漏洞平台

POC详情： e27bc36a5afcb0c2a7285ff3e99a9b39668bade8

来源

关联漏洞

标题： Apache Log4j 代码问题漏洞 (CVE-2021-44228)
描述：Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞，攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器，当该请求被打印成日志时就会触发远程代码执行。

描述

Provide patched version of Log4J against CVE-2021-44228 and CVE-2021-45046 as well as a script to manually patch it yourself

介绍

# Log4J Patched Dependency for Log4Shell

This repository aims to provide a patched version of the Log4J library for legacy system that can not be updated right away.

The patch consist in a modified version of the `log4j-core.x.x.x.jar` file following the [official recommandation](https://logging.apache.org/log4j/2.x/security.html) of the Apache foundation.

The modified version does not contains the `JndiLookup.class` class anymore.

### How to use it

First, **you shouldn't trust random people on internet**.

![internet dog](./misc/internet_dog.jpg)

This repository includes a script that allows to generated patched version of the library on your computer:
 - Download original library from a trusted source ([Maven](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core))
 - Apply the patch by removing the `JndiLookup.class` file
 - Replace the `log4j-core-x.x.x.jar` on your system by the patched one (use `find / -name log4j-core*.jar` to find it)

```bash
version=2.8.2 # replace your desired version of log4j here

wget https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/$version/log4j-core-$version.jar

zip -q -d log4j-core-$version.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
```

If you cannot apply the patch yourself, you can directly download the patched jar from this repository:
 - [log4j-core-2.0-beta9.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.0-beta9.jar)
 - [log4j-core-2.0-rc1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.0-rc1.jar)
 - [log4j-core-2.0-rc2.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.0-rc2.jar)
 - [log4j-core-2.0.2.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.0.2.jar)
 - [log4j-core-2.0.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.0.jar)
 - [log4j-core-2.1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.1.jar)
 - [log4j-core-2.2.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.2.jar)
 - [log4j-core-2.3.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.3.jar)
 - [log4j-core-2.4.1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.4.1.jar)
 - [log4j-core-2.4.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.4.jar)
 - [log4j-core-2.5.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.5.jar)
 - [log4j-core-2.6.1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.6.1.jar)
 - [log4j-core-2.6.2.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.6.2.jar)
 - [log4j-core-2.6.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.6.jar)
 - [log4j-core-2.7.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.7.jar)
 - [log4j-core-2.8.1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.8.1.jar)
 - [log4j-core-2.8.2.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.8.2.jar)
 - [log4j-core-2.8.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.8.jar)
 - [log4j-core-2.9.0.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.9.0.jar)
 - [log4j-core-2.9.1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.9.1.jar)
 - [log4j-core-2.10.0.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.10.0.jar)
 - [log4j-core-2.11.0.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.11.0.jar)
 - [log4j-core-2.11.1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.11.1.jar)
 - [log4j-core-2.11.2.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.11.2.jar)
 - [log4j-core-2.12.0.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.12.0.jar)
 - [log4j-core-2.12.1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.12.1.jar)
 - [log4j-core-2.12.2.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.12.2.jar)
 - [log4j-core-2.13.0.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.13.0.jar)
 - [log4j-core-2.13.1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.13.1.jar)
 - [log4j-core-2.13.2.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.13.2.jar)
 - [log4j-core-2.13.3.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.13.3.jar)
 - [log4j-core-2.14.0.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.14.0.jar)
 - [log4j-core-2.14.1.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.14.1.jar)
 - [log4j-core-2.15.0.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.15.0.jar)
 - [log4j-core-2.16.0.jar](https://github.com/Aschen/log4j-patched/raw/1.0.1/log4j/log4j-core-2.16.0.jar)

_Info: version before 2.0-beta9 are not affected since they do not contains the flawed class._

文件快照


 [4.0K]  /data/pocs/e27bc36a5afcb0c2a7285ff3e99a9b39668bade8
├── [ 249]  download-and-patch.sh
├── [4.0K]  log4j
│   ├── [763K]  log4j-core-2.0.1.jar
│   ├── [764K]  log4j-core-2.0.2.jar
│   ├── [664K]  log4j-core-2.0-beta9.jar
│   ├── [762K]  log4j-core-2.0.jar
│   ├── [685K]  log4j-core-2.0-rc1.jar
│   ├── [750K]  log4j-core-2.0-rc2.jar
│   ├── [1.5M]  log4j-core-2.10.0.jar
│   ├── [1.5M]  log4j-core-2.11.0.jar
│   ├── [1.5M]  log4j-core-2.11.1.jar
│   ├── [1.5M]  log4j-core-2.11.2.jar
│   ├── [1.6M]  log4j-core-2.12.0.jar
│   ├── [1.6M]  log4j-core-2.12.1.jar
│   ├── [1.6M]  log4j-core-2.12.2.jar
│   ├── [1.6M]  log4j-core-2.13.0.jar
│   ├── [1.6M]  log4j-core-2.13.1.jar
│   ├── [1.6M]  log4j-core-2.13.2.jar
│   ├── [1.6M]  log4j-core-2.13.3.jar
│   ├── [1.7M]  log4j-core-2.14.0.jar
│   ├── [1.6M]  log4j-core-2.14.1.jar
│   ├── [1.7M]  log4j-core-2.15.0.jar
│   ├── [1.7M]  log4j-core-2.16.0.jar
│   ├── [804K]  log4j-core-2.1.jar
│   ├── [806K]  log4j-core-2.2.jar
│   ├── [806K]  log4j-core-2.3.jar
│   ├── [966K]  log4j-core-2.4.1.jar
│   ├── [949K]  log4j-core-2.4.jar
│   ├── [1.1M]  log4j-core-2.5.jar
│   ├── [1.1M]  log4j-core-2.6.1.jar
│   ├── [1.1M]  log4j-core-2.6.2.jar
│   ├── [1.1M]  log4j-core-2.6.jar
│   ├── [1.2M]  log4j-core-2.7.jar
│   ├── [1.3M]  log4j-core-2.8.1.jar
│   ├── [1.3M]  log4j-core-2.8.2.jar
│   ├── [1.3M]  log4j-core-2.8.jar
│   ├── [1.5M]  log4j-core-2.9.0.jar
│   └── [1.5M]  log4j-core-2.9.1.jar
├── [4.0K]  misc
│   ├── [ 336]  download-and-patch-all.sh
│   ├── [ 32K]  internet_dog.jpg
│   ├── [ 195]  versions.txt
│   └── [ 127]  ver.txt
└── [5.0K]  README.md

2 directories, 42 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。