Hey all, I wrote up a utility to patch all nars in a given NiFi install to remove JndiLookup.class from log4j jars. It has no dependencies and the single file can be compiled and run as-is.
It looks like it should be handled pretty well if the class is just missing since they didn't expect it to be available on Android. [1]

It does not attempt to update already unpacked nars so I'd suggest stopping NiFi and removing the work/nar directory before running.

Usage:
1. Put by itself in a directory
2. Compile 'javac Log4jPatch.java'
3. Run 'java Log4jPatch'

Verify (optionally do before patch to validate that the grep pattern works, you have the vulnerable class file):
1. Start NiFi, wait for it to unpack all nars.
2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'

I'm looking for feedback around the approach. Anyone's free to take this and use it how they want to.

Thanks,
Bryan

[1] https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
Log4jPatch.java
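An added example, not part of the original post or the attached utility: a Python version of the verify step that checks log4j jars while they are still packed inside nars, so it can be run on a stopped install after work/nar has been removed. It assumes nars are zip archives that carry their bundled jars as entries; `build_sample_nar` and the `log4j-core-0.0.0.jar` name are constructed test input.

```python
import io
import sys
import zipfile
from pathlib import Path

# Path of the lookup class inside log4j-core (same package as the linked Interpolator).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_has_jndilookup(jar_bytes):
    """True if the jar (given as bytes) still contains JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_CLASS in jar.namelist()

def scan_nar(nar_path):
    """Return the log4j jar entries inside one nar that still carry the class."""
    hits = []
    with zipfile.ZipFile(nar_path) as nar:
        for name in nar.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if "log4j" in base and base.endswith(".jar"):
                if jar_has_jndilookup(nar.read(name)):
                    hits.append(name)
    return hits

def scan_install(nifi_home):
    """Map each nar under nifi_home to the unpatched log4j jars it bundles."""
    report = {}
    for nar in sorted(Path(nifi_home).rglob("*.nar")):
        try:
            hits = scan_nar(nar)
        except zipfile.BadZipFile:
            hits = ["<unreadable archive>"]  # flag for manual review
        if hits:
            report[str(nar)] = hits
    return report

def build_sample_nar(path, patched):
    """Constructed test input: a nar holding one fake log4j-core jar."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("org/apache/logging/log4j/core/lookup/Interpolator.class", b"")
        if not patched:
            z.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/bundled-dependencies/log4j-core-0.0.0.jar", jar.getvalue())

if __name__ == "__main__":
    for nar, jars in scan_install(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(nar, *jars, sep="\n  ")
```

An empty report means no packed nar still bundles the class; it does not cover jars outside nars or nars already unpacked under work/nar.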
