How To Check Log4j Version In Linux : Checking Library Jar File Contents

by

Knowing how to check log4j version in linux is essential for security audits and application compatibility. This guide walks you through multiple reliable methods to find the Log4j version on any Linux system.

Log4j is a popular Java logging library, but the Log4Shell vulnerability (CVE-2021-44228) made version checking critical. Whether you’re a sysadmin or developer, you’ll learn to identify Log4j versions quickly.

Why Checking Log4j Version Matters

Log4j versions 2.0 to 2.14.1 are vulnerable to remote code execution. Knowing your version helps you patch or upgrade immediately. Many organizations now require version verification as part of their security compliance.

Linux systems often run Log4j inside applications, containers, or as a dependency. You might not even know it’s installed until you check.

Prerequisites For Checking Log4j Version

Before you start, ensure you have:

  • Access to a terminal with sudo or root privileges
  • Java installed (for some methods)
  • Basic familiarity with Linux commands
  • Write permissions in directories you’ll search

Most methods work on any Linux distribution including Ubuntu, CentOS, Debian, and Fedora.

How To Check Log4j Version In Linux

This is the most comprehensive method. You’ll search for Log4j JAR files and inspect their contents. Here’s the step-by-step process:

Method 1: Search For Log4j JAR Files

Start by locating all Log4j JAR files on your system. Use the find command:

  1. Open a terminal
  2. Run: sudo find / -name "*log4j*.jar" 2>/dev/null
  3. Note the file paths returned

This command searches the entire filesystem. The 2>/dev/null part hides permission errors.

You’ll see files like log4j-core-2.17.0.jar or log4j-1.2.17.jar. The version is often in the filename itself.

Method 2: Inspect JAR Manifest Files

JAR files contain a manifest with version information. Extract it using:

  1. Navigate to the directory containing the JAR
  2. Run: jar -xf log4j-core-*.jar META-INF/MANIFEST.MF
  3. View the manifest: cat META-INF/MANIFEST.MF

Look for lines like Implementation-Version: 2.17.0 or Bundle-Version: 1.2.17.

If you don’t have the jar command, install it with sudo apt install zip (Debian/Ubuntu) or sudo yum install unzip (CentOS/RHEL).

Method 3: Use Java Command Line

Java can read version info directly from the JAR. Run:

java -cp log4j-core-*.jar org.apache.log4j.helpers.Loader

This prints the version to the console. If you get a class not found error, the JAR might be Log4j 2.x. Try:

java -cp log4j-api-*.jar org.apache.logging.log4j.util.PropertiesUtil

Both commands work without extracting the JAR file.

Method 4: Check Application Dependencies

If Log4j is bundled inside a WAR or EAR file, check those archives:

  1. Extract the WAR: jar -xf application.war
  2. Search inside: find WEB-INF/lib -name "*log4j*.jar"
  3. Inspect each JAR using methods above

Many Java applications package their own Log4j version. Don’t assume the system-wide version is the one being used.

Method 5: Check Package Manager

Some Linux distributions install Log4j via package managers. Check with:

  • Debian/Ubuntu: dpkg -l | grep log4j
  • CentOS/RHEL: rpm -qa | grep log4j
  • Fedora: dnf list installed | grep log4j

Package managers show the exact version number. For example, liblog4j2-java 2.17.0-1.

This method only finds Log4j installed through the package manager. Manual installations won’t appear.

Method 6: Check Docker Containers

If you use Docker, check inside containers:

  1. List running containers: docker ps
  2. Exec into a container: docker exec -it container_name bash
  3. Run the find command inside: find / -name "*log4j*.jar" 2>/dev/null

You can also check the container image layers. Use docker history image_name to see if Log4j was added.

Method 7: Check Java Classpath

Running Java applications may have Log4j in their classpath. Find the process ID and inspect:

  1. Find Java processes: ps aux | grep java
  2. Get the PID (second column)
  3. List open files: lsof -p PID | grep log4j

This shows exactly which Log4j JARs are loaded by each Java process.

