Hey Joe,

Sorry if I didn't attach it properly. The archive client seems to see it [1]

I created a gist in case something else is wrong. [2]

Thanks,
Bryan

[1] https://lists.apache.org/thread/v8ydn3bgkgspf2vh8j0d0zygzdkwb7k0
[2] https://gist.github.com/brosander/a6f5075535772c60605c1544a91d56f5

On Wed, Dec 15, 2021 at 2:06 PM Joe Witt <[email protected]> wrote:

> Bryan
>
> This type of approach would work generally quite fine. Did you paste the link you intended or did you forget to link to the patch?
>
> Thanks
>
> On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <[email protected]> wrote:
> >
> > Hey all,
> >
> > I wrote up a utility to patch all nars in a given NiFi install to remove JndiLookup.class from log4j jars. It has no dependencies and the single file can be compiled and run as-is.
> >
> > It looks like it should be handled pretty well if the class is just missing since they didn't expect it to be available on Android. [1]
> >
> > It does not attempt to update already unpacked nars so I'd suggest stopping NiFi and removing the work/nar directory before running.
> >
> > Usage:
> >
> > 1. Put by itself in a directory
> > 2. Compile 'javac Log4jPatch.java'
> > 3. Run 'java Log4jPatch'
> >
> > Verify (optionally do before patch to validate that the grep pattern works, you have the vulnerable class file):
> >
> > 1. Start NiFi, wait for it to unpack all nars.
> > 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'
> >
> > I'm looking for feedback around the approach. Anyone's free to take this and use it how they want to.
> >
> > Thanks,
> > Bryan
> >
> > [1] https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
