Find Log4Shell vulnerabilities in your unmanaged and shaded jars with the Snyk CLI

As you may be aware — the Log4Shell vulnerability identified as CVE-2021-44228 and CVE-2021-45046 was disclosed on Friday (December 10th, 2021) for Apache’s Log4j logging framework. Snyk’s CLI is a powerful tool to begin with, giving you the ability to find Log4j CVEs if the library is included directly or transitively within your application. However, if the Log4j library was not disclosed in the manifest file, forked, or repackaged, you might not find these instances — until now.

Today, we are enhancing the power of the Snyk CLI with a new snyk log4shell command that will give you more visibility into your application, including being able to find traces of the vulnerable library even if it's not declared in the manifest file. The new command will look inside .jar and .war files to find Log4j or its parts. "Fat JARs" are supported as well.

The command is available in Snyk CLI version 1.796 or later and is powered by the groundbreaking analysis and detection technology enabled by the FossID acquisition earlier this year.

Snyk Open Source

These commands are already available in the Snyk Open Source CLI that you can use to test Java projects:

• snyk test analyzes project manifests and determines the dependencies and their known vulnerabilities. Read the Snyk for Java docs for more usage details.

• snyk test --scan-all-unmanaged compares the signatures of the JAR files in the target folder to signatures in the Maven repository to detect individual packages and their vulnerabilities. Read the CLI reference docs for more usage details.

Snyk Log4Shell (New )

The existing –scan-all-unmanaged argument does not open JAR files, it only compares the file signatures. To look inside .jar files and find things that are not declared, e.g. identifying forked projects, renamed files, or repackaged JAR files (e.g. fat JARs), we've introduced a new Snyk CLI command focused specifically on finding versions of Log4j affected by the CVE-2021-44228 vulnerability (Log4Shell).

snyk log4shell complements the Snyk Open Source scans that help you find the vulnerable packages via manifest files by analyzing built-in Java binaries recursively for traces of the Log4j library source code.

With snyk log4shell you can:

• Scan a Java project to see if it includes any .jar files with the vulnerable version of Log4j.

• Scan a Java project to see if it includes any files known to be present in the vulnerable Log4j library. Such findings indicate that the whole Log4j library may be included.

How to use snyk log4shell

1. Install the latest version (1.796) of Snyk CLI

2. Make sure the project is built.

3. Execute snyk log4shell from the project directory that you want to scan:

1$ snyk log4shell
2Please note this command is for already built artifacts. To test source code please use snyk test.
3Results:
4
5A vulnerable version of log4j was detected:
6demo-0.0.1-SNAPSHOT/WEB-INF/lib/log4j-core-2.14.1.jar
7demo-0.0.1-SNAPSHOT.war/WEB-INF/lib/log4j-core-2.14.1.jar
8demo-0.0.1-SNAPSHOT.war.original/WEB-INF/lib/log4j-core-2.14.1.jar

Note: The new command does not require (or support) any additional command-line arguments.

Additional resources

Aside from building this additional functionality with Snyk, we've also been busy creating an extensive library of information about the Snyk4Shell vulnerability. We encourage you to browse those resources — including our Log4Shell remediation cheat sheet and guide to finding and fixing Log4Shell — to keep yourself safe.