CAST: CrowdStrike Archive Scan Tool
This tool is a quick scanner to walk filesystems looking for vulnerable versions of log4j. Please see our blog post here for more detailed discussion.
Currently, it scans a given set of directories for JAR, WAR, ZIP, or EAR files, then scans for files therein matching a known set of checksums.
See the releases page for a list of downloads
As free, as-is tool this software is not officially supported by CrowdStrike. As such we ask that you please refrain from sending inquiries to the CrowdStrike support team. The project maintainers will be working with active community contributors to address bugs and supply new features. If you have identified a bug please submit an issue through GitHub.
Please see the deploy directory for scripts and guidance.
This tool currently has two verbs: "version" and "scan"
# ./cast version version: 0.5.1, commit: d8d184fc49315e19f0d37015ed95ae500b2cca1d, date: 2021-12-22T19:41:22Z, builtBy: unknown
# ./cast scan -h Usage of ./cast: -maxmem uint maximum sub-archive size to recurse (default 104857600) -recursion uint maximum in-memory in-archive recursion (0 disables) (default 3) -xdev do not cross device boundaries (POSIX-only)
The options should be fairly self-explanatory, but some clarification:
- maxmem is specified in bytes only, no human sizes for now
- a recursion of 0 will disable sub-archive scanning, but will still check inside of any first-tier ZIP archive it encounters.
- xdev is only working on POSIX platforms today
An example of running against both a ZIP file and a set of directories
./cast scan -maxmem 1000000 -recursion 1 ~/tmp/zzz.zip /tmp ./
Note that you can specify individual files AND/OR directories to recurse. This enables leveraging preindexed filesystems, e.g.:
locate -0 *.jar | xargs -0 ./cast scan