Delete JndiLookup.class

shrikantgulia · December 11, 2021, 1:23pm

Dear Team,

I am unable to find the file
zip -q -d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class

Can someone please help me or guide me.

Regards

X11 · December 12, 2021, 2:35am

if you have logstash running on a linux server should be in

/usr/share/logstash/logstash-core/lib/jars/

shrikantgulia · December 12, 2021, 2:48am

Hi @X11 ,

Thankyou for the response.
I can find the jars in the location
-d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.*

But what about the path

org/apache/logging/log4j/core/lookup/JndiLookup.class

Regards

fanboy1234 · December 12, 2021, 2:56am

If the logstash is run as Docker container then how do we delete jndilookup class. Please throw some light

X11 · December 12, 2021, 5:45am

The .class file is the class you’re deleting from the jar file ; if you copied that .jar file to /tmp and ran unzip on it, you’d see all the Java classes that make up the jar…

I would think it’s same location in docker, so the first thing I would do, w/out a ton of docker experience, is basically add the same command to my Dockerfile, build the image and test it out… it’s pretty arbitrary to test, I could trigger outbound ldap (389/tcp) with this logstash config

input {
    tcp { 
        port => 1337
        codec => json 
    }
output { 
—- SNIP —-

then send a message to ther listener with the common payload going around; if you’re doing it in bash you have to escape the “$”, at least that’s what worked for me. Mods sorry in advance for the dns names in the screenshots

Kami · December 12, 2021, 12:10pm

Here is a workaround / temporary mitigation I'm using from another thread which utilizes a Dockerfile - Zero-day-exploit in log4j2 which is part of elasticsearch - #35 by Kami.

Keep in mind that glob expansion approach didn't work for me so I use full absolute path - make sure the full path is the same in your case (it may be different with older logstash versions, but I didn't dig in).

shrikantgulia · December 13, 2021, 5:07am

Hello @Kami ,

Can you please let me know the path Jndilookup.class in the jar file.
since losgstash home is /usr/share/logstash.

your help would be much appreciated.

Regards

Kami · December 13, 2021, 9:36am

It may be different in your deployment and logstash version.

You should use "jar" command to find out the path for that class.

jar tf /opt/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar | grep -i jndi

You should of course replace "/opt/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar" with a path to the jar file in your setup (find /usr/share/logstash -name "log4*core*.jar).

zanoob · December 14, 2021, 12:27pm

I was able to find the Jndilookup.class from that command as shown below:

jar tf /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.13.3.jar | grep -i jndi
org/apache/logging/log4j/core/selector/JndiContextSelector.class
org/apache/logging/log4j/core/lookup/JndiLookup.class
org/apache/logging/log4j/core/net/JndiManager$1.class
org/apache/logging/log4j/core/net/JndiManager.class
org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
org/apache/logging/log4j/core/util/JndiCloser.class

and tried to delete it using the command (where /usr/share/logstash is my home directory for logstash)

zip -q -d /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class

-bash: zip: command not found

Regards,
Zanoob

sandeepkanabar · December 14, 2021, 7:46pm

If you are using bash and the **/* does NOT work, then run shopt -s globstar before running the zip command.

shopt -s globstar
ls -lrt /usr/share/logstash/logstash-core/**/*/log4j-core-2.*

zip -d <output_of_above_command> org/apache/logging/log4j/core/lookup/JndiLookup.class
chown logstash:logstash <output_of_above_command>

Restart Logstash.

shrikantgulia · December 16, 2021, 5:38am

thankyou people.

Regards
Shrikant

anhlqn · December 16, 2021, 10:31pm

Do you know how to remove the class for the Jar file on windows side besides copying the file over to Linux to remove the class file? I tried opening the file w/ 7-zip to delete the class file but that didn't work. Wonder if it's possible to extract, delete, and rearchive.

sandeepkanabar · December 17, 2021, 6:04am

you should be able to use equivalent windows command-line zip tools. I remember seeing a post that someone did it on windows but cannot recollect.

sandeepkanabar · December 21, 2021, 6:42am

Elastic has come out with a removal tool and an excellent article on Logstash that should clarify all the doubts - Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation

zanoob · January 3, 2022, 1:46pm

Hello Sandeep,

Thank you for the reply, I ran the command
shopt -s globstar
ls -lrt /usr/share/logstash/logstash-core/**//log4j-core-2.

Since you mentioned */ does not run from bash and then I tried to runt the zip file, but still getting an error.

[root@serverlogstash jars]# shopt -s globstar
[root@serverlogstash jars]# ls -lrt /usr/share/logstash/logstash-core/**//log4j-core-2.
-rw-r--r--. 1 logstash logstash 1714164 Mar 18 2021 /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.13.3.jar
[root@serverlogstash jars]#
[root@serverlogstash jars]# zip -d /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.classchown logstash:logstash /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.13.3.jar
-bash: zip: command not found
[root@serverlogstash jars]# pwd
/usr/share/logstash/logstash-core/lib/jars
[root@serverlogstash jars]#

Regards,
Zanoob

sandeepkanabar · January 3, 2022, 4:53pm

Looks like zip is not installed in your machine. Please install the zip utility and then re-run

zanoob · January 4, 2022, 2:49pm

That worked .
Thank you.

system · February 1, 2022, 2:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.