How to find log4shell vulnerable classes in my assemblies (jar/ear/war)


Given the current log4shell situation, I need a way to find out if I have vulnerable classes in my packaged products. What is the easiest way to find out if the following classes are contained in JAR files packaged in EAR or WAR files?

  • JndiLookup.class
  • JMSAppenderBase.class
  • JMSAppender.class

There are 1 answers

fl0w On BEST ANSWER

One solution would be the following bat script:

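@echo off
rem Run this from the directory that contains the EAR/WAR files.
echo extraction step 1
rem Unpack every archive in the current directory into tmp, without paths.
rem -aos skips a file when one with the same name already exists in tmp.
"C:\Program Files\7-Zip\7z.exe" e -r -aos -bd -otmp *
echo creating filelist
rem List the contents of the archives extracted into tmp.
"C:\Program Files\7-Zip\7z.exe" l -r -aos -bd tmp/* >filelist.txt
echo cleanup
rmdir /s /q tmp
echo analysis result:
rem Print the listing lines that name one of the three classes.
find "JndiLookup.class" filelist.txt
find "JMSAppenderBase.class" filelist.txt
find "JMSAppender.class" filelist.txt
pause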