log4shell — Frequently Asked Questions

No — it's purely defensive. It detects exploitation attempts and assesses versions; it does not generate or send payloads.

JNDI lookup payloads (${jndi:ldap://…} and obfuscated variants) consistent with CVE-2021-44228 exploitation, with the protocol and de-obfuscated form shown.

Log4j 2.17.1+ for Java 8+, which fixes CVE-2021-44228, 45046 and 45105.

No. It is detection-only: it parses text, safely de-obfuscates Log4j lookup syntax, and pattern-matches. It never resolves a JNDI lookup or contacts any host.

Yes — it resolves ${lower:}, ${upper:} and ${...:-default} lookup tricks to reveal hidden 'jndi' strings, so obfuscated and plain attempts both get flagged.

It means an attempt was logged, not that it succeeded. Success depends on whether a vulnerable Log4j version was running and outbound JNDI was possible. Check the version checker and investigate as an incident if exposed.

Scanning happens server-side to analyse the text, and nothing is stored. The tool does not act on the payloads it finds.

2.17.1 or later for Java 8+. It fixes CVE-2021-44228, 45046 and 45105. Backports are 2.12.4 (Java 7) and 2.3.2 (Java 6).

Not fully. 2.15 is still exploitable via CVE-2021-45046; 2.16 fixes that but has a DoS (CVE-2021-45105). Upgrade to 2.17.1+.

Not by CVE-2021-44228, but 1.x is end-of-life with its own unpatched CVEs. Move to 2.17.1+.