Using log4jscanwin to identify Log4j vulnerabilities on Windows machines

Table of Contents

What is log4j? Vulnerabilities in log4j Identifying vulnerable log4j JARs on Windows

Notes on interpreting results Mitigation Conclusion

What is log4j?

‍ Log4j is a Java based logging library developed by volunteers and maintained under the Apache Software Foundation ( ASF ). It ’ s pluggable nature and cross-platform operability makes it one of the most extensively use logging utilities. aside from being used directly, it besides comes bundled with a fortune of softwares, particularly Java applications, as the default logging library. ‍

Vulnerabilities in log4j

‍ On 9th December a zero-day vulnerability, dubbed “ Log4Shell ”, was disclosed to the public. This vulnerability gave the attacker the ability to execute arbitrary code on systems by making the log4j library log a particularly crafted string. The severity for this security system issue is 10, the highest potential vulnerability score. This is one of, if not the most, serious security vulnerabilities in the past ten ascribable to multiple reasons :

  1. Successful exploitation of the vulnerability allows Remote Code Execution (RCE), allowing the attacker to gain access to the underlying system that is running log4j
  2. The ability to perform this attack (potentially) without authentication because the logs could also be generated for unauthenticated operations
  3. The ability to piggy-back on the compromised system to exploit other resources that might not have been part of the public internet
  4. The library is used across multiple operating systems, environments (On prem, Cloud – AWS, GCP, etc.), applications, if not directly then potentially as a bundled package
  5. Mitigation for the crafted string is extremely difficult due to the sheer amount of variations that could be implemented for the payload string

here ’ s a demonstration of the vulnerability being exploited : ‍
Since the populace disclosure of the vulnerability, multiple CVEs have been published for log4j :

  1. CVE-2021-44228 A vulnerability was identified that logging a specially crafted string could use LDAP and JNDI to invoke arbitrary code. This had a severity rating of 10 (Critical)
  2. CVE-2021-45046 It was identified that the patch released for fixing CVE-2021-44228 was incomplete against non-default configurations for log4j and allowed code execution under non-default configurations
  3. CVE-2021-45105 It was identified that log4j versions from 2.0-alpha1 through 2.16.0 did not mitigate uncontrolled recursion from self-referential lookups allowing attacker to have control of Thread Control Matrix causing denial of service
  4. (Update) CVE-2021-44832 – A RCE is possible in v2.17.1 as well under controlled conditions. Vulnerability rated with moderate severity.

Identifying vulnerable log4j JARs on Windows

‍ Use log4jscanwin, a joyride created by Qualys, to scan Windows machines.
The comply steps will help identify the universe of vulnerable versions of log4j JAR files present on a Windows machine : 1. Log on to the Windows machine 2. Use a browser to download the ZIP archive for the latest version of log4jscanwin from hypertext transfer protocol : // 3. once downloaded, distill files from the archive, it should contain two directories inside the etymon folder – x86 and x64. 4. To know the architecture of our Windows machine :

  1. Navigate to the start menu
  2. Search for “This PC”
  3. Right click on the “This PC” icon and select the properties option
  4. Note the architecture mentioned under properties

5. next, navigate to start menu, search for CMD, right suction stop and select the choice “ Run as administrator ” ( The administrator password would be required if this task is being performed by a non-admin user )

6. Inside CMD, navigate to the extracted booklet and then to the booklet containing the exe file based on the machine ’ south computer architecture that was determined in step 4 7. To start the scan, run the follow command :

Log4jScanner.exe /scan

Log4jScanner.exe /scan 8. once the read is complete, it would list any identify log4j JAR files along with relevant information if the interpretation is vulnerable8. Once the scan is complete, it would list any identified log4j JAR files along with relevant information if the version is vulnerable 9. Stop at footprint 8 with the list of softwares containing vulnerable versions of log4j where patch is required to be performed 10. additionally, to perform a sanity discipline against the log4j JAR files that were identified but not classify vulnerable, check if they are false negatives by :

  1. Calculating their SHA1 sums by running the following command in PowerShell

get-filehash -Algorithm SHA1 ‘

Calculating their SHA1 sums by running the following command in PowerShell

  1. Navigate to this CSV of SHA1 hashes curated from vulnerable log4j JAR files and search if the hash calculated in step ‘1’ exists in the CSV

Navigate to this CSV of SHA1 hashes curated from vulnerable log4j JAR files and search if the hash calculated in step ‘1’ exists in the CSV

  1. If the hash matches an existing entry in the CSV, the corresponding JAR file that was identified from the tool (but considered not vulnerable) might also be potentially vulnerable

Notes on interpreting the results

‍ Log4jscanwin would identify all log4j JARs, but sometimes these JAR files might not be available directly as a JAR. For example, the JAR could be salute under another archive file such as Web Archive ( WAR ) files. Jenkins is a great example that uses WAR files. When log4jscanwin identifies a log4j JAR inside another archive file, for model “ jenkins.war ”, the way would look like


In this event, the result would either be conclusive that the JAR is vulnerable, warranting no further military action early than patching it but if the solution is inconclusive and you want to verify the SHA1 hash of the JAR yourself, you can use a creature like 7zip to extract files from the WAR file and then navigate to the path of the log4j JAR charge, calculate the hash and compare it with the hashes present in the CSV mentioned in the previous section.
Another important thing to note is that it is the Java Naming and Directory Interface ( JNDI ) that causes the vulnerabilities and not log4j itself. frankincense, if the JNDI classify is missing from log4j, it is dependable to use and not vulnerable to CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4483. ‍


‍ once you have confirmed the being of vulnerable versions of log4j running on your Windows machines, it is necessity to patch them to mitigate the security write out. Depending on the environment, the extenuation steps differ. For example, if the security write out is found in a wield mottle environment such as AWS, expect for the seller to patch it. For software that might use log4j as a part, check if the seller for the software has released an update which includes the bandage, and if the update with the patch exists, apply the update ampere soon as possible. ‍
It should besides be noted that some articles mention updating to log4j-2.16.0 as the extenuation. This is no longer true as CVE-2021-45105 is present in all log4j versions from 2.0-alpha1 to 2.16.0 and therefore, users must update to log4j-2.17.0 to mitigate all three zero-days identified for log4j. ‍


‍ Log4j is an extensively used, Java based logging utility which was recently found to be vulnerable to a zero-day exploit. Since this software is prevailing in many systems across a diverse range of environments, the fire open of this vulnerability is highly across-the-board. This return is classified with a CVSS score of 10, the highest possible score. From the moment the first zero-day feat was made public, two more zero-days have been identified. ‍
This is a critical issue and therefore needs to be identified in our environments, so any vulnerable versions of log4j can be patched, or at least proper monitor be set until the seller releases a piece. Log4jscanwin is a tool that can be utilized to scan our Windows workloads to identify vulnerable log4j JARs and then apply appropriate moderation strategies to secure ourselves and improve the security military capability of our arrangement. ‍


‍ This article is brought to you by Kloudle Academy, a loose e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management chopine that uses the power of automation and simplifies homo requirements in cloud security. If you wish to give your feedback on this article, you can write to us here.

source :
Category : Tech

About admin

I am the owner of the website, my purpose is to bring all the most useful information to users.

Check Also


Manage participants in a zoom meeting webinar

Call the people who attend the meet as follows Alternate host host Who scheduled the …

Leave a Reply

Your email address will not be published.