@iversond
Last active December 13, 2021 21:49
(Optional) Download GLIBC 2.14 and copy it to a common location (http://ftp.gnu.org/gnu/glibc/glibc-2.14.tar.gz). Download the log4j-Scanner tool (https://github.com/logpresso/CVE-2021-44228-Scanner) to a common location. This script uses the scanner tool to identify the vulnerable classes and remove them from the log4j libraries.
#!/usr/bin/env bash
# shellcheck disable=2059,2154,2034,2155,2046,2086
#===============================================================================
# vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spelllang=en ft=sh
#===============================================================================
#
# Usage: scan_log4j.sh <Fix Y/N> <(Optional) Debug: true/false>
#
# Examples:
# Scan and Fix libraries
# scan_log4j.sh Y
#
# Scan with debug mode enabled
# scan_log4j.sh N true
#
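set -e # Exit immediately on error
set -u # Treat unset variables as an error
set -o pipefail # Prevent errors in a pipeline from being masked
IFS=$'\n\t' # Set the internal field separator to a tab and newline
###############
# Variables #
###############
# Per-task wall-clock durations in seconds, keyed by task name. Filled in by
# the task functions and printed by display_timings_summary.
declare -A timings
# $1: 'Y' to stop PeopleSoft and let the scanner remove the vulnerable
#     classes, 'N' to scan only. Under 'set -u' a missing argument already
#     aborts the script, but with an unhelpful "unbound variable" message;
#     '?' (without ':') keeps that behaviour and prints the usage line instead.
fix=${1?Usage: ${0##*/} <Fix Y/N> [Debug true/false]}
# $2: optional; exactly 'true' enables echodebug output and verbose build logs.
DEBUG=${2:-false}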
###############
# Functions #
###############
function echoinfo() {
  # Print each argument as a green " ☆ INFO: <msg>" line on stdout.
  # The colour is re-enabled after the message and left on, as the original
  # format string did.
  local -r green=$'\033[1;32m'
  local -r reset=$'\033[0m'
  local msg
  # printf with no arguments still emits one (empty) line; mirror that.
  (( $# > 0 )) || set -- ''
  for msg in "$@"; do
    printf '%s ☆ INFO%s: %s%s\n' "$green" "$reset" "$msg" "$green"
  done
}
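function echodebug() {
  # Print each argument as a blue " ★ DEBUG: <msg>" line on stdout, but only
  # when the global DEBUG is exactly 'true'.
  # Bug fixed: the original test was '[[ ${DEBUG}=="true" ]]' — a single
  # non-empty word, so it always succeeded and debug lines were always printed.
  local -r BC=$'\033[1;34m'
  local -r EC=$'\033[0m'
  local -r GC=$'\033[1;32m'
  if [[ "${DEBUG:-false}" == "true" ]]; then
    # Format string is built from constants only; the message is a %s argument.
    printf "${BC} ★ DEBUG${EC}: %s${GC}\n" "$@"
  fi
}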
function echoerror() {
  # Write each argument as a red " ✖ ERROR: <msg>" line to stderr.
  local -r red=$'\033[1;31m'
  local -r reset=$'\033[0m'
  local msg
  # printf with no arguments still emits one (empty) line; mirror that.
  (( $# > 0 )) || set -- ''
  for msg in "$@"; do
    printf >&2 '%s ✖ ERROR%s: %s\n' "$red" "$reset" "$msg"
  done
}
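function display_timings_summary() {
  #######################################
  # Print a table of the per-task durations recorded in the global 'timings'
  # associative array, followed by their sum. Durations are whole seconds and
  # are rendered as HH:MM:SS via GNU 'date -d @<seconds>' (wraps past 24h).
  # Globals:   timings (read)
  # Outputs:   the table on stdout
  # Returns:   non-zero if 'date' fails (no longer masked by 'local x=$(...)')
  #######################################
  local divider='=============================='
  divider=$divider$divider
  local -r header="\n %-28s %s\n"
  local -r format=" %-28s %s\n"
  local -r width=40
  local key duration converted_timing total_duration=0
  # Sum first so the total can be printed after the table.
  for duration in "${timings[@]}"; do
    total_duration=$((duration + total_duration))
  done
  printf "$header" "TASK" "DURATION"
  printf "%${width}.${width}s\n" "$divider"
  # Bash does not guarantee associative-array iteration order; sort the keys so
  # the table is stable across runs and easy to diff.
  local -a keys=()
  if (( ${#timings[@]} > 0 )); then
    mapfile -t keys < <(printf '%s\n' "${!timings[@]}" | LC_ALL=C sort)
  fi
  for key in "${keys[@]}"; do
    # Declaration and assignment are split so a failing 'date' is not masked.
    converted_timing=$(date -u -d "@${timings[$key]}" +"%T")
    printf "$format" "$key" "$converted_timing"
  done
  printf "%${width}.${width}s\n" "$divider"
  converted_timing=$(date -u -d "@${total_duration}" +"%T")
  printf "$format" "TOTAL TIME:" "$converted_timing"
  printf "\n"
}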
# Download the GLIBC 2.14 libraries before running this: http://ftp.gnu.org/gnu/glibc/glibc-2.14.tar.gz
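function install_glibc_214(){
  #######################################
  # Build and install GLIBC 2.14 under /opt/glibc-2.14 unless it is already
  # present (detected by /opt/glibc-2.14/bin/xtrace). Build output is shown
  # only when DEBUG is 'true'; otherwise it is discarded as before.
  # The two near-identical debug/non-debug branches of the original are
  # collapsed into one path with a '_quiet' wrapper.
  # Globals:   DEBUG (read), timings (written),
  #            LD_LIBRARY_PATH (unset in the caller's shell, as the original
  #            did, so later steps in this script see it unset too)
  # Env:       GLIBC_TARBALL — source archive
  #            (default /mnt/software/misc/glibc-2.14.tar.gz)
  #            GLIBC_SHA256 — optional expected digest of the archive
  #            MAKE_JOBS — parallel make jobs (default 4)
  # Returns:   0 on success; aborts via 'set -e' on the first failed step
  #######################################
  local begin end
  begin=$(date +%s)
  if [[ -f /opt/glibc-2.14/bin/xtrace ]]; then
    echoinfo "GLIBC 2.14 Installed"
  else
    echoinfo "Installing GLIBC 2.14"
    echoinfo "Unset LD_LIBRARY_PATH"
    unset LD_LIBRARY_PATH
    _build_glibc_214
  fi
  end=$(date +%s)
  timings[install_glibc_214]=$((end - begin))
}

# Run a command, discarding its stdout and stderr unless DEBUG is 'true'.
function _quiet() {
  if [[ "${DEBUG:-false}" == 'true' ]]; then
    "$@"
  else
    "$@" > /dev/null 2>&1
  fi
}

# Unpack, configure, build and install GLIBC 2.14. The body is a subshell so
# the 'cd's do not change the caller's working directory; 'set -e' is
# inherited, so any failing step still aborts the script as before.
function _build_glibc_214() (
  local -r tarball=${GLIBC_TARBALL:-/mnt/software/misc/glibc-2.14.tar.gz}
  local -r archive=${tarball##*/}
  local -r prefix=/opt/glibc-2.14
  echoinfo "Download GLIBC 2.14"
  mkdir -p ~/glibc_install
  cd ~/glibc_install
  _quiet cp -- "$tarball" .
  # Optional integrity check: if GLIBC_SHA256 is set to the expected hex digest
  # of the archive, refuse a corrupted or substituted tarball before unpacking
  # and building it (the build is installed system-wide with sudo).
  if [[ -n "${GLIBC_SHA256:-}" ]]; then
    printf '%s  %s\n' "$GLIBC_SHA256" "$archive" | sha256sum -c --quiet -
  fi
  _quiet tar zxvf "$archive"
  cd glibc-2.14
  mkdir -p build
  cd build
  echoinfo "Configure"
  _quiet ../configure --prefix="$prefix"
  echoinfo "Make"
  _quiet make -j"${MAKE_JOBS:-4}"
  echoinfo "Install"
  # glibc's install step expects these to exist under the prefix.
  sudo mkdir -p "$prefix/etc/"
  sudo touch "$prefix/etc/ld.so.conf"
  _quiet sudo make install
)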
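function scan_for_vulnerability(){
  #######################################
  # Scan (fix=N) or scan-and-fix (fix=Y) the application tree for vulnerable
  # log4j libraries with the logpresso scanner. In fix mode PeopleSoft is
  # stopped first and restarted afterwards even if the scanner fails, so a
  # scanner error no longer leaves the application down (the original aborted
  # via 'set -e' between 'psa stop' and 'psa start').
  # Globals:   fix (read), timings (written)
  # Env:       LOG4J_SCANNER — scanner binary
  #            (default /mnt/software/misc/log4j2-scan)
  #            SCAN_ROOT — directory to scan (default /u01/app)
  # Returns:   0, the scanner's exit status in fix mode, or 2 when 'fix' is
  #            neither Y nor N (previously silently did nothing)
  #######################################
  local begin end rv=0
  local -r scanner=${LOG4J_SCANNER:-/mnt/software/misc/log4j2-scan}
  local -r scan_root=${SCAN_ROOT:-/u01/app}
  # The scanner needs the newer glibc. Pass it through 'env' so the paths are
  # plain arguments instead of being interpolated into a 'sh -c' string.
  local -r libpath=/opt/glibc-2.14/lib
  begin=$(date +%s)
  case "${fix}" in
    N)
      echoinfo "Scanning app drive for vulnerable log4j libraries"
      sudo env LD_LIBRARY_PATH="$libpath" "$scanner" "$scan_root"
      ;;
    Y)
      echoinfo "Stopping PeopleSoft"
      psa stop
      echoinfo "Attempting to fix vulnerable log4j libraries"
      # 'y' answers the scanner's confirmation prompt. Capture the status so
      # PeopleSoft is restarted before the function returns.
      printf 'y\n' | sudo env LD_LIBRARY_PATH="$libpath" "$scanner" --fix "$scan_root" || rv=$?
      echoinfo "Starting PeopleSoft"
      psa start
      if (( rv != 0 )); then
        echoerror "log4j2-scan --fix exited with status ${rv}"
      fi
      ;;
    *)
      echoerror "Unknown fix mode '${fix}' (expected Y or N)"
      rv=2
      ;;
  esac
  end=$(date +%s)
  timings[scan_for_vulnerability]=$((end - begin))
  return "$rv"
}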
########
# Main #
########
# Entry point: report the selected modes, run the scan/fix, print timings.
main() {
  echoinfo "Fix Mode: ${fix}"
  echoinfo "Debug Mode: ${DEBUG}"
  # Install GLIBC 2.14 if necessary (left disabled, as in the original)
  # install_glibc_214
  scan_for_vulnerability
  display_timings_summary
}
main "$@"