Delete JndiLookup.class

Dear Team,

I am unable to find the file
zip -q -d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class

Can someone please help me or guide me.

Regards

If you have Logstash running on a Linux server, it should be in

/usr/share/logstash/logstash-core/lib/jars/

Hi @X11 ,

Thank you for the response.
I can find the jars in the location
-d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.*

But what about the path

org/apache/logging/log4j/core/lookup/JndiLookup.class

Regards

If Logstash is run as a Docker container, then how do we delete the JndiLookup class? Please throw some light.

The .class file is the class you're deleting from the jar file; if you copied that .jar file to /tmp and ran unzip on it, you'd see all the Java classes that make up the jar…

I would think it's the same location in Docker, so the first thing I would do, without a ton of Docker experience, is basically add the same command to my Dockerfile, build the image and test it out… it's pretty arbitrary to test; I could trigger outbound LDAP (389/tcp) with this Logstash config

input {
    tcp {
        port => 1337
        codec => json
    }
}
output {
--- SNIP ---

then send a message to the listener with the common payload going around; if you're doing it in bash you have to escape the "$", at least that's what worked for me. Mods, sorry in advance for the DNS names in the screenshots.



Here is a workaround / temporary mitigation I'm using from another thread which utilizes a Dockerfile - Zero-day-exploit in log4j2 which is part of elasticsearch - #35 by Kami.

Keep in mind that the glob expansion approach didn't work for me, so I use the full absolute path - make sure the full path is the same in your case (it may be different with older Logstash versions, but I didn't dig in).

Hello @Kami ,

Can you please let me know the path of JndiLookup.class in the jar file,
since the Logstash home is /usr/share/logstash.

Your help would be much appreciated.

Regards

It may be different in your deployment and Logstash version.

You should use the "jar" command to find out the path for that class.

jar tf /opt/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar | grep -i jndi

You should of course replace "/opt/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar" with the path to the jar file in your setup (find /usr/share/logstash -name "log4*core*.jar").

I was able to find JndiLookup.class with that command, as shown below:

jar tf /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.13.3.jar | grep -i jndi
org/apache/logging/log4j/core/selector/JndiContextSelector.class
org/apache/logging/log4j/core/lookup/JndiLookup.class
org/apache/logging/log4j/core/net/JndiManager$1.class
org/apache/logging/log4j/core/net/JndiManager.class
org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
org/apache/logging/log4j/core/util/JndiCloser.class

and tried to delete it using the following command (where /usr/share/logstash is my home directory for Logstash)

zip -q -d /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class

-bash: zip: command not found

Regards,
Zanoob

If you are using bash and the **/* does NOT work, then run shopt -s globstar before running the zip command.

shopt -s globstar
ls -lrt /usr/share/logstash/logstash-core/**/*/log4j-core-2.*
zip -d <output_of_above_command> org/apache/logging/log4j/core/lookup/JndiLookup.class
chown logstash:logstash <output_of_above_command>

Restart Logstash.


Thank you, people.

Regards
Shrikant

Do you know how to remove the class for the Jar file on windows side besides copying the file over to Linux to remove the class file? I tried opening the file w/ 7-zip to delete the class file but that didn't work. Wonder if it's possible to extract, delete, and rearchive.

You should be able to use equivalent Windows command-line zip tools. I remember seeing a post where someone did it on Windows, but I cannot recollect it.

Elastic has come out with a removal tool and an excellent article on Logstash that should clarify all the doubts - Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation

Hello Sandeep,

Thank you for the reply. I ran the commands
shopt -s globstar
ls -lrt /usr/share/logstash/logstash-core/**/*/log4j-core-2.*

since you mentioned **/* does not run from bash, and then I tried to run the zip command, but I am still getting an error.

[root@serverlogstash jars]# shopt -s globstar
[root@serverlogstash jars]# ls -lrt /usr/share/logstash/logstash-core/**/*/log4j-core-2.*
-rw-r--r--. 1 logstash logstash 1714164 Mar 18 2021 /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.13.3.jar
[root@serverlogstash jars]#
[root@serverlogstash jars]# zip -d /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.classchown logstash:logstash /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.13.3.jar
-bash: zip: command not found
[root@serverlogstash jars]# pwd
/usr/share/logstash/logstash-core/lib/jars
[root@serverlogstash jars]#

Regards,
Zanoob

Looks like zip is not installed on your machine. Please install the zip utility and then re-run.

That worked.
Thank you.
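As an added example (not from the thread or from Elastic), here is a Python stand-in for the `jar tf` / `zip -d` / `chown` steps above, for hosts where `zip` is not installed or for the Windows case: it locates log4j-core-2.* jars under a Logstash home, checks for the JndiLookup entry, removes it by rewriting the archive, and verifies the result. It runs against a constructed directory tree with dummy class bodies; the Logstash restart is still a manual step.

```python
import os
import tempfile
import zipfile

# Entry path as listed by `jar tf log4j-core-2.13.3.jar | grep -i jndi` in the thread.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_log4j_core_jars(root):
    """Walk root (e.g. LOGSTASH_HOME) and return every log4j-core-2.* jar, sorted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files
                 if f.startswith("log4j-core-2.") and f.endswith(".jar")]
    return sorted(hits)

def contains_jndi_lookup(jar_path):
    """Read-only check; answers the same question as `jar tf ... | grep -i jndi`."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place); True if removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        tmp_path = jar_path + ".tmp"  # same directory, so the final rename is atomic
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))  # keeps compression/timestamps
    st = os.stat(jar_path)
    os.chmod(tmp_path, st.st_mode)  # copy mode and ownership, replacing the chown step
    if hasattr(os, "chown"):  # not available on Windows
        os.chown(tmp_path, st.st_uid, st.st_gid)
    os.replace(tmp_path, jar_path)  # Logstash still has to be restarted afterwards
    return True

def demo():
    """Run the mitigation against a constructed LOGSTASH_HOME tree and return the checks."""
    with tempfile.TemporaryDirectory() as home:
        jars_dir = os.path.join(home, "logstash-core", "lib", "jars")
        os.makedirs(jars_dir)
        jar = os.path.join(jars_dir, "log4j-core-2.13.3.jar")  # constructed stand-in jar
        with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:  # dummy class bodies
            zf.writestr("org/apache/logging/log4j/core/net/JndiManager.class", b"\xca\xfe")
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe")
        found = find_log4j_core_jars(home) == [jar]
        before, removed = contains_jndi_lookup(jar), remove_jndi_lookup(jar)
        with zipfile.ZipFile(jar) as zf:
            return found, before, removed, JNDI_LOOKUP in zf.namelist(), len(zf.namelist())
```

Point `find_log4j_core_jars` at the real Logstash home and call `remove_jndi_lookup` on each hit; `demo()` returns (found, present before, removed, present after, entries left).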
