Nerfed JndiLookup
package org.apache.logging.log4j.core.lookup;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;
/**
 * Drop-in replacement for Log4j's {@code JndiLookup} that performs no JNDI
 * access at all.
 *
 * <p>It keeps the original package, class name and {@code "jndi"} plugin name,
 * so a patched log4j-core JAR still has a class to load for the {@code jndi}
 * lookup prefix. Every key resolves to {@code null}, and no naming context is
 * ever contacted.
 */
@Plugin(name = "jndi", category = StrLookup.CATEGORY)
public class JndiLookup extends AbstractLookup {

    /**
     * Always reports "no value" for the requested key.
     *
     * @param event the log event being formatted (ignored)
     * @param key   the text after the {@code jndi:} prefix (ignored, never dereferenced)
     * @return always {@code null}
     */
    @Override
    public String lookup(final LogEvent event, final String key) {
        // Deliberately inert: attacker-influenced keys must never reach JNDI.
        return null;
    }
}
#!/bin/bash
# Strict mode, spelled out with long option names:
#   errexit  - stop at the first failing command, so a JAR is never reported
#              as patched after a failed step
#   nounset  - treat unset variables as errors
#   noglob   - no pathname expansion; JAR names and the class path are literal
#   pipefail - a pipeline fails if any stage fails
set -o errexit -o nounset -o noglob -o pipefail
#######################################
# Print the help text and terminate the script.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stderr (stdout stays empty)
# Returns:   does not return; exits with status 1
#######################################
usage() {
  # Unquoted delimiter on purpose: $0 is expanded to the invoked script name.
  cat <<EOT >&2
usage: $0 JAR [JAR...]
Mitigates Log4Shell (CVE-2021-44228 / CVE-2021-45046) by taking a set of
log4j-core JARs and replacing JndiLookup within each with a nerfed version that
does nothing.
EOT
  exit 1
}
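# At least one JAR is required; usage() prints the help text and exits 1.
if [ "$#" -lt 1 ]; then
  usage
fi

# Absolute path of the directory holding this script; JndiLookup.java is read
# from there. Resolved in a subshell so the caller's working directory is left
# alone, and with CDPATH cleared so `cd` cannot be redirected or print a path.
PATCH_DIR="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd)"

# Location of the class inside a log4j-core JAR. Only this exact top-level
# entry is replaced: copies inside nested archives (e.g. a JAR bundled in a
# WAR or fat JAR) or under a relocated/shaded package name are NOT touched and
# have to be handled separately.
JNDI_PATH='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# Compile into a private mktemp directory instead of a fixed
# "$PATCH_DIR/target": concurrent runs cannot clobber each other's output, the
# script directory does not need to be writable, and the EXIT trap removes the
# scratch space even when a step fails under `set -e`.
BUILD_ROOT="$(mktemp -d "${TMPDIR:-/tmp}/nerf-jndi.XXXXXX")"
trap 'rm -rf -- "${BUILD_ROOT:?}"' EXIT

for JAR in "$@"
do
  # A name starting with '-' would be parsed as an option by zip/javac/jar.
  case "$JAR" in
    -*) JAR="./$JAR" ;;
  esac

  # First remove the vulnerable JndiLookup class from the JAR. Doing this
  # before compiling means a later javac/jar failure still leaves the archive
  # without the original class. If the entry is absent, zip fails and `set -e`
  # stops the script here.
  # NOTE: the JAR is rewritten in place with no backup, and changing entries of
  # a signed JAR invalidates its signature.
  zip -d "$JAR" "$JNDI_PATH"

  # Now compile the nerfed JndiLookup against the rest of this JAR.
  BUILD_DIR="$BUILD_ROOT/target"
  rm -rf -- "$BUILD_DIR"
  mkdir -p -- "$BUILD_DIR"   # older javac releases do not create the -d directory
  javac -cp "$JAR" -d "$BUILD_DIR" "$PATCH_DIR/JndiLookup.java"

  # Add the nerfed JndiLookup class back at the original path.
  jar uf "$JAR" -C "$BUILD_DIR" "$JNDI_PATH"
  rm -rf -- "$BUILD_DIR"

  # Reached only if every step above succeeded (errexit). This mitigates the
  # JNDI lookup path only; upgrading log4j-core remains the durable fix.
  echo "Patched '$JAR'"
done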