Checkmk not affected by Log4shell

Dear Checkmk users,

we surely don’t need to tell you what Log4shell is. Some of you will even have spent your weekend with it.

Just a short update from us on the subject:

  • Checkmk itself is not affected by the vulnerability.
  • The Checkmk appliance is not affected by the vulnerability.

We wish you all the best in these busy days.


What? No Java inside checkmk? How can it be Enterprise ready then? :crazy_face:


You can use this with a little wrapper as a local check for linux and windoof:

logpresso/CVE-2021-44228-Scanner: Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228 (


Hi Doc,
Do you have a little wrapper for Linux and windows to hand to put in as a check?
I’ve been looking into the article the checkMK have put out but I’m having trouble applying the check to my RAW edition of check_mk.
Automatically detecting log4j vulnerabilities in your IT | Checkmk
Any help would be amazing.

Only for Linux hosts yet.


# Christian Wirtz, 2021-12-13

# Wrapper around:
# for checkmk usage


RESULT=`/usr/lib/check_mk_agent/bin/log4j2-scan $DESTPATH`
COUNT=`echo "$RESULT" | grep "vulnerable files" | awk '{ print $2}'`
SHORT=`echo "$RESULT" | grep "vulnerable files"`
LONG=`echo "$RESULT" | awk 1 ORS='\\\\n'`

echo "P CVE-2021-44228_log4j count=$COUNT;1;1 $SHORT\n$LONG"

We used the binary from Logpresso.

Structure under /usr/lib/check_mk_agent/

|-- bin
|   `-- log4j2-scan
`-- local
    `-- 86400


this does not work in checkmk raw edition 2.0.0.p17 as the output is expected in a different format:

State Service Status detail
UNKN 0 Invalid plugin status ‘Found’. Invalid performance data: ‘potentially’. Output is: vulnerable files
UNKN Found Invalid plugin status ‘0;1;1’. Invalid performance data: ‘2’. Output is: vulnerable files


If I remove the output of “\n$LONG” the local check is recognized but the check has the state “OK” although there were 2 files found:
OK CVE-2021-44228_log4j count: 2.00

UPDATE 2: If I only use the $LONG Output as suggested here Found file log4j? - #17 by Raf I get the following output:

UNKN Logpresso Invalid plugin status ‘0;1;1’. Invalid performance data: ‘CVE-2021-44228’. Output is: Vulnerability Scanner 1.5.0 (2021-12-15)

Does the nagios-core aof CRE handle outputs differently than the ckeck_mk-microcore?

Kind regards

The scanner is available for

I expect the wrapper script does work on all platforms?

We used V 1.2.5 - they possibly changed the output format.

Problem is in two places not only one, first is " | awk ‘{ print $2}’ " spits out two rows , and the second problem is that " $SHORT\n$LONG" spits out two rows as well so i only use long one. This work in the way that : will give value “10” if there is 1 vulnerable files and “01” if there is 1 potentially vulnerable files and obviously if “11” then 1 vulnerable files and 1 potentially vulnerable files, not perfect but it does the trick:
Solution in first problem:
COUNT=echo "$RESULT" | grep "vulnerable files" | awk '{printf "%s", $2}'
Solution on second problem:
echo “P CVE-2021-44228_log4j count=”$COUNT";1;1 $LONG"

moved to


the discussion to the mentioned local checks can be found here:

1 Like

This works now. Thank you!

It looks like the output does have to be more like Nagios plugin output Development Guidelines · Nagios Plugins (the pipe ‘|’)

Kind regards.

Hi, maybe it would be best if you comment here

as the discussion about this plugin has moved there.

1 Like

Hallo Lami,

beinhaltet das auch alle anderen Komponenten der Appliance, z.B. apache

Gruß Woodman

1 Like

Hallo @woodman ,

Apache selbst nutzt kein log4j, auch Apache Tomcat in der Standardauslieferung nicht. Das Einzige was betroffen sein kann, sind Produkte, die du selbst in das checkmk Umfeld bringst.


Hey Tosch,

danke für die Auskunft.