Non intrusive log4j2 RCE vulnerability patch.

Log4j Patch
Resolves the RCE vulnerability caused by JNDI lookup in log4j 2.0~2.14.1. It is licensed under the WTFPL 2.0 license; you can do anything with it!

This is a non-intrusive patch that lets you block the vulnerability without modifying the program's code or upgrading the dependency, so you can use it to patch third-party programs, such as Minecraft.

The principle of the library is simple: it provides an empty JndiLookup class that shadows the implementation in log4j. Log4j2 can handle this situation and safely disables JNDI lookup.

It is compatible with all versions of log4j2 (2.0~2.15).

Usage

You can add it to the classpath yourself, or you can use a Java agent to inject it automatically.

Use Java Agent

First, download the agent jar: log4j-patch-agent-1.0.jar.

You only need to add -javaagent:log4j-patch-agent-1.0.jar to the JVM parameters, and the agent will do everything automatically.

Manual injection

Sometimes you may not want to use a Java agent, for example when you need to generate a native image. You can download the plain jar directly from the GitHub release: log4j-patch-1.0.jar.

All you need to do is add it to the front of the classpath, so that its JndiLookup is found before the one in log4j-core.

If you are using Java 8, it is best to put it into $JAVA_HOME/lib/ext, which protects every program started with that Java installation.

If you are using log4j2 as a Java module, use this JVM parameter instead of adding it to the classpath: --patch-module org.apache.logging.log4j.core=log4j-patch-1.0.jar.

Adding patch to your build

If you are using Maven/Gradle/SBT, adding it as the first dependency should solve the problem.

It is published on Maven Central. You can add a dependency on it in this way:

Maven:

<dependency>
    <groupId>org.glavo</groupId>
    <artifactId>log4j-patch</artifactId>
    <version>1.0</version>
</dependency>

Gradle:

dependencies {
    implementation 'org.glavo:log4j-patch:1.0'
}

Gradle Kotlin DSL:

dependencies {
    implementation("org.glavo:log4j-patch:1.0")
}

Check whether the replacement is successful

When JNDI lookup is disabled, log4j may print something like the following in the log:

2021-12-10 15:50:39,521 main WARN JNDI lookup class is not available because this JRE does not support JNDI. JNDI string lookups will not be available, continuing configuration. Ignoring java.lang.ClassCastException: class org.apache.logging.log4j.core.lookup.JndiLookup

In addition, if you use the agent, it sets the system property org.glavo.log4j.patch.agent.patched to true when the replacement succeeds. You can use the jinfo command-line tool to observe the system properties of a running JVM process.
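The two checks described above (the log line and the agent's system property) only confirm the patch when log4j happens to write that line or when the agent was used. As an added example that is not code from the log4j-patch project, the following Java program verifies the shadowing principle described in the overview directly: it asks the JVM which jar and class loader resolved JndiLookup, compares that with where the rest of log4j-core (StrLookup) came from, tries the no-argument constructor, and reads org.glavo.log4j.patch.agent.patched. The class name Log4jPatchCheck, the inspect method and the verdict names are invented for this example; the assumption is that a shadowing copy (front of the classpath, $JAVA_HOME/lib/ext, or --patch-module) reports a different code source or class loader than log4j-core's own classes.

```java
import java.security.CodeSource;
import java.util.Objects;

// Added example, not part of log4j-patch. Reports whether the JndiLookup class a JVM
// actually resolves is the genuine log4j-core one or a shadowing copy.
public final class Log4jPatchCheck {

    // Real log4j-core class names; the property name is the one documented above.
    static final String JNDI_LOOKUP = "org.apache.logging.log4j.core.lookup.JndiLookup";
    static final String STR_LOOKUP  = "org.apache.logging.log4j.core.lookup.StrLookup";
    static final String AGENT_PROP  = "org.glavo.log4j.patch.agent.patched";

    enum Verdict {
        NO_LOG4J_CORE,       // nothing to protect in this class loader
        SHADOWED_BY_PATCH,   // JndiLookup came from a different jar/loader than log4j-core
        CONSTRUCTOR_REJECTS, // same jar, but new JndiLookup() throws (a throwing stub, or a
                             // newer log4j that disables the lookup itself)
        REACHABLE            // the genuine, constructible JndiLookup is in use: unpatched
    }

    static final class Report {
        final Verdict verdict;
        final String jndiLookupOrigin;
        final String log4jCoreOrigin;
        final String agentProperty;

        Report(Verdict verdict, String jndiLookupOrigin, String log4jCoreOrigin, String agentProperty) {
            this.verdict = verdict;
            this.jndiLookupOrigin = jndiLookupOrigin;
            this.log4jCoreOrigin = log4jCoreOrigin;
            this.agentProperty = agentProperty;
        }

        @Override
        public String toString() {
            return "verdict           : " + verdict
                 + "\nJndiLookup from   : " + jndiLookupOrigin
                 + "\nlog4j-core from   : " + log4jCoreOrigin
                 + "\n" + AGENT_PROP + " = " + agentProperty;
        }
    }

    /** "<loader class>@<jar URL>" for a loaded class. Assumption: a shadowing copy reports a
     *  different jar or loader than the classes that ship with log4j-core. */
    static String origin(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        String location = (cs == null || cs.getLocation() == null)
                ? "<no code source>" : cs.getLocation().toString();
        ClassLoader cl = c.getClassLoader();
        return (cl == null ? "bootstrap" : cl.getClass().getName()) + "@" + location;
    }

    static Report inspect(ClassLoader loader) {
        String agent = System.getProperty(AGENT_PROP, "<not set>");
        Class<?> jndi;
        try {
            jndi = Class.forName(JNDI_LOOKUP, false, loader); // initialize=false: no static init yet
        } catch (ClassNotFoundException e) {
            return new Report(Verdict.NO_LOG4J_CORE, "<absent>", "<absent>", agent);
        }
        String coreOrigin;
        try {
            coreOrigin = origin(Class.forName(STR_LOOKUP, false, loader));
        } catch (ClassNotFoundException e) {
            coreOrigin = "<absent>"; // only the patch jar is present, log4j-core is not
        }
        String jndiOrigin = origin(jndi);
        if (!Objects.equals(jndiOrigin, coreOrigin)) {
            return new Report(Verdict.SHADOWED_BY_PATCH, jndiOrigin, coreOrigin, agent);
        }
        try {
            // The real constructor performs no lookup, so calling it is safe. A stub that
            // refuses construction (as in the Minecraft 1.7.10 trace in the comments) throws here.
            jndi.getDeclaredConstructor().newInstance();
            return new Report(Verdict.REACHABLE, jndiOrigin, coreOrigin, agent);
        } catch (Throwable t) {
            return new Report(Verdict.CONSTRUCTOR_REJECTS, jndiOrigin, coreOrigin, agent);
        }
    }

    public static void main(String[] args) {
        Report report = inspect(Log4jPatchCheck.class.getClassLoader());
        System.out.println(report);
        // Exit non-zero only when the genuine lookup is still usable, so a start script
        // can refuse to launch the service with an unpatched classpath.
        System.exit(report.verdict == Verdict.REACHABLE ? 1 : 0);
    }
}
```

Compile it and run it with exactly the JVM flags and classpath the real service uses, for example `java -javaagent:log4j-patch-agent-1.0.jar -cp log4j-patch-1.0.jar:log4j-core.jar:. Log4jPatchCheck` (jar names illustrative). Because an agent's premain runs before main, the property is already set by the time the program reads it. Exit status 1 means the unpatched class is still first in line, which is the case you want a deployment script to catch.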

Comments
  • crash in Minecraft 1.7.10

    Exception in thread "main" java.lang.NoClassDefFoundError: JNDI lookup is disabled
            at org.apache.logging.log4j.core.lookup.JndiLookup.<init>(JndiLookup.java:11)
            at org.apache.logging.log4j.core.lookup.Interpolator.<init>(Interpolator.java:66)
            at org.apache.logging.log4j.core.config.BaseConfiguration.<init>(BaseConfiguration.java:108)
            at org.apache.logging.log4j.core.config.DefaultConfiguration.<init>(DefaultConfiguration.java:48)
            at org.apache.logging.log4j.core.LoggerContext.<init>(LoggerContext.java:63)
            at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.locateContext(ClassLoaderContextSelector.java:217)
            at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:114)
            at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:81)
            at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:83)
            at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:34)
            at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:387)
            at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:322)
            at bao.<clinit>(SourceFile:84)
            at net.minecraft.client.main.Main.main(SourceFile:72)
    

    The cause is probably that 1.7.10 uses 2.0-beta9, which doesn't try to catch the error that new JndiLookup may throw. https://github.com/apache/logging-log4j2/blob/log4j-2.0-beta9/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L66

    opened by xmdhs 2