Ah, glad that worked. I did mess up step 3 of usage, the only arg should be the path to a NiFi install:

3. Run 'java Log4jPatch /PATH/TO/NIFI'

If anyone uses it and has feedback (especially around effectiveness) I'd appreciate it.

On Wed, Dec 15, 2021 at 2:19 PM Joe Witt <joe.w...@gmail.com> wrote:

> Bryan
>
> You did it right - I was just a dope and didn't scroll down far enough :). The link is a good call though too.
>
> I thought the list blocked attachments actually.
>
> Anyway thanks for sharing that. It is an option for folks to consider.
>
> Thanks
>
> On Wed, Dec 15, 2021 at 12:17 PM Bryan Rosander <bryanrosan...@gmail.com> wrote:
> >
> > Hey Joe,
> >
> > Sorry if I didn't attach it properly. The archive client seems to see it [1]
> >
> > I created a gist in case something else is wrong. [2]
> >
> > Thanks,
> > Bryan
> >
> > [1] https://lists.apache.org/thread/v8ydn3bgkgspf2vh8j0d0zygzdkwb7k0
> > [2] https://gist.github.com/brosander/a6f5075535772c60605c1544a91d56f5
> >
> > On Wed, Dec 15, 2021 at 2:06 PM Joe Witt <joe.w...@gmail.com> wrote:
> >>
> >> Bryan
> >>
> >> This type of approach would work generally quite fine. Did you paste
> >> the link you intended or did you forget to link to the patch?
> >>
> >> Thanks
> >>
> >> On Wed, Dec 15, 2021 at 12:01 PM Bryan Rosander <bryanrosan...@gmail.com> wrote:
> >> >
> >> > Hey all,
> >> >
> >> > I wrote up a utility to patch all nars in a given NiFi install to remove JndiLookup.class from log4j jars. It has no dependencies and the single file can be compiled and run as-is.
> >> >
> >> > It looks like it should be handled pretty well if the class is just missing since they didn't expect it to be available on Android. [1]
> >> >
> >> > It does not attempt to update already unpacked nars so I'd suggest stopping NiFi and removing the work/nar directory before running.
> >> >
> >> > Usage:
> >> >
> >> > 1. Put by itself in a directory
> >> > 2. Compile 'javac Log4jPatch.java'
> >> > 3. Run 'java Log4jPatch'
> >> >
> >> > Verify (optionally do before patch to validate that the grep pattern works, you have the vulnerable class file):
> >> >
> >> > 1. Start NiFi, wait for it to unpack all nars.
> >> > 2. Run this in NIFI_HOME: 'find . -iname "*log4j*" | xargs grep -i jndilookup.class'
> >> >
> >> > I'm looking for feedback around the approach. Anyone's free to take this and use it how they want to.
> >> >
> >> > Thanks,
> >> > Bryan
> >> >
> >> > [1] https://github.com/apache/logging-log4j2/blob/rel/2.8.2/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L100-L106
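
A complementary check for the verify step described in the thread, as an added example that is not part of the thread or of the linked gist: it looks inside packed nars for jars that still carry JndiLookup.class, so it can be run before NiFi is started and the nars are unpacked. It goes beyond the grep in the thread by opening every nested .jar/.nar/.war rather than only files named log4j; the `META-INF/bundled-dependencies` layout and all file names in `build_sample` are constructed sample data, and the function names are hypothetical.

```python
import io
import os
import tempfile
import zipfile

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".nar", ".jar", ".war")


def find_jndi(archive, label):
    """Yield the path of every archive, at any nesting depth, holding JNDI_ENTRY."""
    try:
        with zipfile.ZipFile(archive) as zf:
            names = zf.namelist()
            if JNDI_ENTRY in names:
                yield label
            for name in names:
                if name.lower().endswith(ARCHIVE_EXTS):
                    yield from find_jndi(io.BytesIO(zf.read(name)), f"{label}!/{name}")
    except zipfile.BadZipFile:
        return  # not a readable zip; skip it


def scan_install(root):
    """Return sorted hits for every packed .nar/.jar/.war under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                hits.extend(find_jndi(path, os.path.relpath(path, root)))
    return sorted(hits)


def build_sample(root, patched):
    """Constructed sample: lib/sample.nar bundling a fake log4j-core jar."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if not patched:
            zf.writestr(JNDI_ENTRY, b"")
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "lib", "sample.nar"), "w") as zf:
        zf.writestr("META-INF/bundled-dependencies/log4j-core-0.0.0.jar", jar.getvalue())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, patched=False)
        print(scan_install(tmp))
```

An empty result from `scan_install` on a real install directory means no packed archive under it still contains the class; already unpacked copies under the work directory are plain files and are what the grep in the thread covers.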