Wednesday, December 29, 2021

Use zip to address Apache log4j vulnerabilities

The steps come from an Oracle document that uses zip/unzip to remove a Java class from a JAR file. I put the steps into a script for quick execution. Note: Oracle soon updated the document to use a patch to address this vulnerability instead.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/bash
# CVE-2021-44228 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities)
# (Doc ID 2827804.1)
# In R12.2.10 instances only
#
jars="$FND_TOP/java/3rdparty/stdalone/log4j_core.jar $COMMON_TOP/java/lib/log4j_core.jar"
class="org/apache/logging/log4j/core/lookup/JndiLookup.class"

echo "Before change"
# check the JAR files exist; stop before touching anything if one is missing
for jar in $jars ;do [ -f "$jar" ] || { echo "missing: $jar" ; exit 1 ; } ; ls -l "$jar" ;done

# verify whether the log4j JARs contain the affected JndiLookup class:
for jar in $jars ;do unzip -l "$jar" "$class" ;done

# back up every JAR that will be modified (the .bak keeps the untouched original;
# the copy is the file zip -d rewrites)
for jar in $jars ;do
  mv "$jar" "$jar.bak"
  cp "$jar.bak" "$jar"
done
echo "After backup"
for jar in $jars ;do ls -al "$jar"* ;done

echo "After change"
# remove the JndiLookup class from the JAR files
for jar in $jars ;do zip -q -d "$jar" "$class" ;done

# verify that the JAR files have been recently modified and that their size has become smaller:
for jar in $jars ;do ls -l "$jar" ;done

# verify that the JndiLookup classes are no longer present
# (unzip exits non-zero when the name no longer matches, which is the expected result here):
for jar in $jars ;do unzip -l -q "$jar" "$class" || echo "$class not found in $jar (expected)" ;done

echo DONE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check the result:

$ cd $FND_TOP/java/3rdparty/stdalone
$ ls -altr log4j_core.jar*
-rwxr-xr-x 1 users group 3887706 Apr 30  2021 log4j_core.jar.bak
-rwxr-xr-x 1 users group         624 Dec 21  2021 log4j_core.jar

Note: unzip can also be used to list the classes in a .jar file:

$ unzip -l log4j_core.jar
Archive:  log4j_core.jar
$Header: log4j_core.jar 120.0.12020000.2 2021/12/14 22:42  srkumma $
  Length     Date   Time    Name
 --------    ----   ----    ----
      114  12-14-21 22:22   META-INF/JRIMETA.DAT
      186  12-14-21 22:02   README_log4j_core.txt
 --------                   -------
      300                   2 files
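
The same check/backup/remove/verify sequence as the script above, written as an added example that is not part of the original post or of Oracle's document. It uses Python's zipfile module instead of the zip/unzip binaries: zipfile cannot delete an entry in place, so the JAR is rewritten without the class and swapped over the original, while a .bak copy keeps the untouched file. The fake log4j_core.jar it builds, its entry contents, and all function names are constructed for the example; only the JndiLookup class path comes from the page.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# The affected class, as named in the page's script.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def list_entries(jar_path):
    """Entry names in a JAR (a JAR is a ZIP archive); the `unzip -l` view."""
    with zipfile.ZipFile(jar_path) as zf:
        return zf.namelist()


def contains_jndi_lookup(jar_path):
    """True while the JAR still ships JndiLookup.class."""
    return JNDI_LOOKUP in list_entries(jar_path)


def strip_jndi_lookup(jar_path, backup_suffix=".bak"):
    """Back up the JAR, then rewrite it without JndiLookup.class.

    Mirrors the script's mv/cp backup followed by `zip -q -d`. zipfile cannot
    delete an entry in place, so every other entry is copied into a temporary
    archive that is then swapped over the original.
    """
    jar_path = Path(jar_path)
    backup = jar_path.with_name(jar_path.name + backup_suffix)
    size_before = jar_path.stat().st_size
    shutil.copy2(jar_path, backup)  # untouched original, mode and mtime preserved

    removed = False
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue  # drop only the affected class, keep everything else
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap: never leaves a half-written JAR

    return {
        "backup": str(backup),
        "size_before": size_before,
        "size_after": jar_path.stat().st_size,
        "removed": removed,
        "still_present": contains_jndi_lookup(jar_path),
    }


def build_sample_jar(path):
    """Constructed fixture: a fake log4j-core JAR that still contains the class."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class",
                    b"\xca\xfe\xba\xbe" + b"\0" * 64)
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe" + b"\x01" * 512)
    return path


def demo(workdir=None):
    """Run the full before/backup/change/verify sequence on the fixture."""
    workdir = workdir or tempfile.mkdtemp(prefix="log4j_demo_")
    jar = build_sample_jar(os.path.join(workdir, "log4j_core.jar"))
    before = contains_jndi_lookup(jar)          # "Before change": expected True
    first = strip_jndi_lookup(jar)              # "After change"
    second = strip_jndi_lookup(jar, ".bak2")    # re-run: nothing left to remove
    return {
        "before": before,
        "first": first,
        "second": second,
        "backup_still_has_class": contains_jndi_lookup(first["backup"]),
        "remaining_entries": list_entries(jar),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks that matter are the ones the script also makes: the rewritten JAR is smaller than before and no longer lists the class, while the .bak still does. Running the function a second time removes nothing, so it is safe to re-run on an already cleaned JAR.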