Resolve the RCE vulnerability caused by JNDI lookup in log4j 2.0~2.14.1

Log4j Patch

Resolve the RCE vulnerability caused by JNDI lookup in log4j 2.0~2.14.1. It is licensed under the WTFPL 2.0 license, so you can do anything with it!

The principle of the library is simple: it provides an empty JndiLookup class that shadows the implementation in log4j-core, so the real JNDI lookup code is never loaded.
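The principle in concrete form, as an added illustration and not the log4j-patch project's own source: a class with the same fully qualified name as log4j-core's JndiLookup whose lookups simply resolve to nothing. It assumes the log4j-core 2.x StrLookup interface with its two lookup methods and compiles with Java 6.

```java
package org.apache.logging.log4j.core.lookup;

import org.apache.logging.log4j.core.LogEvent;

/**
 * Illustrative no-op stand-in for log4j-core's JndiLookup (added example,
 * not log4j-patch's real code). When this class sits ahead of log4j-core on
 * the classpath, the JVM resolves the name to this class first, so the
 * original, which performs a real JNDI lookup, is never loaded.
 */
public class JndiLookup implements StrLookup {

    /**
     * The constructor deliberately does nothing: Interpolator instantiates
     * the lookup eagerly, and some log4j versions do not catch an exception
     * thrown here.
     */
    public JndiLookup() {
    }

    /** Any ${jndi:...} reference resolves to null instead of reaching JNDI. */
    public String lookup(final String key) {
        return null;
    }

    /** Same for the event-aware variant used while formatting a log event. */
    public String lookup(final LogEvent event, final String key) {
        return null;
    }
}
```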

You can download it directly from GitHub release: log4j-patch-1.0.jar.

All you need to do is add it to the front of the classpath to disable JNDI lookup and avoid the RCE vulnerability. It is compiled with Java 6 and is compatible with all current Java versions.

If you are using log4j2 as a Java module, use this JVM parameter instead of adding it to the classpath: --patch-module org.apache.logging.log4j.core=log4j-patch-1.0.jar.
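An added deployment check, not part of log4j-patch: run it with exactly the classpath or --patch-module flags the application uses, and it reports which jar the JVM actually resolves JndiLookup from. The class name JndiLookupOriginCheck and the "log4j-patch" substring match on the jar name are assumptions made for this example.

```java
import java.net.URL;
import java.security.CodeSource;

/**
 * Added example (not the log4j-patch project's code). Loads JndiLookup by name
 * without initializing it and reports the code source it came from. If the
 * location is the log4j-core jar rather than the patch jar, the patch is not
 * in front on the classpath and the real JNDI lookup is still live.
 */
public final class JndiLookupOriginCheck {

    static final String JNDI_LOOKUP = "org.apache.logging.log4j.core.lookup.JndiLookup";

    /** Returns the URL of the code source that supplied JndiLookup, or null if unknown. */
    public static URL jndiLookupOrigin() throws ClassNotFoundException {
        // initialize=false: do not run static initializers or construct anything
        Class<?> c = Class.forName(JNDI_LOOKUP, false,
                JndiLookupOriginCheck.class.getClassLoader());
        CodeSource src = c.getProtectionDomain().getCodeSource();
        return src == null ? null : src.getLocation();
    }

    /** Heuristic (assumption): the patch jar's file name contains "log4j-patch". */
    public static boolean isShadowedByPatch(URL origin) {
        return origin != null && origin.toString().contains("log4j-patch");
    }

    public static void main(String[] args) throws ClassNotFoundException {
        URL origin = jndiLookupOrigin();
        System.out.println("JndiLookup resolved from: " + origin);
        boolean patched = isShadowedByPatch(origin);
        System.out.println(patched
                ? "OK: the patch jar shadows log4j-core's JndiLookup"
                : "WARNING: log4j-core's own JndiLookup is in use");
        System.exit(patched ? 0 : 1);
    }
}
```

Compile with javac and run as, for example, java -cp log4j-patch-1.0.jar:<your log4j-core jar>:. JndiLookupOriginCheck; a non-zero exit code means the ordering is wrong.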

Adding patch to your build

If you are using Maven/Gradle/SBT, adding it as the first dependency should solve the problem (To be tested). I have published it to JitPack. It has also been published to Maven Central, but is waiting for synchronization, please wait a little bit.

At present, please add JitPack repository first:

Maven:

<repositories>
    <repository>
        <id>jitpack.io</id>
        <url>https://jitpack.io</url>
    </repository>
</repositories>

Gradle:

repositories {
    maven { url 'https://jitpack.io' }
}

Gradle Kotlin DSL:

repositories {
    maven(url = "https://jitpack.io")
}

Then, add a dependency on it:

Maven:

<dependency>
    <groupId>org.glavo</groupId>
    <artifactId>log4j-patch</artifactId>
    <version>1.0</version>
</dependency>

Gradle:

dependencies {
    implementation 'org.glavo:log4j-patch:1.0'
}

Gradle Kotlin DSL:

dependencies {
    implementation("org.glavo:log4j-patch:1.0")
}

Comments
  • crash in Minecraft 1.7.10

    Exception in thread "main" java.lang.NoClassDefFoundError: JNDI lookup is disabled
            at org.apache.logging.log4j.core.lookup.JndiLookup.<init>(JndiLookup.java:11)
            at org.apache.logging.log4j.core.lookup.Interpolator.<init>(Interpolator.java:66)
            at org.apache.logging.log4j.core.config.BaseConfiguration.<init>(BaseConfiguration.java:108)
            at org.apache.logging.log4j.core.config.DefaultConfiguration.<init>(DefaultConfiguration.java:48)
            at org.apache.logging.log4j.core.LoggerContext.<init>(LoggerContext.java:63)
            at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.locateContext(ClassLoaderContextSelector.java:217)
            at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:114)
            at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:81)
            at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:83)
            at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:34)
            at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:387)
            at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:322)
            at bao.<clinit>(SourceFile:84)
            at net.minecraft.client.main.Main.main(SourceFile:72)

    The cause is probably that 1.7.10 uses 2.0-beta9, which does not try to catch the error that new JndiLookup may throw: https://github.com/apache/logging-log4j2/blob/log4j-2.0-beta9/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L66

    opened by xmdhs 2