Created
January 7, 2022 19:57
Nerfed JndiLookup
package org.apache.logging.log4j.core.lookup; | |
import org.apache.logging.log4j.core.LogEvent; | |
import org.apache.logging.log4j.core.config.plugins.Plugin; | |
/**
 * Inert stand-in for the {@code jndi} lookup plugin.
 *
 * <p>It keeps the same package, class name and {@code @Plugin} registration as the
 * class it replaces, but performs no lookup at all: every request yields
 * {@code null}.
 *
 * <p>NOTE(review): only this one class is neutralised. Any other JNDI-capable code
 * in the same JAR is untouched, so this is a stop-gap mitigation rather than a
 * substitute for upgrading log4j-core.
 */
@Plugin(name = "jndi", category = StrLookup.CATEGORY)
public class JndiLookup extends AbstractLookup {

    /**
     * Resolves nothing, regardless of input.
     *
     * @param event the log event being formatted; ignored
     * @param key the lookup key taken from the pattern or message; ignored
     * @return always {@code null}
     */
    @Override
    public String lookup(final LogEvent event, final String key) {
        // Deliberately no naming-context access here: the key is never parsed,
        // resolved or logged.
        // NOTE(review): presumably the caller treats null as "no value found";
        // confirm against the log4j-core version being patched.
        return null;
    }
}
#!/bin/bash
# Strict mode, written with long option names:
#   errexit  - abort on the first failing command
#   nounset  - treat use of an unset variable as an error
#   noglob   - no pathname expansion, so JAR arguments are taken literally
#   pipefail - a pipeline fails if any stage fails
set -o errexit -o nounset -o noglob -o pipefail
# Print the help text on stderr and terminate with exit status 1.
# The here-document delimiter is unquoted on purpose so that $0 expands to
# the name this script was invoked as.
usage() {
    cat >&2 << EOT
usage: $0 JAR [JAR...]
Mitigates Log4Shell (CVE-2021-44228 / CVE-2021-45046) by taking a set of
log4j-core JARs and replacing JndiLookup within each with a nerfed version that
does nothing.
EOT
    exit 1
}
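# At least one JAR path is required.
if [ "$#" -lt 1 ]; then
    usage
fi

# Directory holding this script; JndiLookup.java is expected to sit next to it.
# Resolved in a subshell so the caller's working directory is untouched and
# nothing is printed (pushd/popd echo the directory stack to stdout).
PATCH_DIR="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd)"

JNDI_PATH='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# Private scratch directory for compiler output. A fixed "$PATCH_DIR/target"
# would be wiped with rm -rf even if it belonged to something else (for example
# an existing build output directory) and would collide between concurrent runs.
BUILD_DIR="$(mktemp -d "${TMPDIR:-/tmp}/nerf-jndilookup.XXXXXX")"
trap 'rm -rf "$BUILD_DIR"' EXIT

# Operational caveats for whoever runs this:
#   * Only the JAR files named on the command line are modified. Copies of
#     log4j-core nested inside other archives (WAR/EAR/fat JARs) or relocated
#     by shading are not reached and must be handled separately.
#   * A JVM that already loaded the original class keeps it in memory until it
#     is restarted.
#   * Rewriting a signed JAR invalidates its signature.
#   * This is a mitigation for the JndiLookup class only; upgrading log4j-core
#     to a fixed release remains the complete remedy.
for JAR in "$@"
do
    # First remove the vulnerable JndiLookup class from our JAR. This runs
    # before compilation on purpose: if a later step fails, errexit stops the
    # script with the vulnerable class already gone rather than still present.
    zip -d "$JAR" "$JNDI_PATH"

    # Now compile a nerfed JndiLookup class against this exact JAR, starting
    # from an empty output directory so nothing from a previous JAR leaks in.
    # NOTE(review): javac emits class files for its own default Java release.
    # If the application runs on an older JVM than this JDK, build with a JDK
    # (or compiler options) matching that runtime so the class can be loaded.
    CLASSES_DIR="$BUILD_DIR/classes"
    rm -rf "$CLASSES_DIR"
    mkdir -p "$CLASSES_DIR"
    javac -cp "$JAR" -d "$CLASSES_DIR" "$PATCH_DIR/JndiLookup.java"

    # Add nerfed JndiLookup class to our JAR
    jar uf "$JAR" -C "$CLASSES_DIR" "$JNDI_PATH"

    echo "Patched '$JAR'"
done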