{"id":37026283,"url":"https://github.com/gredler/aegis4j","last_synced_at":"2026-01-14T03:03:25.116Z","repository":{"id":57737181,"uuid":"438788951","full_name":"gredler/aegis4j","owner":"gredler","description":"A Java agent that disables platform features you don't use, before an attacker uses them against you.","archived":false,"fork":false,"pushed_at":"2022-01-11T03:31:50.000Z","size":115,"stargazers_count":14,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2023-07-05T09:43:15.558Z","etag":null,"topics":["devsecops","java","java-agent","security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gredler.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-15T22:20:29.000Z","updated_at":"2023-07-05T09:43:15.558Z","dependencies_parsed_at":"2022-08-24T05:31:46.275Z","dependency_job_id":null,"html_url":"https://github.com/gredler/aegis4j","commit_stats":null,"previous_names":[],"tags_count":2,"template":null,"template_full_name":null,"purl":"pkg:github/gredler/aegis4j","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gredler%2Faegis4j","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gredler%2Faegis4j/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gredler%2Faegis4j/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gredler%2Faegis4j/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gredler","download_url":"https://codeload.github.com/gredler/aegis4j/tar.gz/
refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gredler%2Faegis4j/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28408800,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T01:52:23.358Z","status":"online","status_checked_at":"2026-01-14T02:00:06.678Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","java","java-agent","security"],"created_at":"2026-01-14T03:03:24.589Z","updated_at":"2026-01-14T03:03:25.089Z","avatar_url":"https://github.com/gredler.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# aegis4j\n\nAvoid the NEXT Log4Shell vulnerability!\n\nThe Java platform has accrued a number of features over the years. 
Some of these features are no longer commonly used,\nbut their existence remains a security liability, providing attackers with a diverse toolkit to leverage against\nJava-based systems.\n\nIt is possible to eliminate some of this attack surface area by creating custom JVM images with\n[jlink](https://docs.oracle.com/en/java/javase/17/docs/specs/man/jlink.html), but this is not always feasible or desired.\nAnother option is to use the [--limit-modules](https://docs.oracle.com/en/java/javase/17/docs/specs/man/java.html) command\nline parameter when running your application, but this is a relatively coarse tool that cannot be used to disable\nindividual features like serialization or native process execution.\n\nA third option is aegis4j, a Java agent which can patch key system classes to completely disable a number of standard\nJava features:\n\n- `jndi`: all JNDI functionality (`javax.naming.*`)\n- `rmi`: all RMI functionality (`java.rmi.*`)\n- `process`: all process execution functionality (`Runtime.exec()`, `ProcessBuilder`)\n- `httpserver`: all use of the JDK HTTP server (`com.sun.net.httpserver.*`)\n- `serialization`: all Java serialization (`ObjectInputStream`, `ObjectOutputStream`)\n- `unsafe`: all use of `sun.misc.Unsafe`\n- `scripting`: all JSR 223 scripting (`javax.script.*`)\n- `jshell`: all use of the Java Shell API (`jdk.jshell.*`)\n\n### Download\n\nThe aegis4j JAR is available in the [Maven Central](https://repo1.maven.org/maven2/net/gredler/aegis4j/1.1/) repository.\n\n### Usage: Attach at Application Startup\n\nTo attach at application startup, blocking all features listed above, add the agent to your java command line:\n\n`java -cp \u003cclasspath\u003e -javaagent:aegis4j-1.1.jar \u003cmain-class\u003e \u003carguments\u003e`\n\nOr, if you want to configure the specific features to block:\n\n`java -cp \u003cclasspath\u003e -javaagent:aegis4j-1.1.jar=block=\u003cfeatures\u003e \u003cmain-class\u003e \u003carguments\u003e`\n\nOr, if you want to use 
the default block list, but unblock specific features:\n\n`java -cp \u003cclasspath\u003e -javaagent:aegis4j-1.1.jar=unblock=\u003cfeatures\u003e \u003cmain-class\u003e \u003carguments\u003e`\n\nFeature lists should be comma-delimited (e.g. `jndi,rmi,unsafe`).\n\n### Usage: Attach to a Running Application\n\nTo attach to a running application, blocking all features listed above, run the following command:\n\n`java -jar aegis4j-1.1.jar \u003capplication-pid\u003e`\n\nOr, if you want to configure the specific features to block:\n\n`java -jar aegis4j-1.1.jar \u003capplication-pid\u003e block=\u003cfeatures\u003e`\n\nOr, if you want to use the default block list, but unblock specific features:\n\n`java -jar aegis4j-1.1.jar \u003capplication-pid\u003e unblock=\u003cfeatures\u003e`\n\nFeature lists should be comma-delimited (e.g. `jndi,rmi,unsafe`).\n\nThe application process ID, or PID, can usually be determined by running the `jps` command.\n\n### Compatibility\n\nThe aegis4j Java agent is compatible with JDK 11 and newer.\n\n### Monitoring\n\nThe list of Java features blocked by aegis4j is available via the `aegis4j.blocked.features` system property, which\ncan be queried at runtime via Java code, JMX, APM agents, etc.\n\nWhen an attempt is made to use a blocked feature, the type of exception thrown varies according to context, but the exception\nmessage always uses the format `\"\u003caction\u003e blocked by aegis4j\"`.\n\n### Building\n\nTo build aegis4j, run `gradlew build`.\n\n### Digging Deeper\n\nClass modifications are performed using [Javassist](https://www.javassist.org/). 
The specific class modifications performed are\nconfigured in the [mods.properties](src/main/resources/net/gredler/aegis4j/mods.properties) file.\n\nSome of the tests validate the agent against actual vulnerabilities (e.g.\n[CVE-2015-7501](src/test/java/net/gredler/aegis4j/CVE_2015_7501.java),\n[CVE-2019-17531](src/test/java/net/gredler/aegis4j/CVE_2019_17531.java),\n[CVE-2021-44228](src/test/java/net/gredler/aegis4j/CVE_2021_44228.java)).\nThe tests are run with the `jdk.attach.allowAttachSelf=true` system property, so that the agent can be attached and tested\nlocally. Tests are also run in individual VM instances, so that the class modifications performed in one test do not affect other\ntests.\n\nIdeally aegis4j could block all reflection as well, since it's often used in exploit chains. However, reflection is used *everywhere*,\nincluding the JDK lambda internals, Spring Boot, JUnit, and many other libraries and frameworks. The best way to mitigate the dangers\nof reflection is to upgrade to JDK 17 or later, where many of the internal platform classes have been made inaccessible via reflection\n(see [JEP 403](https://openjdk.java.net/jeps/403), or the [full list](https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated)\nof packages that were locked down between JDK 8 and JDK 17).\n\n### Related Work\n\n[log4j-jndi-be-gone](https://github.com/nccgroup/log4j-jndi-be-gone):\nA Java agent which patches the Log4Shell vulnerability (CVE-2021-44228).\n\n[Log4jHotPatch](https://github.com/corretto/hotpatch-for-apache-log4j2/):\nA similar Java agent from the Amazon Corretto team.\n\n[Logout4Shell](https://github.com/Cybereason/Logout4Shell):\nVaccine exploit which leverages the Log4Shell vulnerability to patch the Log4Shell vulnerability.\n\n[Logpresso log4j2-scan](https://github.com/logpresso/CVE-2021-44228-Scanner):\nCommand line tool for scanning (and patching) JAR files for Log4Shell 
vulnerabilities.\n\n[ysoserial](https://github.com/frohoff/ysoserial):\nA proof-of-concept tool for generating Java serialization vulnerability payloads.\n\n[NotSoSerial](https://github.com/kantega/notsoserial):\nA Java agent which attempts to mitigate serialization vulnerabilities by selectively blocking serialization attempts.\n\n[An In-Depth Study of More Than Ten Years of Java Exploitation](https://www.abartel.net/static/p/ccs2016-10yearsJavaExploits.pdf):\nStudy of real-world Java exploits between 2003 and 2013 ([citations](https://scholar.google.com/scholar?cites=17190152291480177134)).\n\n[A Systematic Analysis and Hardening of the Java Security Architecture](https://www.bodden.de/pubs/phdHolzinger.pdf):\nPhD thesis which incorporates the above research and proposes specific hardening measures.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgredler%2Faegis4j","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgredler%2Faegis4j","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgredler%2Faegis4j/lists"}
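The README above documents two runtime signals: the `aegis4j.blocked.features` system property and the `"<action> blocked by aegis4j"` exception message. A practitioner deploying the agent usually wants a fail-closed check that the agent really attached with the expected block list, rather than trusting the command line. The following is an added example written for this page, not code from the aegis4j project. It assumes the property is a comma-delimited feature list (the same syntax the agent accepts for `block=`/`unblock=`), that the application class name and the `REQUIRED` feature set are hypothetical, and that which entry point the agent intercepts is defined by its mods.properties, which is why the probes match on the documented message suffix rather than on an exception type.

```java
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.InitialContext;

/**
 * Fail-closed startup check for aegis4j (added example, not part of the project).
 *
 * Run with the agent attached, for example:
 *   java -javaagent:aegis4j-1.1.jar=block=jndi,process,serialization Aegis4jStartupCheck
 * and again without the agent: the first run continues, the second exits non-zero.
 */
public class Aegis4jStartupCheck {

    /** Features this hypothetical application requires to be blocked. */
    static final List<String> REQUIRED = List.of("jndi", "process", "serialization");

    /** Documented message format is "<action> blocked by aegis4j"; match on the suffix. */
    static final String BLOCK_SUFFIX = "blocked by aegis4j";

    /** Valid Java serialization stream header (magic 0xACED, version 5) with no object data. */
    static final byte[] STREAM_HEADER = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    @FunctionalInterface
    interface Probe { void run() throws Exception; }

    /**
     * One probe per feature. Each probe is harmless when the feature is NOT blocked, so the
     * check can run in any environment: the JNDI probe looks up a plain name with no provider
     * configured (NoInitialContextException), the process probe names a command that does not
     * exist (IOException, no process is started), and the serialization probe reads from a
     * header-only stream (EOFException). Each probe touches both the constructor and the
     * first operation, so it catches the agent whichever of the two it patches.
     */
    static final Map<String, Probe> PROBES = new LinkedHashMap<>();
    static {
        PROBES.put("jndi", () -> new InitialContext().lookup("aegis4j-probe"));
        PROBES.put("process", () -> new ProcessBuilder("aegis4j-probe-no-such-command").start());
        PROBES.put("serialization", () -> {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(STREAM_HEADER))) {
                in.readObject();
            }
        });
    }

    /**
     * Assumption: the property is a comma-delimited feature list, the same syntax the agent
     * accepts for its block=/unblock= arguments. A missing property means the agent is absent.
     */
    static Set<String> advertisedBlockedFeatures() {
        String raw = System.getProperty("aegis4j.blocked.features", "");
        Set<String> out = new TreeSet<>();
        for (String f : raw.split(",")) {
            if (!f.isBlank()) out.add(f.trim().toLowerCase(Locale.ROOT));
        }
        return out;
    }

    /**
     * True only if the probe was stopped by aegis4j. The exception type varies by context
     * (see the README), and some APIs wrap the failure, so walk the cause chain and match on
     * the documented message format. Any other failure means the feature is still reachable.
     */
    static boolean probeIsBlocked(Probe probe) {
        try {
            probe.run();
            return false;                       // call went through: feature reachable
        } catch (Throwable t) {
            for (Throwable c = t; c != null; c = c.getCause()) {
                String msg = c.getMessage();
                if (msg != null && msg.endsWith(BLOCK_SUFFIX)) return true;
            }
            return false;                       // failed for an unrelated reason
        }
    }

    public static void main(String[] args) {
        Set<String> advertised = advertisedBlockedFeatures();
        System.out.println("aegis4j.blocked.features = " + advertised);

        List<String> failures = new ArrayList<>();
        for (String feature : REQUIRED) {
            boolean advertisedBlocked = advertised.contains(feature);
            boolean actuallyBlocked = probeIsBlocked(PROBES.get(feature));
            System.out.printf("%-14s advertised=%-5s probe=%s%n",
                    feature, advertisedBlocked, actuallyBlocked);
            // Require both: the property says so AND the runtime actually refuses the call.
            if (!(advertisedBlocked && actuallyBlocked)) failures.add(feature);
        }

        if (!failures.isEmpty()) {
            System.err.println("Refusing to start: not blocked by aegis4j: " + failures);
            System.exit(1);
        }
        System.out.println("All required features blocked; continuing startup.");
    }
}
```

Checking the property alone is not enough, since it only reports what the agent was asked to do; the probes confirm the patched classes are actually the ones loaded in this JVM. Keep the probes side-effect free as above so the same class can run in CI without the agent to confirm it fails closed.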