Automating Log4j Version Checks

For large environments, manual checking is impractical. Create a script:

#!/bin/bash
# log4j-checker.sh
find / -name "*log4j*.jar" 2>/dev/null | while read jar; do
    echo "Found: $jar"
    unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null | grep -i version
done

Save this as a script and run with sudo bash log4j-checker.sh. It outputs every Log4j JAR and its version.

You can extend this to check inside WAR files, Docker images, and more.

Interpreting Log4j Version Numbers

Log4j versions follow a specific format. Here’s what to look for:

  • 1.x versions: 1.2.17, 1.2.16, etc. (older, also vulnerable)
  • 2.x versions: 2.0 to 2.14.1 (vulnerable to Log4Shell)
  • 2.15.0 and above: patched versions
  • 2.17.0 and above: fully patched with all fixes

If you find version 2.0 to 2.14.1, upgrade immediately. Version 1.x also has known vulnerabilities.

Some applications may use Log4j 2.x with a different package name. Always check the actual version number.

Common Pitfalls When Checking Log4j Version

Users often make these mistakes:

  • Only checking system-wide installations, missing application-bundled versions
  • Confusing Log4j 1.x with Log4j 2.x (they have different package structures)
  • Not checking inside containers or virtual machines
  • Assuming the filename version is accurate (it can be misleading)
  • Forgetting to check transitive dependencies (Log4j pulled in by other libraries)

Always verify the version from the manifest or Java command, not just the filename.

Checking Log4j Version In Different Linux Distributions

Ubuntu And Debian

Use apt list --installed | grep log4j or check /usr/share/java directory. Many Ubuntu systems store Log4j JARs in /usr/share/java.

CentOS And RHEL

Run rpm -qa | grep log4j and check /usr/lib/java or /usr/share/java. Enterprise distributions often have Log4j in standard locations.

Fedora

Similar to CentOS, use dnf list installed | grep log4j. Fedora may have Log4j in /usr/lib/java.

Alpine Linux

Check with apk info | grep log4j. Alpine uses different package names like log4j2.

Using Third-Party Tools For Log4j Detection

Several tools automate Log4j version checking:

  • Log4j Scanner by Cisco: scans entire filesystems
  • Qualys Log4j Scanner: comprehensive detection
  • Nessus plugins: for vulnerability scanning
  • Custom scripts using grep and find

These tools are useful for large-scale audits. However, manual verification is still recommended for critical systems.

What To Do After Finding The Version

Once you know the version, take action:

  1. If vulnerable (2.0-2.14.1 or 1.x), upgrade to 2.17.0 or later
  2. If patched, verify no other copies exist
  3. Remove old JAR files to prevent accidental use
  4. Update application dependencies
  5. Document all Log4j versions found

Upgrading Log4j is straightforward. Download the latest version from Apache and replace the JAR files. Restart the application afterward.

Frequently Asked Questions

How can I check log4j version in linux without Java installed?

You can check the JAR filename or extract the manifest using unzip. The command unzip -p log4j.jar META-INF/MANIFEST.MF | grep -i version works without Java.

What if I find multiple log4j versions on my system?

This is common. Each application may bundle its own version. You need to upgrade all vulnerable versions individually. Focus on versions below 2.17.0.

How do I check log4j version in a running Java application?

Use lsof -p PID | grep log4j to see which JARs are loaded. Then inspect those JARs using the methods above. The application must be restarted after upgrading.

Can I check log4j version using a single command?

Yes, run: find / -name "*log4j*.jar" -exec unzip -p {} META-INF/MANIFEST.MF \; 2>/dev/null | grep -A1 "Implementation-Version". This searches all JARs and prints versions.

Is it safe to delete old log4j JAR files?

Only if you’re sure no application needs them. Always backup before deleting. It’s safer to replace with patched versions than to delete entirely.

Conclusion

Checking Log4j version on Linux is straightforward once you know the methods. Start with the find command to locate JAR files, then inspect manifests or use Java commands. Automate the process for large environments.

Remember to check inside containers, application archives, and all running processes. Log4j can hide anywhere. Regular version checks should be part of your security routine.

By following this guide, you can confidently answer “how to check log4j version in linux” and keep your systems secure. The methods here work across all Linux distributions and setups.

Stay proactive about Log4j vulnerabilities. Check your systems today and upgrade any outdated versions. Your applications and data depend on it.