Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 emergency patch script for Windows
# | |
# I wrote this powershell script because the example command given only works on Linux. | |
# Aside from some prompts to make it a bit more user friendly, it should be functionally equivalent to this:
# | |
# `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup` | |
# | |
# To run it, ensure your execution policy is set correctly, paste the file anywhere you want it to check for | |
# log4j (This will check subfolders) and just call Remove-JndiLookup from your favourite powershell window. | |
# | |
# Note that the script isn't especially clever: it only looks at files named log4j-core-2.*.jar, so a copy of
# log4j bundled inside a WAR/EAR/fat ("shaded") jar, or renamed, is not touched. Running it on your machine
# doesn't guarantee that you're no longer vulnerable to log4shell, just that JndiLookup.class has been removed
# from any found instance of log4j-core-2.*.jar.
# | |
# Zero warranty is provided, you use this entirely at your own risk. | |
# | |
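function Remove-JndiLookup
{
    <#
    .SYNOPSIS
        Deletes a class file (JndiLookup.class for log4shell) from each listed log4j-core jar, in place.
    .DESCRIPTION
        Windows equivalent of `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup`.
        Each jar is opened in 'Update' mode (a .jar is a plain zip), every entry whose file name or full
        in-archive path equals $FilenameToRemove is deleted, and the archive is rewritten on Dispose().
        No backup is taken; the caller is expected to have one.
        A jar that cannot be opened or rewritten (read-only, or locked by a running JVM) is reported as
        FAILED and the run continues with the next jar; a FAILED jar is still unpatched.
    .PARAMETER JarFiles
        Full paths of the jar files to patch. Paths that are not regular files (e.g. a directory whose
        name happens to match the log4j-core-2.*.jar filter) are reported and skipped.
    .PARAMETER FilenameToRemove
        Entry name to delete, compared literally and case-insensitively against each entry's Name and
        FullName. It is NOT a regular expression.
    .OUTPUTS
        Progress text written to the pipeline; nothing else is returned.
    #>
    Param
    (
        [string[]]$JarFiles,
        [string] $FilenameToRemove
    )

    # Bring System.IO.Compression.ZipFile into scope.
    Add-Type -AssemblyName 'System.IO.Compression.FileSystem'

    "The number of files to be processed is: $($JarFiles.Count) -"

    # List the files we're about to process, useful if the user wants to double check
    # them later
    foreach ($JarFile in $JarFiles)
    {
        "$JarFile"
    }

    "`nStarting patching/removal process"

    $processedFiles = 0
    $skippedFiles = 0
    $failedFiles = 0

    foreach ($JarFile in $JarFiles)
    {
        "`nChecking $JarFile for $FilenameToRemove"

        # Get-ChildItem -Filter also returns directories with a matching name; ZipFile::Open
        # would throw on those, so only regular files are processed.
        if (-not (Test-Path -LiteralPath $JarFile -PathType Leaf))
        {
            "Skipping $JarFile, it is not a file."
            $skippedFiles++
            continue
        }

        $ProcessJarFile = $null
        try
        {
            # 'Update' mode rewrites the archive in place when it is disposed.
            $ProcessJarFile = [System.IO.Compression.ZipFile]::Open($JarFile, 'Update')

            # Literal comparison on purpose: with -match the '.' in 'JndiLookup.class' is a wildcard
            # and the pattern matches any entry that merely *contains* the text.
            $matchingEntries = @($ProcessJarFile.Entries | Where-Object {
                $_.Name -eq $FilenameToRemove -or $_.FullName -eq $FilenameToRemove
            })

            if ($matchingEntries.Count -gt 0)
            {
                "Deleting unwanted file $FilenameToRemove from $JarFile"
                foreach ($entry in $matchingEntries)
                {
                    $entry.Delete()
                }

                # Dispose() is what commits the rewrite to disk, so only count the jar as
                # processed once that has succeeded.
                $ProcessJarFile.Dispose()
                $ProcessJarFile = $null
                $processedFiles++
            }
            else
            {
                "File $FilenameToRemove not found inside $JarFile, this may have already been deleted."
                $skippedFiles++
            }
        }
        catch
        {
            # Typical causes: jar is read-only, or held open by a running JVM. Report and carry on
            # so one locked file does not abort the whole run; this jar remains vulnerable.
            "FAILED to patch $JarFile : $($_.Exception.Message)"
            $failedFiles++
        }
        finally
        {
            # Always release the handle, even when Open() or Delete() threw.
            if ($null -ne $ProcessJarFile)
            {
                try { $ProcessJarFile.Dispose() } catch { }
            }
        }
    }

    "`n$processedFiles file(s) processed`n$skippedFiles file(s) skipped`n$failedFiles file(s) FAILED (still vulnerable)`n`nFinished."
}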
| |
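# Entry point: explain what is about to happen, ask for confirmation, then strip
# JndiLookup.class from every log4j-core-2.*.jar found under the current directory.
$currentLocation = Get-Location

"Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 emergency patch script"
"Aka quick 'n dirty fix for ""log4shell"""
"`nThis script will remove the 'JndiLookup.class' class file from all found instances of log4j2 in the current path ($currentLocation) and any subfolders."
"This will protect you from the RCE vulnerability, however it is not guaranteed that there will not be side-effects such as application crashes."
"Note that this operation DOES NOT MAKE ANY BACKUPS of any files and should be considered irreversable. Ensure you have your backups in order."
"Only files named log4j-core-2.*.jar are inspected; log4j bundled inside a WAR/EAR/fat jar, or renamed, will NOT be found."
"`n##############################################"
"This script is provided with zero warranty."
"##############################################"

$confirmation = Read-Host "`nAre you Sure You Want To Proceed? (y/n)"
if ($confirmation -eq 'y') {
    # -File: -Filter also matches directories with a jar-like name, which ZipFile::Open cannot handle.
    # -Force: include hidden/system items so a jar cannot hide from the scan.
    # Access errors from Get-ChildItem are deliberately left visible: an unreadable folder is an
    # unscanned folder and the operator needs to know about it.
    $jars = @(Get-ChildItem -Recurse -File -Force -Path $currentLocation -Filter 'log4j-core-2.*.jar' | ForEach-Object { $_.FullName })

    if ($jars.Count -eq 0) {
        "`nNo log4j-core-2.*.jar files found under $currentLocation. No files have been modified."
    }
    else {
        Remove-JndiLookup -JarFiles $jars -FilenameToRemove 'JndiLookup.class'
    }
}
else {
    "`nAborting! No files have been modified."
}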
FYI, one thing I noticed while running this is that it also picks up folders named `log4j-core-2.*.jar`, which makes the zip open fail. Quick fix is to add the `-File` option to `Get-ChildItem`.