or product:symantec or product:sonicwall or product:solarwinds or product:sophos or product:splunk or product:tableau or product:tomcat or product:="ubiquiti unifi" or product:"vmware horizon" or product:"vmware vcenter" or product:"vmware vrealize" or product:"vmware site recovery" or product:vmanage or product:wowza or hw:netapp or hw:imc or hw:"ucs manager" or hw:"crosswork son appliance" or hw:"site recovery manager" or hw:sonicwall or tcp_port:8983 or tcp_port:9092 or tcp_port:7077 or tcp_port:5347 or protocol:cassandra or protocol:elasticsearch
Finding Log4J applications with runZero

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries. Self-hosted customers may copy the query above, or use the Export System Queries option to download an importable query set from the cloud console.


Affected products and services #

ABB #

Adobe #

Akamai #

Amazon #

Apache #

APC #

Apereo #

  • CAS — Versions affected: 6.3.X & 6.4.X
  • Opencast — Versions affected: < 9.10, < 10.6

Appeon #

  • PowerBuilder — Versions affected: Appeon PowerBuilder 2017-2021 regardless of product edition

Aptible #

  • Aptible — Versions affected: ElasticSearch 5.X

Arista #

CloudVision #

Cognitive Wi-Fi #

DANZ Monitoring Fabric #

Ascertia #

Atlassian #

  • Atlassian Products — Self-hosted if configured with log4j.
  • Bamboo — Self-hosted if configured with log4j.
  • Confluence — Self-hosted if configured with log4j.
  • Crowd — Self-hosted if configured with log4j.
  • Crucible — Self-hosted if configured with log4j.
  • Fisheye — Self-hosted if configured with log4j.
  • Jira — Self-hosted if configured with log4j.

Avaya #

The current list can be found in the advisory. Some products are still under investigation.

BeyondTrust #

BMC Software #

The current list can be found in the advisory.

  • Bladelogic Database Automation
  • BMC AMI Ops Common Rest API (CRA)
  • BMC AMI Ops Infrastructure (MVI)
  • BMC AMI Ops Insight
  • BMC AMI Ops UI
  • BMC Client Management
  • BMC Discovery
  • BMC Helix Continuous Optimization
  • BMC License Usage Collection Utility
  • CMDB
  • Control-M
  • Helix Data Manager
  • MainView Middleware Monitor
  • Remedy Smart Reporting
  • Sentry Storage All-in-One ETL
  • Sentry Storage Analyzer KM
  • Sybase KM
  • TrueSight App Visibility Manager
  • TrueSight Automation Console
  • TrueSight Automation for Networks
  • TrueSight Automation for Servers
  • TrueSight Infrastructure Management
  • TrueSight IT Data Analytics
  • TrueSight Operations Management
  • TrueSight Smart Reporting
  • TSOM Smart Reporting

Brainworks #

  • Kerio Connect — version <9.4 is affected by the vulnerability CVE-2021-44228.

Broadcom (CA, Symantec) #

The current list can be found in the advisory.

CaseWare #

  • Cloud — Versions affected: unknown

CIS-CAT #

Cisco #

The current list can be found in the advisory. Many other products are still under investigation.

Cisco Cloud Hosted Services #

Collaboration and Social Media #

Network and Content Security Devices #

Network Management and Provisioning #

Routing and Switching - Enterprise and Service Provider #

Unified Computing #

Video, Streaming, TelePresence, and Transcoding Devices #

Voice and Unified Communications Devices #

Other #

Cloudera #

Cloudogu #

Commvault #

Confluent #

Decos #

Dell #

EMC #

Other #

Eaton #

Elastic #

Elastic has confirmed the vulnerability, but believes their mitigations make it difficult to exploit.

EVL Labs #

  • JGAAP — Versions affected: < 8.0.2

Ewon #

  • eCatcher — Versions affected: < 6.7.8

ExtraHop #

  • Reveal(x) — Versions affected: <=8.4.6, <=8.5.3, <=8.6.4

F-Secure #

F5 #

  • Traffix SDC — Versions 5.2.0 CF1 and 5.1.0 CF-30 - 5.1.0 CF-33 affected, other F5 products themselves are not vulnerable. F5 published guidance on mitigating through BIG-IP ASM/Advanced WAF and NGINX App Protect

Filecloud #

  • Filecloud — FileCloud uses Apache Solr which in turn uses the log4j library.

ForgeRock #

Fortinet #

Github #

Google Cloud #

See Google Cloud Log4j security advisory.

Gradle #

GuardedBox #

HCL #

See the KB entries matching CVE-2021-44228 for additional details.

HPE #

Huawei #

IBM #

Analytics #

Data Management #

Spectrum #

Sterling #

WebSphere #

Other #

Informatica #

Informatica state that their cloud remediation is complete, and have an advisory listing vulnerable on-premises products.

Intel #

Intland #

  • codebeamer — Versions affected: <= 20.11-SP11, <= 21.09-SP3

Ivanti #

  • Avalanche — Versions affected: 6.3.0, 6.3.1, 6.3.2, 6.3.3

Juniper #

Cloud Services #

Paragon Automation #

Security #

Other #

Kronos #

Lenovo #

Networking Switches #

Software #

Storage #

ThinkAgile #

ThinkStation #

ThinkSystem #

Lightbend #

LOGalyze #

McAfee #

Microfocus #

CyberRes #

Microsoft #

Mimecast #

  • Mimecast — Affected services have been patched.

