Find Log4Shell vulnerabilities in your unmanaged and shaded jars with the Snyk CLI
December 18, 20210 mins read
As you may be aware — the Log4Shell vulnerability identified as CVE-2021-44228 and CVE-2021-45046 was disclosed on Friday (December 10th, 2021) for Apache’s Log4j logging framework. Snyk’s CLI is a powerful tool to begin with, giving you the ability to find Log4j CVEs if the library is included directly or transitively within your application. However, if the Log4j library was not disclosed in the manifest file, forked, or repackaged, you might not find these instances — until now.
Today, we are enhancing the power of the Snyk CLI with a new
snyk log4shell command that will give you more visibility into your application, including being able to find traces of the vulnerable library even if it's not declared in the manifest file. The new command will look inside
.war files to find Log4j or its parts. "Fat JARs" are supported as well.
The command is available in Snyk CLI version 1.796 or later and is powered by the groundbreaking analysis and detection technology enabled by the FossID acquisition earlier this year.
Snyk Open Source
These commands are already available in the Snyk Open Source CLI that you can use to test Java projects:
snyk testanalyzes project manifests and determines the dependencies and their known vulnerabilities. Read the Snyk for Java docs for more usage details.
snyk test --scan-all-unmanagedcompares the signatures of the JAR files in the target folder to signatures in the Maven repository to detect individual packages and their vulnerabilities. Read the CLI reference docs for more usage details.
Snyk Log4Shell (New )
–scan-all-unmanaged argument does not open JAR files, it only compares the file signatures. To look inside .jar files and find things that are not declared, e.g. identifying forked projects, renamed files, or repackaged JAR files (e.g. fat JARs), we've introduced a new Snyk CLI command focused specifically on finding versions of Log4j affected by the CVE-2021-44228 vulnerability (Log4Shell).
snyk log4shell complements the Snyk Open Source scans that help you find the vulnerable packages via manifest files by analyzing built-in Java binaries recursively for traces of the Log4j library source code.
snyk log4shell you can:
Scan a Java project to see if it includes any .jar files with the vulnerable version of Log4j.
Scan a Java project to see if it includes any files known to be present in the vulnerable Log4j library. Such findings indicate that the whole Log4j library may be included.
How to use
Make sure the project is built.
snyk log4shellfrom the project directory that you want to scan:
1$ snyk log4shell 2Please note this command is for already built artifacts. To test source code please use snyk test. 3Results: 4 5A vulnerable version of log4j was detected: 6demo-0.0.1-SNAPSHOT/WEB-INF/lib/log4j-core-2.14.1.jar 7demo-0.0.1-SNAPSHOT.war/WEB-INF/lib/log4j-core-2.14.1.jar 8demo-0.0.1-SNAPSHOT.war.original/WEB-INF/lib/log4j-core-2.14.1.jar
Note: The new command does not require (or support) any additional command-line arguments.
Aside from building this additional functionality with Snyk, we've also been busy creating an extensive library of information about the Snyk4Shell vulnerability. We encourage you to browse those resources — including our Log4Shell remediation cheat sheet and guide to finding and fixing Log4Shell — to keep yourself safe.