Just a little something I whipped up after finding that JndiLookup.class is not confined to the log4j jar files themselves (e.g. it is bundled inside the Minecraft server jar). Any fat or shaded jar that bundles log4j-core carries the class, so a check that only looks at files named log4j*.jar will miss it.
Evaluation
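#!/bin/bash
#
# Author - Sam Novak
# Notes - after discovering that the JndiLookup.class file can exist in other jar files
# I decided that I had better look at all of them. Fortunately, you can grep the class
# name straight out of a JAR: entry names inside a zip archive are stored uncompressed,
# so a plain grep on the archive file finds them without unpacking anything.
#
# Exit status:
#   0 - no archive in the locate database contains JndiLookup.class
#   1 - at least one archive contains it; every matching path is printed to stdout
#   2 - the scan could not be performed (locate unavailable). A caller must NOT read
#       this as "clean" -- the original script returned 0 in this situation.
#
# Caveats:
#   - A hit only proves that log4j-core is bundled in the archive; it does not by
#     itself tell you which log4j version that is. Verify every hit before acting.
#   - locate only knows paths that updatedb indexed; anything under PRUNEPATHS /
#     PRUNEFS (typically /tmp and network mounts) is invisible to this scan.
#   - Jars nested inside a *deflated* WAR/EAR are compressed, so grep cannot see
#     their entry names. *.war and *.ear are scanned as well to catch the common
#     uncompressed (stored) layout, but a deflated nest still needs unzip -l.
#   - Package installation and updatedb need root.

set -u

# Install a locate implementation (mlocate) when none is present so the scan
# does not have to walk the whole filesystem with find.
if ! command -v locate >/dev/null 2>&1; then
  if command -v apt >/dev/null 2>&1; then
    apt install mlocate -y >/dev/null 2>&1
  elif command -v yum >/dev/null 2>&1; then
    yum install mlocate -y >/dev/null 2>&1
  fi
fi

# Fail loudly instead of looping over an empty result and reporting "clean".
if ! command -v locate >/dev/null 2>&1; then
  printf 'log4shell evaluation: locate is not available and could not be installed; scan not performed\n' >&2
  exit 2
fi

# The original only refreshed the database right after installing locate, so a
# pre-existing but stale database silently missed every jar added since the
# last updatedb. Refresh unconditionally; only warn when that is not possible.
if ! updatedb >/dev/null 2>&1; then
  printf 'log4shell evaluation: updatedb failed (not root?); results may come from a stale database\n' >&2
fi

found=0
# locate -0 yields NUL-separated paths, which survive spaces and newlines in
# file names; this replaces the IFS=newline trick of the original.
while IFS= read -r -d '' archive; do
  [[ -f "$archive" ]] || continue
  # -F: literal match, so the '.' is not a regex wildcard. -q: only the status
  # matters. -i is kept from the original; it can only widen detection.
  # LC_ALL=C keeps grep from tripping over non-UTF-8 bytes in the archive.
  if LC_ALL=C grep -q -i -F -- 'JndiLookup.class' "$archive"; then
    printf '%s\n' "$archive"
    found=1
  fi
done < <(locate -0 '*.jar' '*.war' '*.ear')

# Keep the original contract for callers that key off the exit status:
# 1 when anything was found (all hits were listed above), 0 otherwise.
if (( found )); then
  exit 1
fi
exit 0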
Remediation
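#!/bin/bash
#
# Author - Sam Novak
# Notes - This has the potential to break things in production, and services/servers may
# need to be restarted in order to guarantee that the class is no longer loaded in memory.
# Editing the archive on disk does nothing for a JVM that has already loaded the class;
# restart every affected service afterwards.
#
# Optional: set LOG4SHELL_BACKUP_DIR to a directory and every archive is copied there
# (with its full path) before it is modified. No backup is taken otherwise, so snapshot
# the host first if you need to roll back. Keep that directory off every classpath --
# the copies still contain the vulnerable class.
#
# Exit status: 0 when the run completed (check the log for per-archive failures),
# 1 while the safety switch below is in place, 2 when zip or locate is unavailable
# (nothing is modified in that case).
#
# You must comment out the line below in order for this to run.
# Think of it as a 'safety switch'
exit 1

set -u

readonly LOG_FILE=/var/log/log4shell_remediation.log
readonly CLASS_PATH=org/apache/logging/log4j/core/lookup/JndiLookup.class

# Write one message to stdout and, with a timestamp, to the log file.
log() {
  local msg=$1
  printf '%s\n' "$msg"
  printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$msg" >> "$LOG_FILE"
}

# Install zip when it is missing; the deletion below needs it.
if ! command -v zip >/dev/null 2>&1; then
  if command -v apt >/dev/null 2>&1; then
    apt install zip -y >/dev/null 2>&1
  elif command -v yum >/dev/null 2>&1; then
    yum install zip -y >/dev/null 2>&1
  fi
fi

# Stop before touching anything rather than logging a "failed" line per jar
# (zip missing) or silently doing nothing at all (locate missing).
for tool in zip locate; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'log4shell remediation: %s is not available; nothing was changed\n' "$tool" >&2
    exit 2
  fi
done

if [[ -n "${LOG4SHELL_BACKUP_DIR:-}" ]]; then
  mkdir -p -- "$LOG4SHELL_BACKUP_DIR" || exit 2
fi

# The locate database is expected to be current: the evaluation script runs updatedb.
# NUL-separated paths survive spaces and newlines in file names.
while IFS= read -r -d '' archive; do
  [[ -f "$archive" ]] || continue
  # Same literal, case-insensitive test as the evaluation script; only archives
  # that mention the class name are touched.
  LC_ALL=C grep -q -i -F -- 'JndiLookup.class' "$archive" || continue

  if [[ -n "${LOG4SHELL_BACKUP_DIR:-}" ]]; then
    # GNU cp --parents keeps the full path under the backup directory.
    if ! cp -p --parents -- "$archive" "$LOG4SHELL_BACKUP_DIR"; then
      log "Skipped $archive: backup to $LOG4SHELL_BACKUP_DIR failed"
      continue
    fi
  fi

  # NOTE(review): zip rewrites the archive in place; confirm owner and mode are
  # preserved for services that run as a non-root user before relying on this.
  # The deletion is re-checked with grep because detection is a substring match
  # while zip -d removes one exact path: a shaded/relocated copy, or a jar nested
  # inside a WAR/EAR, would otherwise be reported as "removed" while it remains.
  if zip -q -d "$archive" "$CLASS_PATH" >/dev/null 2>&1 \
     && ! LC_ALL=C grep -q -i -F -- 'JndiLookup.class' "$archive"; then
    log "Successfully removed JndiLookup.class from $archive"
  else
    log "Failed to remove JndiLookup.class from $archive (archive still contains the class name; verify manually)"
  fi
done < <(locate -0 '*.jar' '*.war' '*.ear')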