muduki
Calcite | Level 5

Hello,

 

I am looking for some help with log4j remediation.

 

Once I run the below remediation script for the identified jar file, how do I validate it?

 

zip -q -d path-to-JAR-file org/apache/logging/log4j/core/lookup/JndiLookup.class

 

5 REPLIES 5
muduki
Calcite | Level 5

Thank you for the link. Yes, I have gone through that earlier, but that gives the steps for remediation. I don't see any specific step for validation.

 

Would you mind sharing if you are aware of any validation steps for manual log4j remediation?

jasonfor
Calcite | Level 5

For validation, I would rerun the search and if they were zipped, you shouldn't get any results for log4j-core-2.*.jar.

jasonfor
Calcite | Level 5

Correction: 

The find command will still find those jar files.  You want to verify that JndiLookup.class has been removed.

 

I think you can use something similar to this:

 

find . -name '*.jar' | xargs grep JndiLookup.class

 

Another way would be to spot check one or two jar files, by copying them to a temporary location, run “unzip jarfilename.jar”, and eyeball the extracted folder and see if JndiLookup.class is no longer there.

jasonfor
Calcite | Level 5

Is this the only command to issue for UNIX? zip -q -d path-to-JAR-file org/apache/logging/log4j/core/lookup/JndiLookup.class

 

Also, does the path-to-JAR-file include the actual .jar file, for example what's in red (/opt/sas/sashome/SASEnvironmentManagerAgent/2.5/installer/lib/log4j-core-2.11.1.jar)?

 

Thank you.