How can I find all *nested* jar files containing the log4j library
I have read here that the log4j library can be "nested" within other files that are deployed with an application.
I can find files with 'log4j' in the filename but don't know how to find log4j in these "nested jars". Is there a utility I can use from the command line that can inspect the contents of nested jars?
update
I am going to try to use the 'syft' open-source tool on WSL2 Ubuntu linux running on my windows box. I expect the file scanning to be slower from WSL2 (across a pseudo-network boundary to the windows side of the filesystem) but it should still work. I will update here with results.
UPDATE: 2021-12-18...
Remember to always check for the latest information from the resources listed below
CVE-2021-45105... 2.16.0 and 2.12.2 are no longer valid remediations! The current fixing versions are 2.17.0 (Java 8) and 2.12.3 (Java 7). All other Java versions have to take the stop gap approach (removing/deleting JndiLookup.class file from the log4j-core JAR.
I have updated my message below accordingly.
Answering the question directly:
Go to https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/
and cntl+f for .class and .jar recursive hunter
- More resources
-
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/
- This one has TONS of useful info including detectors, even more resource links, very easy to understand remediation steps, and more
- https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
- https://github.com/cisagov/log4j-affected-db
- https://logging.apache.org/log4j/2.x/security.html
-
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/
Remediation:
CVE-2021-45046 ... CVE-2021-44228 ... CVE-2021-45105
While most people that need to know probably already know enough to do what they need to do, I thought I would still put this just in case...
- Follow the guidance in those resources... it may change, but
As of 2021-12-18
It's basically
- Remove log4j-core JAR files if possible
- From both running machines for immediate fix AND
- in your source code / source code management files to prevent future builds / releases / deployments from overwriting the change
- If that is not possible (due to a dependency), upgrade them
- If you are running Java8, then you can upgrade to log4j 2.17.0+
- If you are running an earlier version of Java, then you can upgrade to log4j 2.12.3
- If you are running an older version of Java, then you need to upgrade to the newest version of Java, and then use the newest version of Log4J
- Again, these changes have to happen both on running machine and in code
- If neither of those are possible for some reason... then there is the NON-remediation stop gap of removing the JndiLookup.class file from the log4j-core JARs.
- There is a one-liner for the stop gap option on Linux using the
zip
command that comes packaged with most Linux distros by default.zip -q -d "$LOG4J_JAR_PATH" org/apache/logging/log4j/core/lookup/JndiLookup.class
- At time of writing, most of the guides online for the stop gap option on Windows say to do the following (again... assuming you can't do one of the remove JAR or upgrade options above):
- Install something like 7-zip
- Locate all of your log4j-core JAR files and for each one do the following...
- Rename the JAR to change the extension to
.zip
- Use 7-zip to unzip the JAR (which now has a
.zip
extension) - Locate and remove the JndiLookup.class file from the unzipped folder
- The path is
\\path\\to\\unzippedFolder\\org\\apache\\logging\\log4j\\core\\lookup\\JndiLookup.class
- The path is
- Delete the old JAR file (which now has an extension of .zip)
- Use 7-zip to RE-zip the folder
- Rename the new .zip folder to change the extension to
.jar
- There are also some options to use Power Shell
- Reddit thread: log4j_0day_being_exploited
- ctrl+f for "PowerShell"
- There is a one-liner for the stop gap option on Linux using the
This is fine if you only have 1 or 2 JAR files to deal with and you don't mind installing 7-zip or you have PowerShell available to do it. However, if you have lots of JAR files, or if you don't want to install 7-zip and don't have access to Power Shell, I created an open-source VBS script that will do it for you without needing to install any additional software. https://github.com/CrazyKidJack/Windowslog4jClassRemover
Read the README and the Release Notes https://github.com/CrazyKidJack/Windowslog4jClassRemover/releases/latest