# Scanning Container Images for CVE-2021-44228

Getting on top of the recently announced CVE-2021-44228 vulnerability (a.k.a. Log4Shell) is job #1 across the software industry right now. For containerized applications, scanning your images is a great way to find the vulnerability in your app. Regardless of which tool you use, we want to help you find and remediate this issue as fast as possible.

The following examples are among the various image scanning tools you can use to detect whether your image is vulnerable. This list is put together by a collection of us who support and maintain these tools. If you would like to add additional tools to this list, you are free to do so as a logged-in HackMD user. All we ask is that you maintain neutrality in your comments as we work together to help the OSS community grapple with this challenge. Thank you.

---

# [Aquasec trivy](https://github.com/aquasecurity/trivy)

*Contributor: Rory McCune, Cloud Native Security Advocate at Aqua Security*

**Container Image Scan**

* `trivy image [myimage:tag] | grep -B 1 -A 4 log4j-core`

```
+-------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228   |          | 2.11.1            | 2.15.0        | log4j-core: Remote code execution     |
|                                     |                  |          |                   |               | in Log4j 2.x when logs contain        |
|                                     |                  |          |                   |               | an attacker-controlled...             |
|                                     |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-44228 |
+-------------------------------------+                  +          +                   +               +                                       +
| org.apache.logging.log4j:log4j-core |                  |          |                   |               |                                       |
+-------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
```

---

# [Snyk CLI](https://github.com/snyk/snyk) / [Docker scan](https://docs.docker.com/engine/scan/)

*Contributor: Eric Smalling, Senior Developer Advocate at Snyk*

**Container Image Scan**

* `snyk container test --severity-threshold=critical --app-vulns [myimage:tag] | grep -C 2 log4j`

\- or -

* `docker scan [myimage:tag] | grep -C 2 log4j`

```
Upgrade org.apache.logging.log4j:log4j-core@2.11.1 to org.apache.logging.log4j:log4j-core@2.15.0 to fix
✗ Arbitrary Code Execution (new) [Critical Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720] in org.apache.logging.log4j:log4j-core@2.11.1
  introduced by org.apache.logging.log4j:log4j-core@2.11.1
```

---

# [Anchore grype](https://github.com/anchore/grype) / [Anchore syft](https://github.com/anchore/syft)

*Contributor: Daniel Nurmi, CTO at Anchore*

**Container Image Scan**

* `grype [myimage:tag] | grep GHSA-jfh8-c2jp-5v3q`

```
log4j-api   2.14.1  2.15.0  GHSA-jfh8-c2jp-5v3q  Critical
log4j-api   2.13.3  2.15.0  GHSA-jfh8-c2jp-5v3q  Critical
log4j-core  2.14.1  2.15.0  GHSA-jfh8-c2jp-5v3q  Critical
log4j-core  2.13.3  2.15.0  GHSA-jfh8-c2jp-5v3q  Critical
```

**Container Image SBOM Generate**

* `syft [myimage:tag] | grep -i log4j`

```
log4j-api   2.13.3  java-archive
log4j-api   2.14.1  java-archive
log4j-core  2.13.3  java-archive
log4j-core  2.14.1  java-archive
```

NOTE: both grype and syft support scanning a filesystem location as well. To do so, simply replace `[myimage:tag]` in the examples above with `dir:[/path/to/your/filesystem/location]`.
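As an added illustration (not this page's own code, nor code from any of the tools listed) of the check behind the filesystem-scanning mode mentioned above: walk a directory, read the log4j-core version from each jar's Maven `pom.properties`, and flag 2.x versions below the 2.15.0 fix that the scanners report. The sample jars and their contents are constructed in a temporary directory and are an assumption, not real artifacts.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)  # the fixed version the scanners above report for CVE-2021-44228
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0): only the leading digits of each segment count."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def log4j_core_version(jar_path):
    """Version recorded in the jar's Maven pom.properties (the metadata an SBOM tool reads), or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    return value.strip()
    except (zipfile.BadZipFile, KeyError):  # not a zip, or no log4j-core pom.properties inside
        pass
    return None

def scan_dir(root):
    """Walk a filesystem location (like grype's dir: source); vulnerable = 2.x below 2.15.0."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith((".jar", ".war", ".ear")):
                version = log4j_core_version(os.path.join(dirpath, name))
                if version is not None:
                    v = parse_version(version)
                    findings[name] = (version, v[:1] == (2,) and v < FIXED_VERSION)
    return findings

def demo():
    """Constructed sample jars (pom.properties only, no classes) in a temp dir, then scan it."""
    root = tempfile.mkdtemp()
    for name, version in [("app-lib.jar", "2.14.1"), ("patched.jar", "2.15.0")]:
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return scan_dir(root)
```

Unlike the scanners above, this only inspects top-level archives: it does not descend into jars nested inside a war or fat jar, and a shaded or relocated copy of log4j-core that lacks its `pom.properties` would be missed.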