From: Josef W. UL <jwe...@hi...> - 2021-12-16 08:39:34
Hi Pietro

I had the same problem. I had to go to the location where my eXist-5.2 mac app is stored. There I could do the following:

ls -al eXist-db.app/Contents/Java

And then move to the Java directory:

cd eXist-db.app/Contents/Java

Here I could enter the recommended command to remove the JNDI lookup class from log4j-core-*:

sudo zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

This runs without an error message and leaves the log4j-core*.jar with the actual modification date and time. I think one has to reset ownership with chown.

I think this procedure corresponds fully to Apache's recommendation and should work as expected. Replacing the jars is maybe not completely satisfying.

On another installation in Debian Linux the same procedure left eXist-4.7.1 in a properly working state. All logs continued to work as before.

Hope this helps, greetings
Josef

On 16.12.21 07:53, Pietro Liuzzo wrote:
> Thanks!
>
> I tried both and I stumbled upon the fact that there seems to be no
> $EXIST_HOME set on my computer.
>
> This command, run from several locations, using find with several
> contexts, always gives me the same "nothing to do" result.
>
> So, I gave up and I tried another way. I am not sure that it is an
> admissible thing to do, nor that it works; that is why I am
> sharing it, i.e. for a sanity check. What I am entirely sure about
> is that I do not know what I am doing...
>
> After patching the log4j.xml as recommended, what I did on my MacBook
> 10.16 with java 1.8.0_311 to test a workaround, and I would like to
> try to replicate on the server, was
>
> * download log4j 2.16 and unpack it
> * open exist-db.app/Contents/Java and replace the five log4j*.jar (2.13)
>   with the ones from the downloaded new version (2.16)
> * open exist-db.app/Contents with an editor, search the entire
>   folder and replace every instance of 2.13 with 2.16 (all 94
>   instances found are related to log4j)
>
> I then started my exist 5.2 and everything seems to be working
> normally. While I hope I have "manually upgraded log4j to version
> 2.16", if that did what I wanted it to do, I am really not sure...
>
> If that is a possibility, I would like to replicate it on the server...
> can anyone tell me if this is OK?
>
> all best
>
>> On 15.12.2021 at 16:59, Peter Stadler <st...@we...> wrote:
>>
>> Just for the record/convenience, I do a `find` first to take care of
>> the different paths:
>> find ${EXIST_HOME} -name log4j-core-*.jar -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \;
>>
>> Best
>> Peter
>>
>>> On 15.12.2021 at 15:54, Clark, Ash <as....@no...> wrote:
>>>
>>> Hi Pietro,
>>>
>>> You may need to be in EXIST_HOME/lib to run the command for removing
>>> the JNDI class. Sorry for the omission!
>>>
>>> ~Ash
>>> From: Pietro Liuzzo <pie...@gm...>
>>> Sent: Wednesday, December 15, 2021 2:16 AM
>>> To: Clark, Ash <as....@no...>
>>> Cc: Mathias Göbel <go...@su...>; exist-open <exi...@li...>
>>> Subject: Re: [Exist-open] log4j2 vulnerability
>>>
>>> Thanks!
>>>
>>> I have tried to do this as well but I am told that there is nothing
>>> to do.
>>> Perhaps the location of that class depends on the system?
>>>
>>> all best
>>> Pietro
>>>
>>> Pietro Maria Liuzzo (egli/lui, he/him, er/ihn)
>>> cel (DE): +49 (0) 176 61 000 606
>>> Skype: pietro.liuzzo (Quingentole)
>>> ORCID: https://orcid.org/0000-0001-5714-4011
>>> Academia: https://uni-hamburg.academia.edu/PietroMariaLiuzzo
>>>
>>>> On 14 Dec 2021, at 22:27, Clark, Ash <as....@no...> wrote:
>>>>
>>>> zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>>>
>>> _______________________________________________
>>> Exist-open mailing list
>>> Exi...@li...
>>> https://lists.sourceforge.net/lists/listinfo/exist-open
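A defender-side version of the class-removal mitigation discussed in this thread, added here as an example (not code from the thread, from eXist-db or from Apache): it mirrors Peter's `find` and the `zip -d` command using Python's zipfile module, re-audits each jar for the JndiLookup entry afterwards, and preserves the jar's mode and owner (Josef's chown point). The `log4j-core-2.13.jar` fixture it builds is a constructed placeholder jar, not a real log4j build.

```python
import os
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # entry `zip -d` removes

def find_log4j_core_jars(root):
    """Recursive equivalent of `find ${EXIST_HOME} -name 'log4j-core-*.jar'`."""
    return sorted(p for p in Path(root).rglob("log4j-core-*.jar") if p.is_file())

def has_jndi_lookup(jar):
    """Audit check: is the JNDI lookup class still packaged in this jar?"""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_CLASS in zf.namelist()

def strip_jndi_lookup(jar: Path):
    """Rewrite jar without JndiLookup.class, keeping mode (and owner when root). True if removed."""
    st = jar.stat()
    with zipfile.ZipFile(jar) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        tmp = jar.with_name(jar.name + ".tmp")
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    os.chmod(tmp, st.st_mode)
    if os.geteuid() == 0:  # only root may restore the owner; otherwise chown afterwards, as Josef notes
        os.chown(tmp, st.st_uid, st.st_gid)
    os.replace(tmp, jar)  # atomic swap at the original path
    return True

def build_sample_jar(path):
    """Constructed fixture, not a real log4j build: a minimal jar that still carries the entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode

def demo(root=None):
    """Build a fixture, audit, strip, re-audit. Returns {jar name: (before, removed, after)}."""
    lib = Path(root or tempfile.mkdtemp()) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    build_sample_jar(lib / "log4j-core-2.13.jar")
    results = {}
    for jar in find_log4j_core_jars(lib.parent):
        before = has_jndi_lookup(jar)
        removed = strip_jndi_lookup(jar)
        results[jar.name] = (before, removed, has_jndi_lookup(jar))
    return results
```

Point `demo()` at a real EXIST_HOME only after dropping the `build_sample_jar` call; running `has_jndi_lookup` alone is a safe read-only audit of an installation.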