@neoKushan
Last active December 17, 2021 17:36
Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 emergency patch script for Windows
#
# I wrote this powershell script because the example command given only works on Linux.
# Aside from some prompts to make it a bit more user friendly, it should be functionally equivalent to this:
#
# `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup`
#
# To run it, ensure your execution policy is set correctly, paste the file anywhere you want it to check for
# log4j (This will check subfolders) and just call Remove-JndiLookup from your favourite powershell window.
#
# Note that the script isn't especially clever, running it on your machine doesn't guarantee that you're no longer
# vulnerable to log4shell, just that JndiLookup.class has been removed from any found instance of log4j-core-2.*.jar
#
# Zero warranty is provided, you use this entirely at your own risk.
#
function Remove-JndiLookup
{
    Param
    (
        [string[]]$JarFiles,
        [string] $FilenameToRemove
    )

    # Load the .NET zip support (System.IO.Compression.ZipFile lives in this assembly)
    Add-Type -AssemblyName 'System.IO.Compression.FileSystem'

    "The number of files to be processed is: $($JarFiles.Count)"

    # List the files we're about to process, useful if the user wants to double check
    # them later
    foreach ($JarFile in $JarFiles)
    {
        "$JarFile"
    }

    "`nStarting patching/removal process"
    $processedFiles = 0
    $skippedFiles = 0

    # -Match takes a regex, so escape the name: otherwise the '.' in 'JndiLookup.class'
    # matches any character
    $pattern = [regex]::Escape($FilenameToRemove)

    # Remove unwanted files
    foreach ($JarFile in $JarFiles)
    {
        # Open the jar for updating (.jar files are just .zip files)
        $ProcessJarFile = [System.IO.Compression.ZipFile]::Open($JarFile, 'Update')
        "`nChecking $JarFile for $FilenameToRemove"

        $matchingEntries = @($ProcessJarFile.Entries | Where-Object FullName -Match $pattern)
        if ($matchingEntries.Count -gt 0)
        {
            "Deleting unwanted file $FilenameToRemove from $JarFile"
            # Delete every matching entry (normally exactly one)
            foreach ($entry in $matchingEntries) { $entry.Delete() }
            $processedFiles++
        }
        else
        {
            "File $FilenameToRemove not found inside $JarFile, this may have already been deleted."
            $skippedFiles++
        }

        # Clean up / close the zip (this is what writes the changes back to disk)
        $ProcessJarFile.Dispose()
    }

    "`n$processedFiles file(s) processed`n$skippedFiles file(s) skipped`n`nFinished."
}

$currentLocation = Get-Location

"Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 emergency patch script"
"Aka quick 'n dirty fix for ""log4shell"""
"`nThis script will remove the 'JndiLookup.class' class file from all found instances of log4j2 in the current path ($currentLocation) and any subfolders."
"This will protect you from the RCE vulnerability, however it is not guaranteed that there will not be side-effects such as application crashes."
"Note that this operation DOES NOT MAKE ANY BACKUPS of any files and should be considered irreversible. Ensure you have your backups in order."
"`n##############################################"
"This script is provided with zero warranty."
"##############################################"

$confirmation = Read-Host "`nAre you Sure You Want To Proceed? (y/n)"
if ($confirmation -eq 'y')
{
    # -File restricts the search to files, so a directory named like a jar is not opened as one
    Remove-JndiLookup -JarFiles (Get-ChildItem -Recurse -File -Path $currentLocation -Filter 'log4j-core-2.*.jar').FullName -FilenameToRemove 'JndiLookup.class'
}
else
{
    "`nAborting! No files have been modified."
}
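The gist's own comments stress that a successful run only proves the class was deleted from the jars it found. The following read-only verification pass is an added example, not part of the original gist: it reports, for every log4j-core-2.*.jar under a path, whether the JndiLookup entry is still present, so the removal can be confirmed afterwards or audited on machines the script never touched. The function name, parameters and the exact entry path are this example's own assumptions; it assumes Windows PowerShell 5.1 or later with .NET 4.5+.

```powershell
# Added verification helper (not from the original gist). Opens each jar read-only and
# checks for the exact JndiLookup entry path, so it can never modify an archive.
function Test-JndiLookupRemoved
{
    Param
    (
        [string] $Path = (Get-Location),
        # Exact entry path inside the jar (assumed default; the gist's -Match is a regex,
        # this comparison is literal)
        [string] $EntryName = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
    )

    Add-Type -AssemblyName 'System.IO.Compression.FileSystem'

    # -File avoids the issue raised in the comments: directories named like a jar
    $jars = Get-ChildItem -Recurse -File -Path $Path -Filter 'log4j-core-2.*.jar'

    foreach ($jar in $jars)
    {
        $zip = $null
        try
        {
            # OpenRead, not Open(..., 'Update'): a verification pass must not write
            $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
            $present = [bool]($zip.Entries | Where-Object { $_.FullName -eq $EntryName })
        }
        catch
        {
            # A corrupt or locked jar is reported explicitly rather than skipped silently
            [pscustomobject]@{ Jar = $jar.FullName; JndiLookupPresent = $null; Error = $_.Exception.Message }
            continue
        }
        finally
        {
            if ($zip) { $zip.Dispose() }
        }

        [pscustomobject]@{ Jar = $jar.FullName; JndiLookupPresent = $present; Error = $null }
    }
}

# Usage: list only the jars that still carry the class (or could not be inspected)
Test-JndiLookupRemoved | Where-Object { $_.JndiLookupPresent -ne $false } | Format-Table -AutoSize
```

An empty table means every jar found under the path has the entry removed; it says nothing about jars elsewhere on the system, shaded copies under other names, or log4j-core bundled inside other archives.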
@stnguyen90

FYI, one thing I noticed while running this is it also picks up folders named log4j-core-2.*.jar. Quick fix is to add a -File option to Get-ChildItem.