I would recommend using the .jar version of this tool on GitHub:
https://github.com/logpresso/CVE-2021-44228-Scanner

It will report the relevant version of log4j in use, e.g.

$ Found CVE-2021-44228 vulnerability in /usr/lpp/bcp/blsjdpfd.jar, log4j 2.14.0


Jim

On Tue, 14 Dec 2021 13:59:06 -0600, Dave Jousma <david.jou...@53.com> wrote:

>On Tue, 14 Dec 2021 10:19:08 -0600, Dave Jousma <david.jou...@53.com> wrote:
>
>
>>
>>You bring up a good point.  There are hits for this in base JAVA V8 both 
>>31bit and 64bit, so consequently, any JAVA based app could be using, without 
>>actually including their own copy of log4j.   That also means that the local 
>>workaround is a bit more difficult too, as the override isn't a global 
>>change, unless I am misunderstanding?
>>
>>Isn't this a run-time option?
>>
>>-Dlog4j2.formatMsgNoLookups=True
>>
>>No one has said if there is a method to set this as a default in JAVA itself 
>>if no one specifies something different.
>
>I have to issue a correction.   Base JAVA does not appear to have the actual 
>log4j code in it, but something in there is/can use it.  I misread the output 
>from the tool that Itschak graciously shared.
>
>QIF0200I (QIFUSS99) JAR USING LOG4J: /RSD02A/usr/lpp/java/J8.0/lib/resources.jar
>
>QIF0200I (QIFUSS99) JAR USING LOG4J: /RSD02A/usr/lpp/java/J8.0_64/lib/resources.jar
>
>A grep of the physical resources.jar file comes out with:
>
><!ATTLIST Log4J  configFile CDATA  'data/log4j.xml' >
>
>I extracted the resources.jar file to a separate directory, and tried to pipe 
>the output of find . command to grep to scan all the individual files from the 
>extract for "log4j", but I am just not unix savvy enough to make that work.
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

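The find-to-grep scan of an extracted jar described in the quoted message, written as an added example that is not part of the thread: it separates files that only mention log4j (such as the DTD line quoted above) from a tree that actually bundles log4j 2.x core classes. The function names and sample tree are hypothetical, and it assumes an unshaded log4j 2.x copy, whose core classes live under `org/apache/logging/log4j/core/`.

```shell
#!/bin/sh
# Added example; function names and the sample tree are constructed for illustration.

# Files under $1 whose CONTENTS mention log4j (any case). `find . | grep log4j`
# only matches file NAMES; -exec ... {} + passes the files themselves to grep.
log4j_mentions() {
    find "$1" -type f -exec grep -il 'log4j' {} + 2>/dev/null | sort
}

# Class files under the log4j 2.x core package path, i.e. a bundled copy of the
# library. A shaded (relocated) copy would sit under another path and is not matched.
log4j_core_classes() {
    find "$1" -type f -name '*.class' | grep '/org/apache/logging/log4j/core/' | sort
}

# Summarise a tree: bundled library, textual reference only, or no trace at all.
classify_tree() {
    if [ -n "$(log4j_core_classes "$1")" ]; then
        echo bundled
    elif [ -n "$(log4j_mentions "$1")" ]; then
        echo reference-only
    else
        echo none
    fi
}

# Constructed sample: one file carrying the DTD line quoted in the thread,
# one unrelated file.
make_sample_tree() {
    mkdir -p "$1/META-INF" "$1/com/example"
    printf '%s\n' "<!ATTLIST Log4J  configFile CDATA  'data/log4j.xml' >" \
        > "$1/META-INF/sample.dtd"
    printf 'unrelated\n' > "$1/com/example/notes.txt"
}

# Usage: sh scan.sh <directory where the jar was extracted>
if [ "$#" -gt 0 ]; then
    log4j_mentions "$1"
    echo "result: $(classify_tree "$1")"
fi
```

A result of `reference-only` matches the correction in the quoted message: the jar names log4j in a resource file but carries no log4j code of its own.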