Log4jscanner by Google
Google just launched today log4jscanner, a package written in Go to help identify the vulnerability in Apache Log4j by analysing JAR files.
What's Apache Log4j?
It's a Java-based logging utility.
What's the impact of Apache Log4j Vulnerability?
The vulnerability allows an attacker to perform remote code execution by exploiting the insecure JNDI lookups feature exposed by the logging library log4j. This exploitable feature was enabled by default in many versions of the library.
This log4jscanner includes a scanner that walks directory, printing any detected JARs to stdout.
$ log4jscanner ./jar/testdata
./jar/testdata/bad_jar_in_jar.jar
./jar/testdata/log4j-core-2.1.jar
./jar/testdata/log4j-core-2.12.1.jar
./jar/testdata/log4j-core-2.14.0.jar
./jar/testdata/log4j-core-2.15.0.jar
./jar/testdata/vuln-class.jar
You will find more information about this scanner in the official repository.
More information about the impact of this vulnerability in this link.