Bryan

You did it right - I was just a dope and didn't scroll down far enough :). The link is a good call though too.
I thought the list blocked attachments actually.

Anyway thanks for sharing that. It is an option for folks to consider.

Thanks

On Wed, Dec 15, 2021 at 12:17 PM Bryan Rosander <[email protected]> wrote:
>
> Hey Joe,
>
> Sorry if I didn't attach it properly. The archive client seems to see it [1]
>
> I created a gist in case something else is wrong. [2]
>
> Thanks,
> Bryan
>
> [1] https://lists.apache.org/thread/v8ydn3bgkgspf2vh8j0d0zygzdkwb7k0
> [2] https://gist.github.com/brosander/a6f5075535772c60605c1544a91d56f5
>
> On Wed, Dec 15, 2021 at 2:06 PM Joe Witt <[email protected]> wrote:
>>
>> Bryan
>>
>> This type of approach would work generally quite fine. Did you paste
>> the link you intended or did you forget to link to the patch?
>>
>> Thanks
>>
>> On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <[email protected]>
>> wrote:
>> >
>> > Hey all,
>> >
>> > I wrote up a utility to patch all nars in a given NiFi install to remove
>> > JndiLookup.class from log4j jars. It has no dependencies and the single
>> > file can be compiled and run as-is.
>> >
>> > It looks like it should be handled pretty well if the class is just
>> > missing since they didn't expect it to be available on Android. [1]
>> >
>> > It does not attempt to update already unpacked nars so I'd suggest
>> > stopping NiFi and removing the work/nar directory before running.
>> >
>> > Usage:
>> >
>> > 1. Put by itself in a directory
>> > 2. Compile 'javac Log4jPatch.java'
>> > 3. Run 'java Log4jPatch'
>> >
>> > Verify (optionally do before patch to validate that the grep pattern
>> > works, you have the vulnerable class file):
>> >
>> > 1. Start NiFi, wait for it to unpack all nars.
>> > 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i
>> > jndilookup.class'
>> >
>> > I'm looking for feedback around the approach. Anyone's free to take this
>> > and use it how they want to.
>> >
>> > Thanks,
>> > Bryan
>> >
>> > [1]
>> > https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
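
An added example, not part of the thread and not Bryan's utility: a Python check that opens each nar and looks inside its bundled jars for JndiLookup.class, so the verify step above can be run before and after patching without starting NiFi to unpack the nars. The function names, the depth limit and the constructed sample nar layout are assumptions of this example.

```python
import io
import sys
import tempfile
import zipfile
from pathlib import Path

TARGET = "jndilookup.class"           # same name the thread's grep looks for
ARCHIVES = (".nar", ".jar", ".war")
MAX_DEPTH = 4                         # assumption: archives nest only a few levels

def scan_archive(source, label, depth=0):
    """Return a label for every archive, nested ones included, that holds the class."""
    hits = []
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if lower.rsplit("/", 1)[-1] == TARGET:
                    hits.append(label)
                elif lower.endswith(ARCHIVES) and depth < MAX_DEPTH:
                    inner = io.BytesIO(zf.read(name))
                    hits += scan_archive(inner, f"{label}!/{name}", depth + 1)
    except zipfile.BadZipFile:
        pass                          # misnamed or corrupt file: nothing to inspect
    return hits

def scan_install(root):
    """Scan every nar/jar/war under root, e.g. NIFI_HOME."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            hits += scan_archive(path, str(path))
    return hits

def build_sample(root):
    """Constructed sample: one nar bundling a jar with an empty stand-in class."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"")
    with zipfile.ZipFile(Path(root) / "sample.nar", "w") as zf:
        zf.writestr("META-INF/bundled-dependencies/log4j-core-sample.jar", jar.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_sample(tmp)         # no path given: scan the constructed sample
        found = scan_install(sys.argv[1] if len(sys.argv) > 1 else tmp)
    print("\n".join(found) or "no JndiLookup.class found")
```

Pass NIFI_HOME as the only argument; each output line names the nar and the jar inside it that still carries the class, and an empty result after patching is what the thread's grep would also show.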
