A severe vulnerability in the popular log4j package was discovered recently: https://nvd.nist.gov/vuln/detail/CVE-2021-44228. In a complex system, where there could be multiple legacy Java applications with diverse build systems, it is not trivial to determine whether you are actually using log4j.

Here is a simple one-line command that will determine if any of the currently running JVMs have loaded the log4j classes:

jps | grep -v " Jps$" |  cut -f1 -d " " | xargs -I '{}' jcmd '{}' VM.class_hierarchy | grep logging.log4j 

This is a good way to quickly check whether any currently running applications need to be investigated further for potential log4j issues.

How it works

  1. The jps command shows the PIDs of all JVM processes
  2. grep -v " Jps$" excludes the match to the jps process itself (-v is for invert)
  3. cut -f1 -d " " selects the PID (i.e., first) column
  4. jcmd '{}' VM.class_hierarchy prints the hierarchy of all classes loaded in a JVM
  5. xargs calls the jcmd command on each line of the output of cut
  6. grep logging.log4j keeps only the lines of that output that name log4j classes
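
The one-liner prints the matching class lines but not which JVM they came from. The script below is an added example, not part of the original post, that runs the same jps and jcmd steps per PID and prints one line for each JVM with log4j classes loaded. The function names (running_jvms, log4j_class_count, scan_jvms) and the SAMPLE_HIERARCHY text are made up for this illustration.

```shell
#!/bin/sh
# Added example: per-JVM version of the one-liner, so each hit is tied to a PID.

# Constructed sample of VM.class_hierarchy output (not captured from a real JVM).
SAMPLE_HIERARCHY='java.lang.Object/null
|--java.lang.String/null
|--org.apache.logging.log4j.core.Logger/0x0000000800c10000
|--org.apache.logging.log4j.LogManager/0x0000000800c10000'

# Read `jps` output on stdin and drop the line for the jps process itself.
running_jvms() {
    grep -v ' Jps$' || true
}

# Read VM.class_hierarchy output on stdin and print how many lines name a
# log4j class. `|| true` keeps the exit status 0 when nothing matches.
log4j_class_count() {
    grep -c 'logging\.log4j' || true
}

# Print one line per JVM that has log4j classes loaded: PID, name, count.
scan_jvms() {
    jps | running_jvms | while read -r pid name; do
        # A JVM may exit, or refuse the attach, between jps and jcmd;
        # in that case jcmd prints nothing useful and the count is 0.
        count=$(jcmd "$pid" VM.class_hierarchy 2>/dev/null | log4j_class_count)
        if [ "$count" -gt 0 ]; then
            echo "$pid ${name:-unknown} log4j_classes=$count"
        fi
    done
}

# Scan live JVMs only when the JDK tools are on PATH.
if command -v jps >/dev/null 2>&1 && command -v jcmd >/dev/null 2>&1; then
    scan_jvms
fi
```

Like the one-liner, this only reports classes a JVM has already loaded, and jps and jcmd only see JVMs the invoking user is allowed to attach to, so run it as the account that owns the Java processes.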