How to Scan for Vulnerable Log4j Files

  • Latest log4j2-scan documented here: 2.7.1 (1/2/2022)
  • Latest Log4j2 versions: 2.17.0 (Java 8), 2.12.3 (Java 7), and 2.3.1 (Java 6)
  • Apache Log4j vulnerabilities: https://logging.apache.org/log4j/2.x/security.html

For Windows Computers

  • Download the "Windows x64, zip" version of the log4j2 scanner from https://github.com/logpresso/CVE-2021-44228-Scanner
  • Open a command prompt as an administrator, change to the directory where you downloaded and extracted the log4j scanner, and run the following command:

log4j2-scan --all-drives


For McCombs Computer Services Tech Staff

  • In MEMCM, run the following script against a client or client collection: MSB - LOG4J Scanner - Web Download
  • For clients on campus that cannot reach the Internet, run this instead: MSB - LOG4J Scanner - SCCM Share
  • Among other things, these will create the following CSV report that can be reviewed by the end user: C:\Temp\log4j.csv

For Macintosh Computers

Native Mac OS Version

There is a native Mac OS version of the scanner, but it will require you to modify the security settings on your Mac to run it.

log4j2-scan /

  • You will receive a message that the application cannot be safely run, and you will be given the option to move it to the trash or cancel. Click "Cancel".
  • Then go to System Preferences > Security & Privacy > General and click the "Allow Anyway" button next to the message stating that log4j2-scan was blocked.
  • Then go back to the terminal window and rerun "log4j2-scan /".
  • When you receive a new warning, you will now have the option to click "Open" and run the application. Do so.

Java Version

If you are unable to follow the above instructions to run the native Mac OS version, you can also use the Java version of the app.

java -jar logpresso-log4j2-scan-2.7.1.jar /

  • Change the version number if the file you downloaded is more recent than this example.

  • If you don't have Java installed already, you will need to download and install it from https://www.java.com.

What to do if the scan finds vulnerable log4j files

If you find a vulnerable file, take one of the following steps if you can.

If you don't need an application that uses a vulnerable log4j file . . .

  • Uninstall it.
  • Make sure the log4j files are no longer present after the uninstall. Manually delete them if needed.

If you need to keep that application . . .

  • Check with the vendor to see if there is an update that addresses the vulnerability.
  • Check with the vendor to see if the log4j files can be deleted. They may only be used by a feature you don't actually use or have installed.
  • If there is no fix you can implement right now, keep checking back with the vendor.

Your scan will probably find vulnerable files in a directory called 'CrashPlan' or 'Code42'. This is UTBackup, which should update automatically. You can disregard this in your scan results for now as long as they report log4j2 version 2.16 or higher.
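
To confirm the cleanup steps above for a single application folder after an uninstall or vendor update, the following added example (not part of the original page or of the log4j2-scan project) lists any log4j-core jars still present and compares each one with the latest versions listed at the top of this page. It assumes the jar still carries its standard Maven pom.properties entry; the function names and the sample jars are constructed for illustration.

```python
import os
import re
import tempfile
import zipfile

# Maven metadata entry that log4j-core jars carry; its "version=" line is read here.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Latest releases per Java line, copied from the list at the top of this page.
LATEST = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
DEFAULT_LATEST = (2, 17, 0)

def jar_version(path):
    """Return the log4j-core version in a jar as a tuple, or None if absent."""
    try:
        with zipfile.ZipFile(path) as jar:
            text = jar.read(POM).decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None  # not log4j-core, corrupt archive, or unreadable file
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def at_latest(version):
    """True if version is at or above the page's latest release for its line."""
    return version >= LATEST.get(version[:2], DEFAULT_LATEST)

def leftover_log4j(root):
    """Return sorted [(path, version, at_latest)] for log4j-core jars under root."""
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(folder, name)
                version = jar_version(path)
                if version:
                    found.append((path, version, at_latest(version)))
    return sorted(found)

def make_sample_jar(folder, name, version):
    """Write a constructed stand-in jar holding only the pom.properties entry."""
    with zipfile.ZipFile(os.path.join(folder, name), "w") as jar:
        jar.writestr(POM, f"version={version}\nartifactId=log4j-core\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:  # constructed sample, not real findings
        make_sample_jar(demo, "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(demo, "renamed.jar", "2.17.0")
        for path, version, ok in leftover_log4j(demo):
            status = "at latest" if ok else "older than latest"
            print(os.path.basename(path), ".".join(map(str, version)), status)
```

This sketch does not open archives nested inside other archives, so rerunning log4j2-scan remains the fuller check.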

UT recommendations regarding some products that may show up as vulnerable in your scan

Vendor recommendations regarding some products that may show up as vulnerable in your scan

Third party recommendations regarding some products that may show up as vulnerable in your scan