Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property “log4j2.formatMsgNoLookups” to “true” or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
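
To verify that the JndiLookup class removal described above has actually been applied, including to copies of log4j-core bundled inside other archives, the following added example (not part of the original page or of any listed tool) scans archive bytes recursively for the class. The sample archives, file names and the `find_jndi_lookup` and `make_zip` helpers are constructed for illustration.

```python
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, origin="<archive>"):
    """Return paths of every JndiLookup.class found in `data` (archive bytes),
    descending into nested archives. Paths use '!' between archive levels."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive: nothing to report
    with archive:
        for name in archive.namelist():
            if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                hits.append(f"{origin}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits += find_jndi_lookup(archive.read(name), f"{origin}!{name}")
    return hits


def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: file contents are placeholders, not real class files.
unpatched_core = make_zip({JNDI_CLASS: b"stub", "META-INF/MANIFEST.MF": b""})
stripped_core = make_zip({"META-INF/MANIFEST.MF": b""})  # after `zip -q -d ...`
fat_app = make_zip({"BOOT-INF/lib/log4j-core-sample.jar": unpatched_core,
                    "BOOT-INF/classes/App.class": b"stub"})

if __name__ == "__main__":
    for label, blob in [("log4j-core-sample.jar", unpatched_core),
                        ("log4j-core-stripped.jar", stripped_core),
                        ("app.jar", fat_app)]:
        found = find_jndi_lookup(blob, label)
        print(label, "->", found or "JndiLookup.class not present")
```

The check reports only whether the class is still on disk; it does not identify the Log4j version or whether `log4j2.formatMsgNoLookups` is set for a running process.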


Please check NCSC-NL - log4shell - IoCs


Checks if the application is vulnerable to CVE-2021-44228.

| Source | Notes | Links |
| --- | --- | --- |
| crypt0jan | Perform a scan of a single host (using PowerShell) to see if it's vulnerable | |
| Huntress | Online Log4Shell Vulnerability Tester | |
| Canary Tokens | Log4Shell Vulnerability Tester | |
| Diverto | Nmap NSE scripts to check against log4shell | |
| righel | Nmap NSE script to inject jndi payloads with customizable templates into HTTP targets | |
| silentsignal | Log4Shell scanner for Burp Suite | |
| Northwave Security | Northwave Log4j CVE-2021-44228 checker | |
| Northwave Security | Northwave Log4j CVE-2021-44228 checker PowerShell version | |
| OlafHaalstra | Scans a list of URLs with GET or POST requests with user-defined parameters | |
| Grype | Open source vulnerability scanner (docker), picks up nested JARs containing log4j | |
| logpresso | Scans for Java files that are vulnerable and may rename them for mitigation | |
| FullHunt | Open detection and scanning tool (Python) for discovering and fuzzing for Log4J vulnerability | |
| Dtact DIVD-2021-00038 log4j scanner | Scan paths including archives for vulnerable log4 | |

Log4j2 Detection

| Source | Notes | Links |
| --- | --- | --- |
| Neo23x0 | Florian Roth Log4j2 detection script | |
| sp4ir | PowerShell script to detect Log4Shell | |
| NCCgroup | Version hashes (MD5, SHA1 and SHA256) for log4j2 versions | |
| 1lann | Scans a file or folder recursively for jar files that may be vulnerable | |
| Syft | Open source SBOM scanner, can detect all dependencies including log4j | |
| Devotech | PowerShell: Queries domain servers and scans for log4j-core files. (slow) | |


Please check NCSC-NL - log4shell - mitigation

Vulnerable software overview

Please check NCSC-NL - log4shell - software overview

URL List