I came here after learning my servers may be vulnerable to the new Log4j exploit (CVE-2021-44228). So I needed to know whether I had an outdated/vulnerable build of Log4j version 2 installed.
Previous answers here do not help with detecting old versions, because they are for letting already-running Java code figure out which version of Log4j that code uses, whereas I need to know if any Java app could be using a vulnerable version.
Here’s what I did instead:
sudo find / -name 'log4j*'
This lists all Log4j related files on my (Linux) server. That showed me a few 1.x versions, which are not vulnerable to this specific CVE, and one 2.15.0 file, which already contains the fix for the CVE.
If you run this and find file or folder names that have 2.x, where x < 15, then you are likely vulnerable, and need to figure out how to update your files ASAP.
Caution
I was warned that this is not enough of a test for my purpose because the Log4j files may be hidden inside a .jar file, which the find command would not discover.
Update
Here’s a public project that attempts to scan all .jar files, in order to find Log4j code inside archives as well: Log4-detector