This tool is a quick scanner to walk filesystems looking for vulnerable versions of log4j. Please see our blog post here for more detailed discussion.
Currently, it scans a given set of directories for JAR, WAR, ZIP, or EAR files, then scans for files therein matching a known set of checksums.
See the releases page for a list of downloads
As free, as-is tool this software is not officially supported by CrowdStrike. As such we ask that you please refrain from sending inquiries to the CrowdStrike support team. The project maintainers will be working with active community contributors to address bugs and supply new features. If you have identified a bug please submit an issue through GitHub.
Please see the deploy directory for scripts and guidance.
This tool currently has two verbs: "version" and "scan"
# ./cast version
version: 0.5.1, commit: d8d184fc49315e19f0d37015ed95ae500b2cca1d, date: 2021-12-22T19:41:22Z, builtBy: unknown# ./cast scan -h
Usage of ./cast:
-maxmem uint
maximum sub-archive size to recurse (default 104857600)
-recursion uint
maximum in-memory in-archive recursion (0 disables) (default 3)
-xdev
do not cross device boundaries (POSIX-only)The options should be fairly self-explanatory, but some clarification:
An example of running against both a ZIP file and a set of directories
./cast scan -maxmem 1000000 -recursion 1 ~/tmp/zzz.zip /tmp ./Note that you can specify individual files AND/OR directories to recurse. This enables leveraging preindexed filesystems, e.g.:
locate -0 *.jar | xargs -0 ./cast scan{"container":"~/tmp/zzz.zip","member":{"path":"/log4j-core-2.13.3.jar/org/apache/logging/log4j/core/net/JndiManager.class","size":4885,"modified":"2020-05-10T12:08:46Z"},"sha256":"c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078"}
{"container":"~/tmp/zzz.zip","member":{"path":"/log4j-core-2.13.3.jar/org/apache/logging/log4j/core/util/NetUtils.class","size":4315,"modified":"2020-05-10T12:08:44Z"},"sha256":"f96e82093706592b7c9009c1472f588fc2222835ea808ee2fa3e47185a4eba70"}