A severe vulnerability in the popular log4j package was discovered recently: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 . In a complex system, where there could multiple legacy Java applications with diverse build systems it is not trivial to determine if you are actually using log4j.

Here is a simple one line command that will determine if any of the currently running JVMs have loaded the log4j classes:

jps | grep -v " Jps$" |  cut -f1 -d " " | xargs -I '{}' jcmd '{}' VM.class_hierarchy | grep logging.log4j 

This is a good way to have a quick look if there are any currently running applications which need to be investigated further for potential log4j issues.

How it works

The jps command shows the PIDs of all JVM processes
grep -v " Jps$" excludes the match to the jps process itself (-v is for invert)
cut -f1 -d " " select the PID (i.e., first) column
jcmd '{}' VM.class_hierarchy prints the hierarchy of all classes loaded in a JVM
xargs calls the jcmd command on each line of the output of cut

How do I know if I'm running log4j ?

How it works

Related Posts You May Enjoy:

Unbound Variable errors in Bash scripts bash

Using QuantLib from Clojure java

Need strategic help with your project? Let us know at webs@bnikolic.co.uk, we may be able to assist!

Any comments, suggestions or enquiries? Send a message: