Posted to users@nifi.apache.org by Bryan Rosander <br...@gmail.com> on 2021/12/15 19:01:00 UTC

Log4j Patch Util

Hey all,

I wrote up a utility to patch all nars in a given NiFi install to
remove JndiLookup.class from log4j jars.  It has no dependencies and the
single file can be compiled and run as-is.

It looks like it should be handled pretty well if the class is just missing
since they didn't expect it to be available on Android. [1]

It does not attempt to update already unpacked nars so I'd suggest stopping
NiFi and removing the work/nar directory before running.

Usage:

1. Put by itself in a directory
2. Compile 'javac Log4jPatch.java'
3. Run 'java Log4jPatch'

Verify (optionally do this before patching to validate that the grep pattern
works and that you have the vulnerable class file):

1. Start NiFi, wait for it to unpack all nars.
2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'

I'm looking for feedback around the approach.  Anyone's free to take this
and use it how they want to.

Thanks,
Bryan

[1]
https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
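As an added illustration of the patch-and-verify steps above (this is not Bryan's Log4jPatch.java from the gist and not NiFi project code), the following Python does the same nested-zip rewrite: it walks the install for .nar bundles, opens every bundled log4j-core jar inside each one, and rewrites the NAR with org/apache/logging/log4j/core/lookup/JndiLookup.class dropped from those jars. The lib/ and extensions/ locations, the match on jar entry names and the sample NAR it builds for a dry run are assumptions made for the example. Like the utility in the thread it leaves anything already unpacked under work/nar alone, so stop NiFi and delete that directory before running it.

```python
"""Added example for the thread's patch-and-verify steps: not Bryan's
Log4jPatch.java and not NiFi code.  A NAR is a zip whose bundled jars are
zips too, so this is a zip-in-zip rewrite.  Assumed here: NARs live under
lib/ and extensions/ of NIFI_HOME and log4j-core jars are matched by entry
name.  Unpacked copies under work/nar are not touched; delete them first.
"""
import io
import os
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAR_DIRS = ("lib", "extensions")  # assumed locations of .nar bundles

def is_log4j_core_jar(name):
    base = os.path.basename(name)
    return base.startswith("log4j-core") and base.endswith(".jar")

def strip_entry(zip_bytes, entry):
    """Copy an in-memory zip without `entry`; the flag says whether it was present."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src:
        if entry not in src.namelist():
            return zip_bytes, False
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w") as dst:
            for info in src.infolist():
                if info.filename != entry:
                    dst.writestr(info, src.read(info))  # keeps name, date, compression
    return out.getvalue(), True

def jars_containing(nar_path, entry):
    """Entry names of bundled log4j-core jars inside the NAR that contain `entry`."""
    hits = []
    with zipfile.ZipFile(nar_path) as nar:
        for name in nar.namelist():
            if is_log4j_core_jar(name):
                with zipfile.ZipFile(io.BytesIO(nar.read(name))) as jar:
                    if entry in jar.namelist():
                        hits.append(name)
    return hits

def patch_nar(nar_path):
    """Rewrite the NAR in place with JndiLookup.class removed; returns jars changed."""
    with open(nar_path, "rb") as f:
        nar_bytes = f.read()
    changed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(nar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            payload = src.read(info)
            if is_log4j_core_jar(info.filename):
                payload, removed = strip_entry(payload, JNDI_CLASS)
                if removed:
                    changed.append(info.filename)
            dst.writestr(info, payload)  # non-log4j entries pass through unchanged
    if changed:  # temp file plus rename, so a crash cannot leave a truncated NAR
        tmp = nar_path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(out.getvalue())
        os.replace(tmp, nar_path)
    return changed

def nar_paths(nifi_home):
    for sub in NAR_DIRS:
        for dirpath, _, files in os.walk(os.path.join(nifi_home, sub)):
            for fn in sorted(files):
                if fn.endswith(".nar"):
                    yield os.path.join(dirpath, fn)

def scan_install(nifi_home):
    """NAR path (relative to NIFI_HOME) -> bundled jars still carrying JndiLookup."""
    found = {}
    for path in nar_paths(nifi_home):
        hits = jars_containing(path, JNDI_CLASS)
        if hits:
            found[os.path.relpath(path, nifi_home)] = hits
    return found

def patch_install(nifi_home):
    """Patch every NAR under NIFI_HOME; result has the same shape as scan_install."""
    return {os.path.relpath(p, nifi_home): jars
            for p in nar_paths(nifi_home) if (jars := patch_nar(p))}

def build_sample_install():
    """Constructed sample tree with fake class bytes (not real NiFi artifacts)."""
    root = tempfile.mkdtemp(prefix="nifi-sample-")
    os.makedirs(os.path.join(root, "lib"))
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe fake JndiLookup")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe keep")
    with zipfile.ZipFile(os.path.join(root, "lib", "nifi-sample-nar-1.0.nar"), "w") as nar:
        nar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        nar.writestr("META-INF/bundled-dependencies/log4j-core-2.11.1.jar", jar.getvalue())
    return root

if __name__ == "__main__":  # usage: python3 nar_log4j_patch.py /PATH/TO/NIFI
    home = sys.argv[1] if len(sys.argv) > 1 else build_sample_install()
    print("patched:", patch_install(home), "still vulnerable:", scan_install(home))
```

With no argument it patches the constructed sample tree, which is a convenient way to dry-run it before pointing it at a real install. The scan lists zip entries instead of grepping the jar bytes, so "clean" means the class file is genuinely gone from the jar's directory rather than that a string happened not to match, and the rewrite goes through a temporary file and os.replace so an interrupted run cannot leave a half-written NAR in lib/.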

Re: Log4j Patch Util

Posted by Bryan Rosander <br...@gmail.com>.
And thanks Joe for sanity checking the approach :)

On Wed, Dec 15, 2021 at 2:34 PM Bryan Rosander <br...@gmail.com>
wrote:

> Ah, glad that worked.  I did mess up step 3 of usage, the only arg should
> be the path to a NiFi install:
>
> 3. Run 'java Log4jPatch /PATH/TO/NIFI'
>
> If anyone uses it and has feedback (especially around effectiveness) I'd
> appreciate it.
>
> On Wed, Dec 15, 2021 at 2:19 PM Joe Witt <jo...@gmail.com> wrote:
>
>> Bryan
>>
>> You did it right - I was just a dope and didn't scroll down far enough
>> :). The link is a good call though too.
>>
>> I thought the list blocked attachments actually.
>>
>> Anyway thanks for sharing that.  It is an option for folks to consider.
>>
>> Thanks
>>
>> On Wed, Dec 15, 2021 at 12:17 PM Bryan Rosander <br...@gmail.com>
>> wrote:
>> >
>> > Hey Joe,
>> >
>> > Sorry if I didn't attach it properly.  The archive client seems to see
>> it [1]
>> >
>> > I created a gist in case something else is wrong. [2]
>> >
>> > Thanks,
>> > Bryan
>> >
>> > [1] https://lists.apache.org/thread/v8ydn3bgkgspf2vh8j0d0zygzdkwb7k0
>> > [2] https://gist.github.com/brosander/a6f5075535772c60605c1544a91d56f5
>> >
>> > On Wed, Dec 15, 2021 at 2:06 PM Joe Witt <jo...@gmail.com> wrote:
>> >>
>> >> Bryan
>> >>
>> >> This type of approach would work generally quite fine.  Did you paste
>> >> the link you intended or did you forget to link to the patch?
>> >>
>> >> Thanks
>> >>
>> >> On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <
>> bryanrosander@gmail.com> wrote:
>> >> >
>> >> > Hey all,
>> >> >
>> >> > I wrote up a utility to patch all nars in a given NiFi install to
>> remove JndiLookup.class from log4j jars.  It has no dependencies and the
>> single file can be compiled and run as-is.
>> >> >
>> >> > It looks like it should be handled pretty well if the class is just
>> missing since they didn't expect it to be available on Android. [1]
>> >> >
>> >> > It does not attempt to update already unpacked nars so I'd suggest
>> stopping NiFi and removing the work/nar directory before running.
>> >> >
>> >> > Usage:
>> >> >
>> >> > 1. Put by itself in a directory
>> >> > 2. Compile 'javac Log4jPatch.java'
>> >> > 3. Run 'java Log4jPatch'
>> >> >
>> >> > Verify (optionally do this before patching to validate that the grep
>> >> > pattern works and that you have the vulnerable class file):
>> >> >
>> >> > 1. Start NiFi, wait for it to unpack all nars.
>> >> > 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'
>> >> >
>> >> > I'm looking for feedback around the approach.  Anyone's free to take
>> this and use it how they want to.
>> >> >
>> >> > Thanks,
>> >> > Bryan
>> >> >
>> >> > [1]
>> https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
>>
>

Re: Log4j Patch Util

Posted by Bryan Rosander <br...@gmail.com>.
Ah, glad that worked.  I did mess up step 3 of usage, the only arg should
be the path to a NiFi install:

3. Run 'java Log4jPatch /PATH/TO/NIFI'

If anyone uses it and has feedback (especially around effectiveness) I'd
appreciate it.

On Wed, Dec 15, 2021 at 2:19 PM Joe Witt <jo...@gmail.com> wrote:

> Bryan
>
> You did it right - I was just a dope and didn't scroll down far enough
> :). The link is a good call though too.
>
> I thought the list blocked attachments actually.
>
> Anyway thanks for sharing that.  It is an option for folks to consider.
>
> Thanks
>
> On Wed, Dec 15, 2021 at 12:17 PM Bryan Rosander <br...@gmail.com>
> wrote:
> >
> > Hey Joe,
> >
> > Sorry if I didn't attach it properly.  The archive client seems to see
> it [1]
> >
> > I created a gist in case something else is wrong. [2]
> >
> > Thanks,
> > Bryan
> >
> > [1] https://lists.apache.org/thread/v8ydn3bgkgspf2vh8j0d0zygzdkwb7k0
> > [2] https://gist.github.com/brosander/a6f5075535772c60605c1544a91d56f5
> >
> > On Wed, Dec 15, 2021 at 2:06 PM Joe Witt <jo...@gmail.com> wrote:
> >>
> >> Bryan
> >>
> >> This type of approach would work generally quite fine.  Did you paste
> >> the link you intended or did you forget to link to the patch?
> >>
> >> Thanks
> >>
> >> On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <
> bryanrosander@gmail.com> wrote:
> >> >
> >> > Hey all,
> >> >
> >> > I wrote up a utility to patch all nars in a given NiFi install to
> remove JndiLookup.class from log4j jars.  It has no dependencies and the
> single file can be compiled and run as-is.
> >> >
> >> > It looks like it should be handled pretty well if the class is just
> missing since they didn't expect it to be available on Android. [1]
> >> >
> >> > It does not attempt to update already unpacked nars so I'd suggest
> stopping NiFi and removing the work/nar directory before running.
> >> >
> >> > Usage:
> >> >
> >> > 1. Put by itself in a directory
> >> > 2. Compile 'javac Log4jPatch.java'
> >> > 3. Run 'java Log4jPatch'
> >> >
> >> > Verify (optionally do this before patching to validate that the grep
> >> > pattern works and that you have the vulnerable class file):
> >> >
> >> > 1. Start NiFi, wait for it to unpack all nars.
> >> > 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'
> >> >
> >> > I'm looking for feedback around the approach.  Anyone's free to take
> this and use it how they want to.
> >> >
> >> > Thanks,
> >> > Bryan
> >> >
> >> > [1]
> https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
>

Re: Log4j Patch Util

Posted by Joe Witt <jo...@gmail.com>.
Bryan

You did it right - I was just a dope and didn't scroll down far enough
:). The link is a good call though too.

I thought the list blocked attachments actually.

Anyway thanks for sharing that.  It is an option for folks to consider.

Thanks

On Wed, Dec 15, 2021 at 12:17 PM Bryan Rosander <br...@gmail.com> wrote:
>
> Hey Joe,
>
> Sorry if I didn't attach it properly.  The archive client seems to see it [1]
>
> I created a gist in case something else is wrong. [2]
>
> Thanks,
> Bryan
>
> [1] https://lists.apache.org/thread/v8ydn3bgkgspf2vh8j0d0zygzdkwb7k0
> [2] https://gist.github.com/brosander/a6f5075535772c60605c1544a91d56f5
>
> On Wed, Dec 15, 2021 at 2:06 PM Joe Witt <jo...@gmail.com> wrote:
>>
>> Bryan
>>
>> This type of approach would work generally quite fine.  Did you paste
>> the link you intended or did you forget to link to the patch?
>>
>> Thanks
>>
>> On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <br...@gmail.com> wrote:
>> >
>> > Hey all,
>> >
>> > I wrote up a utility to patch all nars in a given NiFi install to remove JndiLookup.class from log4j jars.  It has no dependencies and the single file can be compiled and run as-is.
>> >
>> > It looks like it should be handled pretty well if the class is just missing since they didn't expect it to be available on Android. [1]
>> >
>> > It does not attempt to update already unpacked nars so I'd suggest stopping NiFi and removing the work/nar directory before running.
>> >
>> > Usage:
>> >
>> > 1. Put by itself in a directory
>> > 2. Compile 'javac Log4jPatch.java'
>> > 3. Run 'java Log4jPatch'
>> >
>> > Verify (optionally do this before patching to validate that the grep pattern works and that you have the vulnerable class file):
>> >
>> > 1. Start NiFi, wait for it to unpack all nars.
>> > 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'
>> >
>> > I'm looking for feedback around the approach.  Anyone's free to take this and use it how they want to.
>> >
>> > Thanks,
>> > Bryan
>> >
>> > [1] https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106

Re: Log4j Patch Util

Posted by Bryan Rosander <br...@gmail.com>.
Hey Joe,

Sorry if I didn't attach it properly.  The archive client seems to see it
[1]

I created a gist in case something else is wrong. [2]

Thanks,
Bryan

[1] https://lists.apache.org/thread/v8ydn3bgkgspf2vh8j0d0zygzdkwb7k0
[2] https://gist.github.com/brosander/a6f5075535772c60605c1544a91d56f5

On Wed, Dec 15, 2021 at 2:06 PM Joe Witt <jo...@gmail.com> wrote:

> Bryan
>
> This type of approach would work generally quite fine.  Did you paste
> the link you intended or did you forget to link to the patch?
>
> Thanks
>
> On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <br...@gmail.com>
> wrote:
> >
> > Hey all,
> >
> > I wrote up a utility to patch all nars in a given NiFi install to remove
> JndiLookup.class from log4j jars.  It has no dependencies and the single
> file can be compiled and run as-is.
> >
> > It looks like it should be handled pretty well if the class is just
> missing since they didn't expect it to be available on Android. [1]
> >
> > It does not attempt to update already unpacked nars so I'd suggest
> stopping NiFi and removing the work/nar directory before running.
> >
> > Usage:
> >
> > 1. Put by itself in a directory
> > 2. Compile 'javac Log4jPatch.java'
> > 3. Run 'java Log4jPatch'
> >
> > Verify (optionally do this before patching to validate that the grep
> > pattern works and that you have the vulnerable class file):
> >
> > 1. Start NiFi, wait for it to unpack all nars.
> > 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'
> >
> > I'm looking for feedback around the approach.  Anyone's free to take
> this and use it how they want to.
> >
> > Thanks,
> > Bryan
> >
> > [1]
> https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
>

Re: Log4j Patch Util

Posted by Joe Witt <jo...@gmail.com>.
Bryan

This type of approach would work generally quite fine.  Did you paste
the link you intended or did you forget to link to the patch?

Thanks

On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <br...@gmail.com> wrote:
>
> Hey all,
>
> I wrote up a utility to patch all nars in a given NiFi install to remove JndiLookup.class from log4j jars.  It has no dependencies and the single file can be compiled and run as-is.
>
> It looks like it should be handled pretty well if the class is just missing since they didn't expect it to be available on Android. [1]
>
> It does not attempt to update already unpacked nars so I'd suggest stopping NiFi and removing the work/nar directory before running.
>
> Usage:
>
> 1. Put by itself in a directory
> 2. Compile 'javac Log4jPatch.java'
> 3. Run 'java Log4jPatch'
>
> Verify (optionally do this before patching to validate that the grep pattern works and that you have the vulnerable class file):
>
> 1. Start NiFi, wait for it to unpack all nars.
> 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'
>
> I'm looking for feedback around the approach.  Anyone's free to take this and use it how they want to.
>
> Thanks,
> Bryan
>
> [1] https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106