MobileIron #

Mulesoft #

NetApp #

New Relic #

Nutanix #

  • AOS STS — Affected, patched in v6.0.2.4
  • File Analytics — Affected versions: 2.1.x, 2.2.x, 3.0+. Mitigation steps available for 2.1.x, 2.2.x, download available in 3.0.1.
  • Karbon — All versions affected, mitigation steps available.
  • Mine — All versions affected, mitigation steps available.
  • Objects — All versions affected, mitigation steps available.
  • SaaS-based Products — Most affected products have been patched, WAF mitigations in place.
  • Witness VM — All versions affected, mitigation steps available.

Okta #

OneSpan #

Digipass authentication products #

On-premises server products #

Oracle #

  • Enterprise Manager — Affected versions: 13.3.2, 13.4, & 13.5. Note that Oracle has currently restricted access to vulnerable product info; this info is from CISA.
  • Exadata — Affected versions: < 21.3.4. Note that Oracle has currently restricted access to vulnerable product info; this info is from CISA.

OVHcloud #

OxygenXML #

Palo-Alto Networks #

Ping Identity #

Polycom #

PortEx #

  • Portex — Versions affected: <3.0.2

Positive Technologies #

Progress #

PTV Group #

Software Solutions for Traffic & Mobility #

PureStorage #

  • FlashArray — Affected versions: Purity//FA 5.3.x, Purity//FA 6.0.x, Purity//FA 6.1.x, Purity//FA 6.2.x
  • FlashBlade — Affected versions: Purity//FB 3.0.x, Purity//FB 3.1.x, Purity//FB 3.2.x, Purity//FB 3.3.x
  • Portworx — Affected versions: 2.8.0+ with telemetry enabled
  • Pure Cloud Block Store — Affected versions: 6.1.xPAZ, 6.1.xPAWS, 6.2.xPAZ, 6.2.xPAWS
  • Pure VMA Collector — Affected versions: v3.x

Qlik #

QMATIC #

Rapid7 #

Real-Time Innovations (RTI) #

Redhat #

Cloud Computing #

  • OpenShift 3.11 — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.
  • OpenShift 4 — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.
  • OpenShift Logging — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.
  • OpenStack Platform 13 — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.

Cloud Computing/Runtimes #

Integration & Automation #

Runtimes #

Other #

Redis #

  • Jedis — Versions affected: 3.7.1, 4.0.0-rc2

Revenera #

Rockwell Automation #

Ruckus #

SBT #

  • SBT — Versions affected: < 1.5.6

Schneider Electric #

  • EASYFIT — Versions affected: Current software and earlier
  • Ecoreal XL — Versions affected: Current software and earlier
  • Eurotherm Data Reviewer — Versions affected: V3.0.2 and prior
  • MSE — Versions affected: Current software and earlier
  • NetBotz750/755 — Versions affected: Software versions 5.0 through 5.3.0
  • NEW630 — Versions affected: Current software and earlier
  • SDK BOM — Versions affected: Current software and earlier
  • SDK-Docgen — Versions affected: Current software and earlier
  • SDK-TNC — Versions affected: Current software and earlier
  • SDK-UMS — Versions affected: Current software and earlier
  • SDK3D2DRenderer — Versions affected: Current software and earlier
  • SDK3D360Widget — Versions affected: Current software and earlier
  • Select and Config DATA — Versions affected: Current software and earlier
  • SNC-API — Versions affected: Current software and earlier
  • SNC-CMM — Versions affected: Current software and earlier
  • SNCSEMTECH — Versions affected: Current software and earlier
  • SPIMV3 — Versions affected: Current software and earlier
  • SWBEditor — Versions affected: Current software and earlier
  • SWBEngine — Versions affected: Current software and earlier

Siemens #

SolarWinds #

Soliton Systems #

SonicWall #

  • Email Security — ES 10.0.11 and earlier versions are affected.
  • NSM — Affected.
  • WAF — Version 3.x with Cloud Management enabled is affected.

Splunk #

Stardog #

  • Stardog — Versions affected: <7.8.1

Stratodesk #

  • NoTouch — Versions affected: 4.5.231

SwingSet #

  • SwingSet — Versions affected: < 4.0.6

TeamViewer #

Tesorion #

Tibco #

Controllers #

Hardware Controllers #

TrendMicro #

Ubiquiti #

USoft #

  • USoft — Versions affected: 9.1 (unverified)

VMware #

The current list can be found in the advisory.

WatchGuard #

Wibu Systems #

WitFoo #

Zeiss #

Zendesk #

Other #

Potentially affected products #

  • Blackberry may be affected.
  • Citrix is still investigating many products.
  • Dell is still investigating.
  • Huawei is still investigating.
  • Kaseya is still investigating.
  • Oracle currently requires a support account to see affected products.
  • TrendMicro is still investigating.

Written by Pearce Barry

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.

Written by HD Moore

HD Moore is the co-founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.
