Simple fix for #log4jRCE #log4jshell issue if you are using Java 8 or a lower version.
Create a file called JndiLookup.java:
package org.apache.logging.log4j.core.lookup;

import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;

// Replacement for log4j's JndiLookup: returns the key unchanged instead of performing a JNDI lookup.
@Plugin(name = "jndi", category = "Lookup")
public class JndiLookup implements StrLookup {
    @Override
    public String lookup(final String key) { return key; }

    @Override
    public String lookup(final LogEvent event, final String key) { return key; }
}
Compile the class using the log4j2 core jar. 2.0 is what I used. You can find this in http://search.maven.org or other repos:
javac -cp log4j-core-2.0.jar -d target JndiLookup.java
Create a jar file with the modified class:
jar cvf log4j-fix.jar -C target org/
Copy the jar file to the JVM JRE 'lib/ext' directory:
sudo cp log4j-fix.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
Restart your Java application(s). JNDI lookups will be ignored and the jndi string will be logged as-is.
This will not work for Java > 8, since the ext mechanism was removed.
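A static check that the fix jar is where the steps above put it, added here as an example (not code from the original thread): it models the Java 8 search order, in which jars in jre/lib/ext are consulted before the application classpath, and reports which jar supplies JndiLookup. The function names and the sample jars built in demo() are constructed for illustration.

```python
import os
import tempfile
import zipfile

ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jars_with_entry(paths):
    """Return, in order, the jars that contain the JndiLookup class entry."""
    hits = []
    for path in paths:
        try:
            with zipfile.ZipFile(path) as jar:
                if ENTRY in jar.namelist():
                    hits.append(path)
        except (OSError, zipfile.BadZipFile):
            continue  # unreadable or not a zip archive
    return hits

def resolve_jndilookup(ext_dir, classpath):
    """Assumes parent-first delegation: lib/ext jars are searched before the
    application classpath. Returns (winning_jar, shadowed_jars, via_ext)."""
    names = sorted(os.listdir(ext_dir)) if os.path.isdir(ext_dir) else []
    ext_hits = jars_with_entry(os.path.join(ext_dir, n) for n in names if n.endswith(".jar"))
    order = ext_hits + jars_with_entry(classpath)
    if not order:
        return None, [], False
    return order[0], order[1:], bool(ext_hits)

def _make_jar(path, entries):
    # Constructed sample jar: real entry names, placeholder bytes as content.
    with zipfile.ZipFile(path, "w") as jar:
        for name in entries:
            jar.writestr(name, b"placeholder")

def demo():
    """Resolve JndiLookup before and after dropping the fix jar into lib/ext."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = os.path.join(tmp, "jre", "lib", "ext")
        os.makedirs(ext)
        core = os.path.join(tmp, "log4j-core-2.0.jar")
        _make_jar(core, [ENTRY, "org/apache/logging/log4j/core/LogEvent.class"])
        before = resolve_jndilookup(ext, [core])
        _make_jar(os.path.join(ext, "log4j-fix.jar"), [ENTRY])
        after = resolve_jndilookup(ext, [core])
        name = os.path.basename
        return name(before[0]), before[2], name(after[0]), after[2], [name(p) for p in after[1]]

if __name__ == "__main__":
    print(demo())
```

Class loaders that load child-first and log4j-core copies nested inside fat jars are not modelled, so treat the result as a deployment check rather than proof of what a given application loads.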