I have read here that the log4j library can be "nested" within other files that are deployed with an application.
I can find files with 'log4j' in the filename but don't know how to find log4j in these "nested jars". Is there a way to do this from the command line?
This question has moved to SuperUser here.
Run the following command search for log4j jar files in an application:
dir /s /b <application_root>\*log4j*.jar
If any files are displayed, check the version number that is part of the file name. For example Tomcat\webapps\ROOT\WEB-INF\lib\log4j-core-2.15.0.jar is version 2.15.
If the version is between 2 and 2.14 (2.15 is not vulnerable), the application is vulnerable to CVE-2021-44228 and one of the following mitigations must be applied.