I have to secure some servers against CVE-2021-44228 aka log4shell. Those machines are running Linux and have a huge number of log4j jars all over the place, some from app servers, some from legacy software, etc. I fear it is not possible to update all of them to the latest log4j.
However, if I understand correctly one can prevent log4shell in log4j 1.x by removing the impacted class like this:
zip -q -d log4j.jar org/apache/log4j/net/JMSAppender.class
And in log4j 2.x like this (see logging.apache.org):
zip -q -d log4j-core.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
I think of a shell script to find all log4j jars, maybe like this:
find / -name "log4j*.jar"
and call those two zip commands on all results. Unfortunately I’m not good at shell scripting. Might anyone write a script based on this idea?
Warnings:
- Of course you lose all JNDI lookup and/or JMS functionality from log4j by doing so.
- log4j 1.x has other security issues. So it’s better to upgrade e.g. to the latest log4j 2.x.
Well, here is my own shot at this. Not very elegant (quite repetitive), but with nicely colored output. And it only removes the class if the log4j version is compromised (FIX_VERSION="2.17.1" to also protect against CVE-2021-45105 and CVE-2021-44832).
Output looks like this:
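Since the answer's own script is not reproduced here, below is a Python version of the same remediation, added as an example for this thread and not the poster's code. It does what the two `zip -q -d` commands in the question do (walk a tree for `log4j*.jar`, drop `JMSAppender.class` / `JndiLookup.class`), without needing the `zip` utility, and like the answer it only touches jars whose version is below 2.17.1. Everything beyond those two facts is my own assumption: the function names, reading `Implementation-Version` from `META-INF/MANIFEST.MF` with a fallback to the version in the filename, treating an undeterminable version as vulnerable, and the `--dry-run` flag. The test jars are constructed in the usage, not real log4j builds.

```python
#!/usr/bin/env python3
"""Find log4j jars under a directory and strip the JNDI/JMS entry classes.

Example added to this thread, not the poster's script. It does what the two
`zip -q -d` commands in the question do, without needing the zip utility, and,
like the answer, only touches jars whose version is below FIX_VERSION
(a jar whose version cannot be determined is treated as vulnerable).
"""
import argparse
import fnmatch
import os
import re
import shutil
import sys
import tempfile
import zipfile

# The classes named in the question; removing them disables JMS/JNDI lookups.
TARGET_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",                 # log4j 1.x
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",  # log4j-core 2.x
)
FIX_VERSION = (2, 17, 1)   # same cut-off as the answer; jars at/above it are left alone
JAR_GLOB = "log4j*.jar"    # the question's `find / -name "log4j*.jar"`
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '1.2' -> (1, 2, 0); None if no version is found."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


def jar_version(path):
    """Implementation-Version from META-INF/MANIFEST.MF, else from the filename (assumption)."""
    with zipfile.ZipFile(path) as jar:
        if "META-INF/MANIFEST.MF" in jar.namelist():
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    return parse_version(line.split(":", 1)[1])
    return parse_version(os.path.basename(path))


def needs_fix(version):
    """Unknown or pre-FIX_VERSION versions are treated as vulnerable."""
    return version is None or version < FIX_VERSION


def strip_classes(path, classes):
    """Rewrite the jar without `classes` and swap it in atomically."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    os.close(fd)
    try:
        with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename not in classes:
                    dst.writestr(info, src.read(info.filename))  # keeps compression/timestamps
        shutil.copymode(path, tmp)   # keep the original permission bits
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def find_jars(root):
    """Yield every file under root whose name matches JAR_GLOB (symlinks not followed)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name, JAR_GLOB):
                yield os.path.join(dirpath, name)


def remediate(root, dry_run=False):
    """Return [(jar, version, removed)] for each jar; removed is empty if it was left alone."""
    results = []
    for jar in sorted(find_jars(root)):
        if not zipfile.is_zipfile(jar):
            continue   # not a real jar (or truncated): skip rather than corrupt it
        version = jar_version(jar)
        with zipfile.ZipFile(jar) as z:
            present = [c for c in TARGET_CLASSES if c in z.namelist()]
        removed = present if needs_fix(version) else []
        if removed and not dry_run:
            strip_classes(jar, set(removed))
        results.append((jar, version, removed))
    return results


def main(argv=None):
    ap = argparse.ArgumentParser(description="strip log4shell entry classes from log4j jars")
    ap.add_argument("root", nargs="?", default="/", help="directory to scan (default: /)")
    ap.add_argument("-n", "--dry-run", action="store_true", help="report only, change nothing")
    args = ap.parse_args(argv)
    for jar, version, removed in remediate(args.root, args.dry_run):
        ver = ".".join(map(str, version)) if version else "unknown"
        status = "ok" if not removed else ("would-fix" if args.dry_run else "fixed")
        print(f"{status:9} {ver:8} {jar} {' '.join(removed)}".rstrip())
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root with `-n` first (`python3 strip_log4j.py -n /`) to see what would be touched, then without. Two caveats the question's `find` approach shares: a jar that does not match `log4j*.jar` (for example a fat jar or one nested inside a .war/.ear) is not seen, and a JVM that already loaded the jar keeps the old class until it is restarted. A jar that no longer lists the target class on a second run is reported as `ok`, which makes the rescan a cheap check of the result.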