Hello everyone! I want to share with you about my weekend project called Log4Sherlock. I wrote this application to detect CVEs in Log4j scanner, a tool that scans for JAR, WAR, EAR, JPI, HPI that contain the affected JndiLookup.class even in nested files. Log4Sherlock works by scanning all local drives on a system it is run on and grabs pom.properties inside one of the above file types, even in nested files (to obtain the version number). It then searches within the JAR file for JndiLookup.class even in nested files. Files containing JndiLookup.class with vulnerable versions are marked with appropriate CVE and the logs are saved in CSV, JSON, and txt log.
Log4Sherlock was developed to scan for the following CVEs: CVE-2021-44228 Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI, CVE-2021-45046 Apache Log4j 2.15.0, and CVE-2021-45105 Apache Log4j2 versions 2.0-alpha1 through 2.16.0.
One of the reasons why I decided to write this tool was because I noticed that some other scanners did not consider some important points that would let some of these vulnerable files through the cracks. For example, some scanners only scan for JAR files or scan for hashed jar files which doesn’t account for nested files. However, Log4Sherlock scans JAR, WAR, EAR, JPI, HPI, checks nested files, and does not unzip files, just loads them into memory and checks them, making the scanner fast and accurate.
The core value of Log4Sherlock is that it scans multiple computers remotely and uses remote systems resources to make scanning fast. It also does not hash the JAR as it could be nested or edited. Log4Sherlock identifies the following vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and searches all drives on the system, excluding mapped drives. It creates a CSV list of affected files and locations and a JSON file with all information including errors like access issues to folders (so you know spots that might have been missed).
To use Log4Sherlock, download the ps1 file from log4jSherlock.ps1 and create the file computers.txt. Fill computers.txt with hostnames and run ps1. You can visit https://github.com/Maelstromage/Log4jSherlock for the complete repository.
Overall, Log4Sherlock is a fast and accurate scanner that can help you detect CVEs in Log4j scanner. I hope this tool can be useful to you and thank you for taking the time to read about it.