Friday, December 31, 2021

Updating Log4J to latest version in existing package without rebuilding the package jar.

Description

This post describes how to update an existing jar file that was built with vulnerable Log4J2 jars so that it carries the fixed release (2.17 at the time of writing), without having to rebuild the jar from source.

This is useful for companies that want to patch components already deployed in the field as a quick fix.

Pre-Requisite

  1. 7zip downloaded and installed.
  2. The vulnerable jar file (say myapplication.jar) that has the vulnerable Log4J2 binaries embedded. For this example, our application has the following vulnerable log4j files:-
    1. log4j-api-2.13.0.jar
    2. log4j-core-2.13.0.jar
    3. log4j-jul-2.13.0.jar
    4. log4j-slf4j-impl-2.13.0.jar
  3. Download the latest Log4J2 jar files from:- https://logging.apache.org/log4j/2.x/download.html
    1. log4j-api-2.17.0.jar
    2. log4j-core-2.17.0.jar
    3. log4j-jul-2.17.0.jar
    4. log4j-slf4j-impl-2.17.0.jar
  4. Extract the vulnerable jar file (myapplication.jar) using 7zip and check the location where the vulnerable jar files are packaged. Typically they are stored in:- \BOOT-INF\lib (the entry path inside the jar itself uses forward slashes, i.e. BOOT-INF/lib/).

Note:- At the time of writing this blog, the latest version was 2.17, which has the fix for the vulnerabilities CVE-2021-45046, CVE-2021-44228 and CVE-2021-45105.

Methodology
At a high level, the following are the tasks we will be performing.
  • Using 7Zip, we will first remove the vulnerable jars from the final package (jar file).
  • Using 7Zip, we will then add the updated Log4J jars to the existing package.
Steps:-
1. Open a command prompt and ensure the 7zip command (7z.exe) is on the PATH.

2. CD to the directory where the vulnerable jar file (say myapplication.jar) is located (say c:\TestApp\).

3. Run the following command:-
c:\TestApp>7Z.EXE d myapplication.jar -r log4j-api-2.13.0.jar

Repeat this for the other jars as well:-

c:\TestApp>7Z.EXE d myapplication.jar -r log4j-core-2.13.0.jar
c:\TestApp>7Z.EXE d myapplication.jar -r log4j-jul-2.13.0.jar
c:\TestApp>7Z.EXE d myapplication.jar -r log4j-slf4j-impl-2.13.0.jar

Note:- The -r option makes 7zip look recursively for the specified log4j file in every directory within myapplication.jar and delete all occurrences.
 
4. Create a folder structure in the same directory that replicates the location of the jar files inside the package (as determined in step 4 of the pre-requisites, i.e. \BOOT-INF\lib) and place the new log4j jar files (version 2.17.0) in that folder. The directory structure will then look like:- c:\TestApp\BOOT-INF\lib

5. Run the following command to add the updated log4j files:-
c:\TestApp>7Z.EXE a -mx=0 .\myapplication.jar BOOT-INF\lib\log4j-api-2.17.0.jar
and repeat for the other jars as well, as follows:-

c:\TestApp>7Z.EXE a -mx=0 .\myapplication.jar BOOT-INF\lib\log4j-core-2.17.0.jar
c:\TestApp>7Z.EXE a -mx=0 .\myapplication.jar BOOT-INF\lib\log4j-jul-2.17.0.jar
c:\TestApp>7Z.EXE a -mx=0 .\myapplication.jar BOOT-INF\lib\log4j-slf4j-impl-2.17.0.jar
 
myapplication.jar is now updated with the new log4j2 files!
 
Note:- The -mx=0 option is important: it stores the nested jars without compression. Spring Boot's launcher requires nested jars to be stored uncompressed, so without it the application will not start up and you would get the following error:-

Exception in thread "main" java.lang.IllegalStateException:
Unable to open nested entry 'BOOT-INF/lib/log4j-core-2.17.0.jar'.
It has been compressed and nested jar files must be stored without compression.
Please check the mechanism used to create your executable jar file

To confirm the result, list the archive with 7Z.EXE l -slt myapplication.jar and check that no 2.13.0 log4j entries remain and that each new 2.17.0 entry shows Method = Store. If the package also contains a BOOT-INF/classpath.idx file (present in Spring Boot 2.3 and later), update the old log4j file names listed there to the new ones so the index matches the archive contents.
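The same repack and the compression check, carried out with Python's standard zipfile module instead of 7zip, as an added example that is not part of the original post. It builds a small stand-in for myapplication.jar out of constructed placeholder jars (not real log4j artifacts), removes every nested entry named like the 2.13.0 jars from any directory (the equivalent of 7z d -r), adds the 2.17.0 stand-ins under BOOT-INF/lib stored rather than deflated (the equivalent of -mx=0), and then verifies that no vulnerable entry remains and that no nested jar is compressed, which is the condition behind the IllegalStateException above. The function names and the sample contents are this example's own assumptions.

```python
"""Added example: repack a Spring Boot fat jar with the standard library.
Removes the vulnerable nested log4j jars, adds the fixed ones uncompressed,
and verifies the result. Sample jar contents below are constructed stand-ins."""
import io
import os
import tempfile
import zipfile

OLD_LOG4J = "2.13.0"   # version embedded in the package in the post
NEW_LOG4J = "2.17.0"   # fixed version the post upgrades to
ARTIFACTS = ("log4j-api", "log4j-core", "log4j-jul", "log4j-slf4j-impl")
NESTED_DIR = "BOOT-INF/lib/"  # entry paths inside the jar use forward slashes


def fake_jar_bytes(name):
    """Tiny stand-in jar holding only a manifest (constructed; not a real log4j artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Title: {name}\n")
    return buf.getvalue()


def build_sample_jar(path):
    """Construct a minimal myapplication.jar: manifest, one class file, and the four
    vulnerable log4j jars nested under BOOT-INF/lib, stored uncompressed as Spring Boot does."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("BOOT-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe",
                     compress_type=zipfile.ZIP_DEFLATED)
        for artifact in ARTIFACTS:
            jar.writestr(f"{NESTED_DIR}{artifact}-{OLD_LOG4J}.jar", fake_jar_bytes(artifact),
                         compress_type=zipfile.ZIP_STORED)


def patch_nested_jars(jar_path, remove_names, add_files, stored=True):
    """Rewrite jar_path: drop every entry whose file name is in remove_names, in any
    directory (like 7z d -r), then add each (entry_name, local_path) pair from add_files.
    stored=True writes the new jars with ZIP_STORED, the equivalent of 7z's -mx=0;
    stored=False reproduces the mistake the post warns about. Returns the removed entry names."""
    tmp_path = jar_path + ".tmp"
    removed = []
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if os.path.basename(info.filename) in remove_names:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))  # passing the ZipInfo keeps its compression
        method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
        for entry_name, local_path in add_files:
            with open(local_path, "rb") as fh:
                dst.writestr(entry_name, fh.read(), compress_type=method)
    os.replace(tmp_path, jar_path)
    return removed


def verify_patched_jar(jar_path, vulnerable_version=OLD_LOG4J):
    """Return a list of problems: leftover log4j entries at the vulnerable version, and
    nested jars that are compressed (the cause of the IllegalStateException quoted in the post).
    An empty list means the jar passes both checks."""
    problems = []
    with zipfile.ZipFile(jar_path) as jar:
        for info in jar.infolist():
            base = os.path.basename(info.filename)
            if base.startswith("log4j-") and base.endswith(f"-{vulnerable_version}.jar"):
                problems.append(f"vulnerable entry still present: {info.filename}")
            if info.filename.endswith(".jar") and info.compress_type != zipfile.ZIP_STORED:
                problems.append(f"nested jar is compressed: {info.filename}")
    return problems


def demo(stored=True):
    """End-to-end run in a scratch directory: build the sample jar, stage the 2.17.0 stand-ins
    under BOOT-INF/lib on disk (step 4 of the post), patch, then verify.
    Returns (removed entries, problems found, nested jar entries after patching)."""
    with tempfile.TemporaryDirectory() as work:
        jar_path = os.path.join(work, "myapplication.jar")
        build_sample_jar(jar_path)
        lib_dir = os.path.join(work, "BOOT-INF", "lib")
        os.makedirs(lib_dir)
        add_files = []
        for artifact in ARTIFACTS:
            local = os.path.join(lib_dir, f"{artifact}-{NEW_LOG4J}.jar")
            with open(local, "wb") as fh:
                fh.write(fake_jar_bytes(artifact))
            add_files.append((f"{NESTED_DIR}{artifact}-{NEW_LOG4J}.jar", local))
        remove_names = {f"{artifact}-{OLD_LOG4J}.jar" for artifact in ARTIFACTS}
        removed = patch_nested_jars(jar_path, remove_names, add_files, stored=stored)
        problems = verify_patched_jar(jar_path)
        with zipfile.ZipFile(jar_path) as jar:
            nested = sorted(n for n in jar.namelist() if n.startswith(NESTED_DIR))
    return removed, problems, nested


if __name__ == "__main__":
    removed, problems, nested = demo()
    print("removed:", removed)
    print("nested jars now:", nested)
    print("problems:", problems or "none")
    print("with compression instead of -mx=0:", demo(stored=False)[1])
```

Running demo() with the default stored=True reports no problems; demo(stored=False) shows the four new jars flagged as compressed, which is exactly the state that makes the launcher refuse to start. On a real package, point patch_nested_jars and verify_patched_jar at the actual myapplication.jar and the downloaded 2.17.0 files instead of the constructed stand-ins.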