====== Log4shell ======

On December 9th, 2021, Apache published a severe vulnerability called [[https://nvd.nist.gov/vuln/detail/CVE-2021-44228|Log4shell]] (and other Log4j-related vulnerabilities).

===== Download =====

This is a quick way to scan your services. It is essentially log4j-scan from fullhunt, but taken from the cisagov repository:

  git clone https://github.com/cisagov/log4j-scanner.git
  cd log4j-scanner/log4-scanner/

==== Requirements ====

  * python
  * python-requests
  * python-termcolor
  * python-pycryptodome

===== Create a URL list =====

The easiest way is to create a list of all the URLs you want to check, one per line:

  nano urls.txt

  https://digitalprivacy.diy
  https://meet.digitalprivacy.diy
  https://searx.digitalprivacy.diy

===== Check your URLs =====

Scan every URL in the list:

  python log4j-scan.py -l urls.txt --waf-bypass --run-all-tests

or just a single URL:

  python log4j-scan.py -u https://digitalprivacy.diy --waf-bypass --run-all-tests
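
A check worth running on urls.txt before the scan, as an added example (not part of log4j-scan or of the original page): it keeps only http(s) URLs whose host belongs to domains you operate and drops duplicates. ''vet_urls'' and ''OWNED_DOMAINS'' are hypothetical names, and the domain list is an assumption taken from the sample URLs above.

```python
"""Added example: vet urls.txt before scanning (not part of log4j-scan)."""
from urllib.parse import urlsplit

# Assumption: the domains you operate, taken from the sample list on this page.
OWNED_DOMAINS = ("digitalprivacy.diy",)


def vet_urls(lines, owned=OWNED_DOMAINS):
    """Return (accepted, rejected); rejected holds (line, reason) pairs."""
    accepted, rejected, seen = [], [], set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no target
        try:
            parts = urlsplit(line)
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            rejected.append((line, "malformed URL"))
            continue
        host = (parts.hostname or "").lower().rstrip(".")
        if parts.scheme not in ("http", "https"):
            rejected.append((line, "missing or unsupported scheme"))
        elif not host:
            rejected.append((line, "no hostname"))
        elif not any(host == d or host.endswith("." + d) for d in owned):
            # A suffix match on ".domain" stops look-alikes such as
            # digitalprivacy.diy.example.net from slipping through.
            rejected.append((line, "host outside owned domains"))
        else:
            key = (parts.scheme, host, port, parts.path.rstrip("/"))
            if key not in seen:  # same target written differently counts once
                seen.add(key)
                accepted.append(line)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input, not real scan data.
    sample = ["https://digitalprivacy.diy", "https://meet.digitalprivacy.diy/",
              "HTTPS://MEET.digitalprivacy.diy", "searx.digitalprivacy.diy",
              "https://digitalprivacy.diy.example.net"]
    ok, bad = vet_urls(sample)
    print("\n".join(ok))
    for line, reason in bad:
        print(f"# skipped {line}: {reason}")
```

Redirect the accepted lines into urls.txt and review the skipped ones by hand before running the scanner with ''-l urls.txt''.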