Some ways to search for installed or used log4j libraries in your containers and file systems
Yesterday several security advisories arrived in my inbox, and people were worried about a 0-day vulnerability in Apache Log4j.
I read a lot during the last 24 hours and searched for log4j versions within HCL Connections. I have wanted to write about some of these commands for weeks, so I am using the current awareness to show you some fast options to scan all packages in container images, file systems and registries. For me, one of the hardest points was finding out whether the software is using log4j and which version.
This is a companion discussion topic for the original entry at https://stoeps.de/posts/2021/log4j_how_to_find_out/