Getting on top of the recently announced CVE-2021-44228 vulnerability (a.k.a. Log4Shell) is job #1 across the software industry right now. For containerized applications, scanning your images is a great way to find the vulnerability in your app. Regardless of which tool you use, we want to help you find and remediate this issue as fast as possible. The following examples show how several image scanning tools can be used to detect whether your image is vulnerable.
This list is put together by a collection of us who support and maintain these tools. If you would like to add additional tools to this list, you are free to do so as a logged-in HackMD user. All we ask is to maintain neutrality in your comments as we work together to help the OSS community grapple with this challenge.
Thank You.
Contributor: Rory McCune, Cloud Native Security Advocate at Aqua Security
Container Image Scan
trivy image [myimage:tag] | grep -B 1 -A 4 log4j-core
(The grep drops trivy's header row; the columns are Library, Vulnerability ID, Severity, Installed Version, Fixed Version, Title.)
+-------------------------------------+----------------+----------+--------+--------+---------------------------------------+
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228 |          | 2.11.1 | 2.15.0 | log4j-core: Remote code execution     |
|                                     |                |          |        |        | in Log4j 2.x when logs contain        |
|                                     |                |          |        |        | an attacker-controlled...             |
|                                     |                |          |        |        | -->avd.aquasec.com/nvd/cve-2021-44228 |
+-------------------------------------+                +          +        +        +                                       +
| org.apache.logging.log4j:log4j-core |                |          |        |        |                                       |
+-------------------------------------+----------------+----------+--------+--------+---------------------------------------+
Contributor: Eric Smalling, Senior Developer Advocate at Snyk
Container Image Scan
snyk container test --severity-threshold=critical --app-vulns [myimage:tag] | grep -C 2 log4j
docker scan [myimage:tag] | grep -C 2 log4j
Upgrade org.apache.logging.log4j:log4j-core@2.11.1 to org.apache.logging.log4j:log4j-core@2.15.0 to fix
✗ Arbitrary Code Execution (new) [Critical Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720] in org.apache.logging.log4j:log4j-core@2.11.1
introduced by org.apache.logging.log4j:log4j-core@2.11.1
Contributor: Daniel Nurmi, CTO at Anchore
Container Image Scan
grype [myimage:tag] | grep GHSA-jfh8-c2jp-5v3q
log4j-api 2.14.1 2.15.0 GHSA-jfh8-c2jp-5v3q Critical
log4j-api 2.13.3 2.15.0 GHSA-jfh8-c2jp-5v3q Critical
log4j-core 2.14.1 2.15.0 GHSA-jfh8-c2jp-5v3q Critical
log4j-core 2.13.3 2.15.0 GHSA-jfh8-c2jp-5v3q Critical
Container Image SBOM Generate
syft [myimage:tag] | grep -i log4j
log4j-api 2.13.3 java-archive
log4j-api 2.14.1 java-archive
log4j-core 2.13.3 java-archive
log4j-core 2.14.1 java-archive
NOTE: both grype and syft support scanning a filesystem location as well. To do so, simply replace [myimage:tag] in the examples above with dir:[/path/to/your/filesystem/location].
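The scanner output above still has to be read by a person. As an added example (not part of the original page or of any of the tools' own code), this POSIX shell function reads syft-style "name version type" lines, flags any log4j-core below the 2.15.0 fix version the scanners report, and returns non-zero so a CI job can fail on it. The sample SBOM lines are constructed; `sort -V` is assumed to be available (GNU/BSD coreutils).

```shell
#!/bin/sh
# Constructed sample of `syft [myimage:tag] | grep -i log4j` output (not a real scan).
SAMPLE_SBOM='log4j-api 2.13.3 java-archive
log4j-api 2.14.1 java-archive
log4j-core 2.13.3 java-archive
log4j-core 2.14.1 java-archive
log4j-core 2.15.0 java-archive'

# Fix version reported by the scanners on this page for CVE-2021-44228.
FIXED_VERSION=2.15.0

# version_lt A B: succeeds when version A sorts strictly before version B.
# Relies on `sort -V` (natural version ordering), assumed to be present.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# flag_vulnerable_log4j: reads "name version type" lines on stdin, prints each
# log4j-core entry older than FIXED_VERSION, and returns 1 if any were found
# (0 otherwise). log4j-api lines are ignored: the vulnerable code is in log4j-core.
flag_vulnerable_log4j() {
  found=0
  while read -r name version _; do
    [ "$name" = "log4j-core" ] || continue
    if version_lt "$version" "$FIXED_VERSION"; then
      echo "VULNERABLE: log4j-core $version (< $FIXED_VERSION, CVE-2021-44228)"
      found=1
    fi
  done
  return "$found"
}

# Usage against a real image: syft [myimage:tag] | flag_vulnerable_log4j
# Demo on the constructed sample (prints the two 2.13.3 / 2.14.1 hits):
printf '%s\n' "$SAMPLE_SBOM" | flag_vulnerable_log4j
```

Because the check keys on the artifact name, a vulnerable log4j-core shaded into another jar will not appear here; for that case rely on the scanners above, which inspect jar contents.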