How can I find out what version of Log4J I am using?

How Can I Find Out What Version Of Log4J I Am Using?

We Are Going To Discuss About How can I find out what version of Log4J I am utilizing?. So lets Start this Java Article.

How can I find out what version of Log4J I am utilizing?

How to unravel How can I find out what version of Log4J I am utilizing?

I got here right here after studying my servers could also be weak to the brand new Log4j exploit (CVE-2021-44228). So I wanted to know whether or not I had an outdated/weak construct of Log4j version 2 put in.
Previous solutions right here don’t assist with detecting outdated variations, as a result of they’re for letting already-running Java code determine out which version of Log4j that code makes use of, whereas I have to know if any Java app might be utilizing a weak version.
Here’s what I did as a substitute:
sudo find / -name 'log4j*'
This lists all Log4j associated recordsdata on my (Linux) server. That confirmed me a number of 1.x variations, which aren’t weak to this particular CVE, and one 2.15.0 file, which already comprises the repair for the CVE.
If you run this and find file or folder names which have 2.x, the place x < 15, then you’re seemingly weak, and have to determine out how you can replace your recordsdata ASAP.
Caution
I was warned that this isn’t sufficient of a take a look at for my function as a result of the Log4j recordsdata could also be hidden inside a .jar file, which the find command wouldn’t uncover.
Update
Here’s a public challenge that makes an attempt to scan all .jar recordsdata, to be able to find Log4j code inside archives as properly: Log4-detector

How can I find out what version of Log4J I am utilizing?
READ :  [Solved] Could not find the implementation for builder @angular-devkit/build-angular:dev-server

I got here right here after studying my servers could also be weak to the brand new Log4j exploit (CVE-2021-44228). So I wanted to know whether or not I had an outdated/weak construct of Log4j version 2 put in.
Previous solutions right here don’t assist with detecting outdated variations, as a result of they’re for letting already-running Java code determine out which version of Log4j that code makes use of, whereas I have to know if any Java app might be utilizing a weak version.
Here’s what I did as a substitute:
sudo find / -name 'log4j*'
This lists all Log4j associated recordsdata on my (Linux) server. That confirmed me a number of 1.x variations, which aren’t weak to this particular CVE, and one 2.15.0 file, which already comprises the repair for the CVE.
If you run this and find file or folder names which have 2.x, the place x < 15, then you’re seemingly weak, and have to determine out how you can replace your recordsdata ASAP.
Caution
I was warned that this isn’t sufficient of a take a look at for my function as a result of the Log4j recordsdata could also be hidden inside a .jar file, which the find command wouldn’t uncover.
Update
Here’s a public challenge that makes an attempt to scan all .jar recordsdata, to be able to find Log4j code inside archives as properly: Log4-detector

Solution 1

I got here right here after studying my servers could also be weak to the brand new Log4j exploit (CVE-2021-44228). So I wanted to know whether or not I had an outdated/weak construct of Log4j version 2 put in.

READ :  Redis: DENIED Redis is running in protected mode [How to Solve]

Previous solutions right here don’t assist with detecting outdated variations, as a result of they’re for letting already-running Java code determine out which version of Log4j that code makes use of, whereas I have to know if any Java app might be utilizing a weak version.

Here’s what I did as a substitute:

sudo find / -name 'log4j*'

This lists all Log4j associated recordsdata on my (Linux) server. That confirmed me a number of 1.x variations, which aren’t weak to this particular CVE, and one 2.15.0 file, which already comprises the repair for the CVE.

If you run this and find file or folder names which have 2.x, the place x < 15, then you’re seemingly weak, and have to determine out how you can replace your recordsdata ASAP.

Caution

I was warned that this isn’t sufficient of a take a look at for my function as a result of the Log4j recordsdata could also be hidden inside a .jar file, which the find command wouldn’t uncover.

Update

Here’s a public challenge that makes an attempt to scan all .jar recordsdata, to be able to find Log4j code inside archives as properly: Log4-detector

Original Author Thomas Tempelmann Of This Content

Solution 2

It depends upon the ClassLoader, however take a look at the example:

import org.apache.log4j.Layout;

public class X {
    public static void essential(String[] a) {
        Package p = Layout.class.getPackage();
        System.out.println(p);
        System.out.println("Implementation title:   " + p.getImplementationTitle());
        System.out.println("Implementation vendor:  " + p.getImplementationVendor());
        System.out.println("Implementation version: " + p.getImplementationVersion());
    }
}

You can name the strategy getImplementationVersion on the Layout class of log4j:

org.apache.log4j.Layout.class.getPackage().getImplementationVersion()

Original Author Loic Mouchard Of This Content

READ :  [Solved] Linux WebService Startup Error: BindException: Cannot assign requested address

Solution 3

I wouldn’t count on this to be the popular methodology, however it’s how I decided the version of Log4j that my software program was utilizing:

Open, or extract the contents of, the Log4j .jar utilizing a .zip archiving utility (Windows Explorer helps this). Navigate into the “META-INF” sub-directory and open the file “MANIFEST.MF” in a textual content editor. Find the road beginning with “Implementation-Version“, that is the Log4j version.

Obviously, this isn’t a programmatic resolution. But for those who merely need to know what version you’re utilizing and you’ve got the .jar archive, it really works.

I observed that Package.getSpecificationVersion() and Package.getImplementationVersion(), as talked about in Loic M.’s answer, work for different .jar libraries, however not my Log4j. It’s potential that the version I am utilizing simply doesn’t assist it.

I downloaded version 2.13.1 to attempt out the above talked about strategies and located that they do work with it. So it was my version (1.2.16) that didn’t assist them and returned null.

Original Author AntumDeluge Of This Content

Solution 4

To know the Log4j version throughout runtime in Java:

LOGGER.data("Log4j version: " + org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion());

Or

System.out.println("Log4j version: " + org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion());

Original Author Shivam Anand Of This Content

Conclusion

So This is all About This Tutorial. Hope This Tutorial Helped You. Thank You.

Leave a Reply

Your email address will not be published. Required fields are marked *