Tim Moores wrote: Something like
grep -lri log4j TOMCAT_DIR/webapps
might be a good start. There will be false positives (like commons logging, logback and slf4j, which Stephan mentioned), but it's a start to find log4j config files and libraries, and which other code and libraries use them.
If your Tomcat uses other (or more) directories for web apps, repeat as necessary.
Tim Holloway wrote: Each and every webapp, however, is responsible for its own logging. And each and every webapp can use any logger or loggers that it likes. So each and every webapp will have to be individually checked for that vulnerability.
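
An added example, not part of either post: a per-webapp inventory of bundled logging jars that separates log4j itself from the bridges and other loggers the grep also matches, and that looks inside packed .war files as well as exploded directories. It assumes Maven-style jar names under WEB-INF/lib; the function names, the sample tree and its version numbers are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Jar-name patterns (assumption: Maven-style names). Order matters: bridges and
# other loggers that merely have "log4j" in the name are matched first.
KINDS = [
    (re.compile(r"^(log4j-over-slf4j|log4j-1\.2-api|log4j-slf4j|slf4j-|logback-"
                r"|commons-logging)"), "other"),
    (re.compile(r"^log4j-core-"), "log4j2-core"),
    (re.compile(r"^log4j-api-"), "log4j2-api"),
    (re.compile(r"^log4j-\d"), "log4j1"),
]

def classify(jar_name):
    """Return the kind for a jar file name, or None if it is not a logging jar."""
    return next((kind for rx, kind in KINDS if rx.match(jar_name)), None)

def lib_jars(webapp):
    """Yield jar file names from WEB-INF/lib of an exploded dir or a .war."""
    if webapp.is_dir():
        yield from (p.name for p in (webapp / "WEB-INF" / "lib").glob("*.jar"))
    elif webapp.suffix == ".war" and zipfile.is_zipfile(webapp):
        with zipfile.ZipFile(webapp) as war:
            for entry in war.namelist():
                if entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
                    yield entry.rsplit("/", 1)[1]

def inventory(webapps_dir):
    """Map each webapp to the logging jars it bundles, as {jar: kind}."""
    return {w.name: {j: classify(j) for j in lib_jars(w) if classify(j)}
            for w in sorted(Path(webapps_dir).iterdir())}

def build_sample(root):
    """Constructed sample tree: one exploded webapp and one packed .war."""
    lib = Path(root) / "shop" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    for name in ("log4j-core-2.0.jar", "log4j-api-2.0.jar", "slf4j-api-1.7.0.jar"):
        (lib / name).touch()
    with zipfile.ZipFile(Path(root) / "reports.war", "w") as war:
        for name in ("logback-classic-1.2.0.jar", "log4j-over-slf4j-1.7.0.jar", "log4j-1.2.0.jar"):
            war.writestr("WEB-INF/lib/" + name, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(inventory(tmp))
```

Jars classified as "other" are the false positives mentioned above; jars renamed or shaded into another archive will not be caught by name matching and still need a manual check.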