关联漏洞
描述
Fixes CVE-2021-44228 in log4j by patching JndiLookup class
介绍
# log4j-vulnerability-patcher-agent
This agent fixes critical vulnerability [CVE-2021-44228](https://www.lunasec.io/docs/blog/log4j-zero-day/) in log4j by patching `JndiLookup` class, as recommended [here](https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation).
**WARNING: this is not a substitute for proper upgrade to log4j 2.15.0**, where this vulnerability was fixed for good. Use this agent **IF, and ONLY IF, you can't upgrade log4j in your app**.
Agent can run on JRE 8 and higher, in any application (including Minecraft clients and servers).
This will completely disable `JNDI` in log4j. If you need this functionality, do not use this agent.
## How to use
1. Download agent JAR or build it yourself
2. Add command line argument `-javaagent:/path/to/agent/log4j-vulnerability-patcher-agent.jar` to the start command of your app
Example command line:
```shell
java -javaagent:/home/user/log4j-vulnerability-patcher-agent.jar -Xmx1G spigot.jar
```
If everything is OK, on start agent will output `[Log4jVulnerabilityPatcherAgent] JndiLookup was patched, vulnerability fixed!`.
## Build
You will need JDK 8, Maven and Git.
```shell
git clone https://github.com/saharNooby/log4j-vulnerability-patcher-agent.git
cd log4j-vulnerability-patcher-agent
mvn clean package
```
文件快照
[4.0K] /data/pocs/73d3df7018ca631fdc4dca1dce245ff7af5be4af
├── [1.1K] LICENSE
├── [2.7K] pom.xml
├── [1.3K] README.md
└── [4.0K] src
└── [4.0K] main
└── [4.0K] java
└── [4.0K] me
└── [4.0K] saharnooby
└── [4.0K] agent
└── [4.0K] minecraft
└── [4.0K] log4jfix
├── [1.2K] Main.java
└── [1.1K] Patcher.java
8 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。