simonis/Log4jPatch simonis/Log4jPatch

  • This repository has been archived on 12/Dec/2021
  • Stars
    star
    108
  • Rank 321,259 (Top 7 %)
  • Language
    Java
  • Created almost 3 years ago
  • Updated almost 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
simonis/Log4jPatch
github

simonis

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Deploys an agent to fix CVE-2021-44228 (Log4j RCE vulnerability) in a running JVM process

-- This repository has been archived --

Further development of this tool will continue at corretto/hotpatch-for-apache-log4j2.

Thanks for sharing, commenting, trying it out and contributing to this project!

Log4jPatch

This is a POC of a simple tool which injects a Java agent into a running JVM process. The agent will patch the lookup() method of all loaded org.apache.logging.log4j.core.lookup.JndiLookup instances to unconditionally return the string "Patched JndiLookup::lookup()". This should fix the CVE-2021-44228 remote code execution vulnerability in Log4j without restarting the Java process.

This has been currently only tested with JDK 8 & 11!

Disclaimer: this code is provided in the hope that it will be useful, but without any warranty!

Building

JDK 8

javac -XDignore.symbol.file=true -cp <java-home>/lib/tools.jar Log4jPatch.java

JDK 11

javac --add-exports java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED Log4jPatch.java

Running

JDK 8

java -cp .:<java-home>/lib/tools.jar Log4jPatch <java-pid>

JDK 11

java Log4jPatch <java-pid>

Known issues

If you get an error like:

Exception in thread "main" com.sun.tools.attach.AttachNotSupportedException: The VM does not support the attach mechanism
	at jdk.attach/sun.tools.attach.HotSpotAttachProvider.testAttachable(HotSpotAttachProvider.java:153)
	at jdk.attach/sun.tools.attach.AttachProviderImpl.attachVirtualMachine(AttachProviderImpl.java:56)
	at jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:207)
	at Log4jPatch.loadInstrumentationAgent(Log4jPatch.java:115)
	at Log4jPatch.main(Log4jPatch.java:139)

this means that your JVM is refusing any kind of help because it is running with -XX:+DisableAttachMechanism.

More Repositories

1

cl4cds

Documentation and Tools for the OpenJDK Class Data and Application Class Data Sharing (CDS/AppCDS) features
Java
28
star
2

AnalyzingHotSpotCrashes

JavaScript
9
star
3

JBreak2016

JavaScript
8
star
4

zlib-chromium

Fork of https://chromium.googlesource.com/chromium/src/third_party/zlib
C
5
star
5

fireCRaCer

Experiments with firecracker and CRaC
Java
5
star
6

hotspot_internals

JavaScript
4
star
7

Memory

Musings about Linux memory layout and the native memory consumtion of a Java process...
CSS
3
star
8

zlib-bench

Benchmarks, data and scripts for comparing various zlib-compatible de-/compression libraries
HTML
3
star
9

BirthLifeAndDeathOfAClass

Birth, Life and Death of a Class
HTML
3
star
10

HotspotIntrinsics

My talk about HotSpot Intrinsics
HTML
2
star
11

HotSpot9_Eclipse_Project

2
star
12

JavaOne2017

My presentations for JavaOne2017
HTML
1
star
13

FOSDEM2019

My "Rumble in the Java Jungle" talk at FOSDEM 2019 in Bruxelles
HTML
1
star
14

OpenJDKInsAndOuts

JavaOne 2017 talk about OpenJDK
HTML
1
star
15

JPrime2018

Slides and examples for my talk at JPrime 2018 in Sofia about Class Data Sharing
HTML
1
star
16

spring-rce-repro

Simple reproducer for Spring4Shell
Python
1
star
17

FOSDEM2018

Slides and examples for my talks at the FreeJava Dev Room / FOSDEM 2018 about Class Data Sharing
HTML
1
star
18

HotSpot_Eclipse_Project

Eclipse project for the consolidated jdk 10 HotSpot repository
1
star