And thanks Joe for sanity checking the approach :)

On Wed, Dec 15, 2021 at 2:34 PM Bryan Rosander <[email protected]> wrote:

> Ah, glad that worked. I did mess up step 3 of usage, the only arg should
> be the path to a NiFi install:
>
> 3. Run 'java Log4jPatch /PATH/TO/NIFI'
>
> If anyone uses it and has feedback (especially around effectiveness) I'd
> appreciate it.
>
> On Wed, Dec 15, 2021 at 2:19 PM Joe Witt <[email protected]> wrote:
>
>> Bryan
>>
>> You did it right - I was just a dope and didn't scroll down far enough
>> :). The link is a good call though too.
>>
>> I thought the list blocked attachments actually.
>>
>> Anyway thanks for sharing that. It is an option for folks to consider.
>>
>> Thanks
>>
>> On Wed, Dec 15, 2021 at 12:17 PM Bryan Rosander <[email protected]>
>> wrote:
>> >
>> > Hey Joe,
>> >
>> > Sorry if I didn't attach it properly. The archive client seems to see
>> > it [1]
>> >
>> > I created a gist in case something else is wrong. [2]
>> >
>> > Thanks,
>> > Bryan
>> >
>> > [1] https://lists.apache.org/thread/v8ydn3bgkgspf2vh8j0d0zygzdkwb7k0
>> > [2] https://gist.github.com/brosander/a6f5075535772c60605c1544a91d56f5
>> >
>> > On Wed, Dec 15, 2021 at 2:06 PM Joe Witt <[email protected]> wrote:
>> >>
>> >> Bryan
>> >>
>> >> This type of approach would work generally quite fine. Did you paste
>> >> the link you intended or did you forget to link to the patch?
>> >>
>> >> Thanks
>> >>
>> >> On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <[email protected]> wrote:
>> >> >
>> >> > Hey all,
>> >> >
>> >> > I wrote up a utility to patch all nars in a given NiFi install to
>> >> > remove JndiLookup.class from log4j jars. It has no dependencies and the
>> >> > single file can be compiled and run as-is.
>> >> >
>> >> > It looks like it should be handled pretty well if the class is just
>> >> > missing since they didn't expect it to be available on Android. [1]
>> >> >
>> >> > It does not attempt to update already unpacked nars so I'd suggest
>> >> > stopping NiFi and removing the work/nar directory before running.
>> >> >
>> >> > Usage:
>> >> >
>> >> > 1. Put by itself in a directory
>> >> > 2. Compile 'javac Log4jPatch.java'
>> >> > 3. Run 'java Log4jPatch'
>> >> >
>> >> > Verify (optionally do before patch to validate that the grep pattern
>> >> > works, you have the vulnerable class file):
>> >> >
>> >> > 1. Start NiFi, wait for it to unpack all nars.
>> >> > 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'
>> >> >
>> >> > I'm looking for feedback around the approach. Anyone's free to take
>> >> > this and use it how they want to.
>> >> >
>> >> > Thanks,
>> >> > Bryan
>> >> >
>> >> > [1] https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
>> >

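As an added example of the two procedures quoted above (patching every nar under a NiFi install so that nested log4j jars no longer carry JndiLookup.class, and then verifying that nothing vulnerable remains), here is a small Python script. It is not Bryan's Log4jPatch.java and not NiFi project code; it only assumes that a nar is a zip archive with its dependency jars stored as entries, and it matches any entry named log4j*.jar wherever it sits in the nar. The fixture it builds (a fake NIFI_HOME/lib with one nar bundling a placeholder log4j-core jar) is constructed for the demo and contains no real bytecode.

```python
"""Added example, not the Log4jPatch.java from the thread: rewrite NiFi .nar
archives so that nested log4j*.jar files no longer contain JndiLookup.class,
and verify the result by reading the nars directly (the thread instead greps
the unpacked work/nar directory after NiFi starts)."""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _is_log4j_jar(entry_name: str) -> bool:
    base = os.path.basename(entry_name).lower()
    return base.startswith("log4j") and base.endswith(".jar")


def _strip_class_from_jar(jar_bytes: bytes) -> Tuple[bytes, bool]:
    """Copy every entry of the jar except JndiLookup.class; report whether it was present."""
    out = io.BytesIO()
    removed = False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))  # keeps per-entry compression
    return out.getvalue(), removed


def patch_nar(nar_path: str) -> List[str]:
    """Rewrite one nar in place; return the nested jars from which the class was removed."""
    with open(nar_path, "rb") as f:
        original = f.read()
    out = io.BytesIO()
    patched = []
    with zipfile.ZipFile(io.BytesIO(original)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if _is_log4j_jar(info.filename):
                data, removed = _strip_class_from_jar(data)
                if removed:
                    patched.append(info.filename)
            dst.writestr(info, data)  # writestr recomputes size and CRC for the new bytes
    if patched:  # write to a temp file and rename so a crash cannot leave a truncated nar
        tmp = nar_path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(out.getvalue())
        os.replace(tmp, nar_path)
    return patched


def patch_install(nifi_home: str) -> Dict[str, List[str]]:
    """Patch every .nar under NIFI_HOME; map nar path -> nested jars that were patched."""
    result = {}
    for root, _dirs, files in os.walk(nifi_home):
        for fn in files:
            if fn.lower().endswith(".nar"):
                path = os.path.join(root, fn)
                patched = patch_nar(path)
                if patched:
                    result[path] = patched
    return result


def scan_install(nifi_home: str) -> List[str]:
    """List log4j jars (loose, or nested in a nar as 'nar!entry') still carrying the class."""
    hits = []
    for root, _dirs, files in os.walk(nifi_home):
        for fn in files:
            path = os.path.join(root, fn)
            if fn.lower().endswith(".nar"):
                with zipfile.ZipFile(path) as nar:
                    for info in nar.infolist():
                        if _is_log4j_jar(info.filename):
                            with zipfile.ZipFile(io.BytesIO(nar.read(info.filename))) as jar:
                                if JNDI_LOOKUP in jar.namelist():
                                    hits.append(path + "!" + info.filename)
            elif _is_log4j_jar(fn):
                with zipfile.ZipFile(path) as jar:
                    if JNDI_LOOKUP in jar.namelist():
                        hits.append(path)
    return sorted(hits)


def build_sample_install(root: str) -> str:
    """Constructed fixture: a fake NIFI_HOME/lib with one nar bundling a log4j-core jar.
    The .class entries hold placeholder bytes, not real bytecode."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(JNDI_LOOKUP, b"placeholder")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    with zipfile.ZipFile(os.path.join(lib, "nifi-example-nar-1.0.0.nar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/bundled-dependencies/log4j-core-2.8.2.jar", jar.getvalue())
    return root


def run_demo(root: Optional[str] = None) -> dict:
    """Scan, patch and rescan the constructed install; also list what survives in the jar."""
    home = build_sample_install(root or tempfile.mkdtemp())
    before = scan_install(home)
    patched = patch_install(home)
    nar, inner = next(iter(patched.items()))
    with zipfile.ZipFile(nar) as z, zipfile.ZipFile(io.BytesIO(z.read(inner[0]))) as jar:
        remaining = sorted(jar.namelist())
    return {"home": home, "before": before, "patched": patched,
            "after": scan_install(home), "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
```

Because the scan opens the nars themselves rather than the unpacked copies, it can be run before NiFi is started; the thread's advice still applies, though: stop NiFi and clear work/nar before patching, since already-unpacked nars are not rewritten here either.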