The biggest challenge with Log4j lies in detection within packaged software in production environments: Java archives (such as the Log4j JAR) can be nested several layers deep inside other files, which means that a shallow search for the file won’t find it.
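To make the nesting problem concrete, here is an added example (not Rezilion's scanner or any tool from the research above) that builds a constructed EAR-in-WAR-in-JAR sample in memory and compares a shallow, top-level filename scan with a recursive scan that descends into every nested archive. The marker class name, the archive suffixes and the sample file names are assumptions chosen for the illustration; the class bytes are fake placeholders.

```python
import io
import zipfile

# Assumed marker: the class whose presence indicates a bundled log4j-core 2.x JAR.
LOG4J_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed set of container formats worth descending into.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def build_nested_sample() -> bytes:
    """Constructed sample: an EAR containing a WAR that bundles a (fake) log4j-core JAR."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(LOG4J_MARKER, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not a real class
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")

    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.x.jar", jar_buf.getvalue())
        war.writestr("WEB-INF/web.xml", b"<web-app/>")

    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, "w") as ear:
        ear.writestr("app.war", war_buf.getvalue())
        ear.writestr("META-INF/application.xml", b"<application/>")
    return ear_buf.getvalue()


def shallow_scan(data: bytes) -> list[str]:
    """Inspect only the top-level entry names, as a naive filename-based scanner would."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if "log4j" in n.lower() or n == LOG4J_MARKER]


def recursive_scan(data: bytes, path: str = "<root>", max_depth: int = 10) -> list[str]:
    """Descend into every nested archive and report each location of the marker class.

    max_depth bounds recursion so a maliciously deep archive cannot exhaust the stack.
    Paths use the '!/' convention so each hit shows the full nesting chain.
    """
    hits: list[str] = []
    if max_depth < 0:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or corrupt): nothing to descend into
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name == LOG4J_MARKER:
                hits.append(f"{path}!/{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(recursive_scan(zf.read(info), f"{path}!/{name}", max_depth - 1))
    return hits


if __name__ == "__main__":
    sample = build_nested_sample()
    print("shallow:", shallow_scan(sample))
    print("recursive:", recursive_scan(sample))
```

The shallow scan sees only `app.war` and `META-INF/application.xml` and reports nothing, while the recursive scan walks `app.war` and the JAR under `WEB-INF/lib/` and reports the marker with its full nesting chain. A production scanner would also cap the decompressed size per entry and detect archives by magic bytes rather than by suffix alone.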
To estimate how big this Log4j blindspot is, Rezilion’s vulnerability research team conducted a survey where multiple open source and commercial scanning tools were assessed against a dataset of packaged Java files where Log4j was nested and packaged in various formats, all commonly used by developers and IT teams.
Download this new research data to learn:
Which scanners did better than others? Were any of the scanners able to detect all Log4j formats?
Side-by-side scanner comparison matrix based on Rezilion’s original research.
Considerations for Log4Shell within a production environment versus development, CI/CD and staging environments.