CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Log4Shell mitigation (CVE-2021-44228): search for and remove the JNDI class from *log4j*.jar files on the system with PowerShell (Windows)
Readme
# Fix-Log4j-PowershellScript (CVE-2021-44228)

[![PSScriptAnalyzer](https://github.com/sysadmin0815/Fix-Log4j-PowershellScript/actions/workflows/powershell-analysis.yml/badge.svg)](https://github.com/sysadmin0815/Fix-Log4j-PowershellScript/actions/workflows/powershell-analysis.yml)

<b>Search for and remove the JNDI Lookup class from `*log4j*.jar` files on the system with PowerShell (Windows)</b> <br>
Make sure you use the latest script release! <br>

## Release version 1.6.2 and above
Kill mode for Java processes implemented ($killMode).<br>
<b>Defaults to $false</b> if not changed manually! Be careful using this feature!<br>
<br>
<h3>The script can be deployed manually, with GPO or with deployment tools like SCCM.</h3>
<br>
<h3>Features and Info:</h3>
<b>By default the script searches on C:\</b> if not changed<br>
 -can be changed to search all local drives with $searchAllDrives = $true in the script<br>
 -can be changed to search a specific path with $searchPath = "C:\your\folder\to\search\" in the script<br><br>

<b>By default the script creates a backup</b> of the file(s) in the same folder where the jar file was found, before removing the class<br>
 -can be disabled with $enableBackup set to $false in the script<br>

<b>By default the script validates that JndiLookup.class has been removed</b> from the jar file <br> <br>
<b>By default, if the class is still detected</b> and the jar file was not modified, the backup file is cleaned up.<br>
 -can be disabled with $removeBkOnFailure set to $false<br>
 
<b>By default the script searches for running Java processes</b> and writes a warning to the log and console.<br>
 -Kill mode for Java processes can be enabled by setting $killMode to $true - be careful with that!<br>

<b>Generates a log file</b> in the script's root directory <br><br>
<b>Generates readable console output</b> <br> <br>

<h3>How to run the script:</h3>
<b>Please read the script and modify it if needed before you execute it!</b><br>
Execute the script with an elevated powershell.exe or with deployment tools like SCCM (-File has to be the last powershell.exe parameter; anything after it is passed to the script as arguments):<br>

```powershell
powershell.exe -ExecutionPolicy Bypass -File "C:\Path\To\Script\Fix-log4j_jndi_7zip.ps1"
```
<br>
<br>
Tested on Windows 10, Server 2012R2, 2016 and 2019.<br>
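The detect, back up, remove and verify steps described above, as an added example that is not the project's script: it uses .NET's System.IO.Compression (rather than the 7-Zip the script relies on) to find the JndiLookup class entry in each `*log4j*.jar`, copy the jar aside, delete the entry in place and re-check the archive. The search path, the `.bak` naming and the function names are assumptions for this illustration.

```powershell
# Added example, not the Fix-Log4j-PowershellScript code. Uses .NET zip support
# instead of 7-Zip. $SearchPath and the function names are assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Entry path of the vulnerable lookup class inside a log4j-core jar.
$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Test-JndiLookup {
    # Returns $true if the jar still contains the JndiLookup class entry.
    param([string]$JarPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try {
        return [bool]($zip.Entries | Where-Object { $_.FullName -eq $JndiEntry })
    } finally {
        $zip.Dispose()
    }
}

function Remove-JndiLookup {
    # Backs the jar up next to itself, deletes the entry in place, then verifies
    # that the class is gone (mirrors the script's validation step).
    param([string]$JarPath, [bool]$Backup = $true)
    if ($Backup) {
        Copy-Item -LiteralPath $JarPath -Destination "$JarPath.bak" -Force
    }
    $mode = [System.IO.Compression.ZipArchiveMode]::Update
    $zip = [System.IO.Compression.ZipFile]::Open($JarPath, $mode)
    try {
        $entry = $zip.GetEntry($JndiEntry)
        if ($entry) { $entry.Delete() }
    } finally {
        $zip.Dispose()   # Dispose() writes the modified archive back to disk
    }
    return -not (Test-JndiLookup -JarPath $JarPath)
}

# Walk the assumed search path and report each jar that still carries the class.
$SearchPath = 'C:\'
Get-ChildItem -Path $SearchPath -Filter '*log4j*.jar' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        if (Test-JndiLookup -JarPath $_.FullName) {
            $ok = Remove-JndiLookup -JarPath $_.FullName
            $state = if ($ok) { 'JndiLookup removed' } else { 'REMOVAL FAILED' }
            Write-Output ("{0}: {1}" -f $_.FullName, $state)
        }
    }

# A running JVM keeps the old class loaded until restart, so warn about it.
if (Get-Process -Name java, javaw -ErrorAction SilentlyContinue) {
    Write-Warning 'Running Java processes found; restart them so the modified jar is loaded.'
}
```

Jars opened in Update mode are rewritten in full, so the jar must not be locked by a running JVM while the entry is deleted.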

<h3>Credits:</h3>

7-Zip is used to delete the class in the jar file and verify the removal.
>  Source: https://www.7-zip.org/ <br>
>  7-Zip Copyright (C) 1999-2021 Igor Pavlov.

<br>
<br>
<b>THE SCRIPT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND.</b> <br>