Link to home
Start Free TrialLog in
Avatar of Hashim Nangarhari
Hashim NangarhariFlag for Saudi Arabia

asked on

log4j vulnerability in solaris

the following command detect log4j vulnerability in Linux systems:

sudo grep -r --include "*.jar" JndiLookup.class /

but it is not working for Solaris systems .

is there any alternatives for Solaris ?

Avatar of rindi
Flag of Switzerland image

What happens when you try that command, what messages do you get? Could it be possible that the command "sudo" can't be found?

I'm not familiar with Solaris, but while some Linux Distro's use sudo by default to perform commands that should only be done by root, others haven't even installed sudo or set it up... In those cases you have to login as root & then enter your command without sudo, or install sudo from your repository then set it up...
Avatar of Hashim Nangarhari


thank you for your comment .
my concern is how to detect the existence of log4j in solaris
I do not care for the command
Avatar of noci

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of btan

Better to use java.exe to run the detector jar file to scan for the jars files. Here are two tools


java -jar log4j-detector-2021.12.16.jar 

Usage: java -jar log4j-detector-2021.12.16.jar [--verbose] [paths to scan...]

Open in new window
On UNIX (AIX, Solaris, and so on)
java -jar logpresso-log4j2-scan-1.7.0.jar [--fix] target_path

Open in new window

it the java runtime is not installed then you are ok... java can't run without the JDK/JRE
would you explain :
find / -name '*log4*.jar'   -exec bash -c "unzip -l '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class | grep JndiLookup"  \;

is it safe ? 
find a program to create a list of files... (or run commands on files).
/ is search starting place (root filesystem)
-name the match for the files
-exec run a program...
bash -c    "................"    run a shell command
unzip -l '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class    - check if a file is present in the archive (.jar are zip archives).
grep Jndi...     filters the unzip output  to only show line having Jndi... on it.

Is it safe... yes.

BTW: new insights are you CANNOT rely on the name of the problematic .jar being log4j.....
several products just added the log4j as a jar in a jar, or renamed the outer .jar  or even build a complete new kit with the files from a broken log4j included in their own product jar.   (Commvault has a archive module that does this).   To add insult to the injure..., you .jar file might be called .war, .ear, .eer .. depending on the deployment platform you use for web applications.
(this is quickly becoming a HUGE MESS...).