Bryan,

This type of approach would work generally quite fine. Did you paste the link you intended or did you forget to link to the patch?

Thanks

On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <[email protected]> wrote:
> Hey all,
>
> I wrote up a utility to patch all nars in a given NiFi install to remove JndiLookup.class from log4j jars. It has no dependencies and the single file can be compiled and run as-is.
>
> It looks like it should be handled pretty well if the class is just missing since they didn't expect it to be available on Android. [1]
>
> It does not attempt to update already unpacked nars so I'd suggest stopping NiFi and removing the work/nar directory before running.
>
> Usage:
>
> 1. Put by itself in a directory
> 2. Compile 'javac Log4jPatch.java'
> 3. Run 'java Log4jPatch'
>
> Verify (optionally do before patch to validate that the grep pattern works, you have the vulnerable class file):
>
> 1. Start NiFi, wait for it to unpack all nars.
> 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'
>
> I'm looking for feedback around the approach. Anyone's free to take this and use it how they want to.
>
> Thanks,
> Bryan
>
> [1] https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
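
The verify step quoted above depends on NiFi having unpacked the nars first. As an added example (not part of this thread and not the Log4jPatch utility), the Python script below checks packed archives directly by walking jars nested inside nars, so it can be run before and after patching without starting NiFi. The function names, the `META-INF/bundled-dependencies/` sample layout and the in-memory sample nar are assumptions constructed for illustration.

```python
import io
import os
import sys
import zipfile

TARGET = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".nar", ".jar", ".war", ".zip")

def find_jndilookup(data, label, max_depth=4):
    """Return 'outer!inner!entry' paths of every JndiLookup.class in archive bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive (or corrupt): nothing to report
    hits = []
    with zf:
        for info in zf.infolist():
            path = f"{label}!{info.filename}"
            # Match on the class file name, like the case-insensitive grep does.
            if info.filename.lower().endswith("/jndilookup.class"):
                hits.append(path)
            elif info.filename.lower().endswith(ARCHIVE_EXTS) and max_depth > 0:
                hits.extend(find_jndilookup(zf.read(info), path, max_depth - 1))
    return hits

def scan_install(root):
    """Scan every archive under root (e.g. NIFI_HOME) and return all hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(f for f in files if f.lower().endswith(ARCHIVE_EXTS)):
            with open(os.path.join(dirpath, fname), "rb") as fh:
                hits.extend(find_jndilookup(fh.read(), fh.name))
    return hits

def make_sample_nar(include_jndi):
    """Constructed sample: a nar holding one log4j-core jar, patched or not."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("org/apache/logging/log4j/core/lookup/Interpolator.class", b"")
        if include_jndi:
            z.writestr(TARGET, b"")
    nar = io.BytesIO()
    with zipfile.ZipFile(nar, "w") as z:
        z.writestr("META-INF/bundled-dependencies/log4j-core-2.8.2.jar", jar.getvalue())
    return nar.getvalue()

if __name__ == "__main__":
    found = scan_install(sys.argv[1] if len(sys.argv) > 1 else ".")
    sys.exit("\n".join(found) if found else 0)
```

Run against NIFI_HOME, it lists each remaining copy of the class and exits non-zero, or exits 0 when none is left.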
