Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/saharnooby/log4j-vulnerability-patcher-agent

Fixes CVE-2021-44228 in log4j by patching JndiLookup class
https://github.com/saharnooby/log4j-vulnerability-patcher-agent

agent bytecode cve fix log4j patch

Last synced: 16 days ago
JSON representation

Fixes CVE-2021-44228 in log4j by patching JndiLookup class

Awesome Lists containing this project

README 

        
# log4j-vulnerability-patcher-agent



This agent fixes critical vulnerability [CVE-2021-44228](https://www.lunasec.io/docs/blog/log4j-zero-day/) in log4j by patching `JndiLookup` class, as recommended [here](https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation).



**WARNING: this is not a substitute for proper upgrade to log4j 2.15.0**, where this vulnerability was fixed for good. Use this agent **IF, and ONLY IF, you can't upgrade log4j in your app**.



Agent can run on JRE 8 and higher, in any application (including Minecraft clients and servers).



This will completely disable `JNDI` in log4j. If you need this functionality, do not use this agent.



## How to use



1. Download agent JAR or build it yourself

2. Add command line argument `-javaagent:/path/to/agent/log4j-vulnerability-patcher-agent.jar` to the start command of your app



Example command line:



```shell

java -javaagent:/home/user/log4j-vulnerability-patcher-agent.jar -Xmx1G spigot.jar

```



If everything is OK, on start agent will output `[Log4jVulnerabilityPatcherAgent] JndiLookup was patched, vulnerability fixed!`.



## Build



You will need JDK 8, Maven and Git.



```shell

git clone https://github.com/saharNooby/log4j-vulnerability-patcher-agent.git

cd log4j-vulnerability-patcher-agent

mvn clean package

```