From 77fb42bda0aa5e19a8210aafe4b9374a66a20586 Mon Sep 17 00:00:00 2001 From: saharNooby Date: Sat, 11 Dec 2021 12:31:57 +0500 Subject: [PATCH] Update README --- README.md | 31 ++++++++++++++++++++++++++++++- pom.xml | 2 +- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fca09af..3ed5b3a 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,32 @@ # log4j-vulnerability-patcher-agent -Fixes CVE-2021-44228 in log4j by patching JndiLookup class. +This agent fixes critical vulnerability [CVE-2021-44228](https://www.lunasec.io/docs/blog/log4j-zero-day/) in log4j by patching `JndiLookup` class, as recommended [here](https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation). + +**WARNING: this is not a substitute for proper upgrade to log4j 2.15.0**, where this vulnerability was fixed for good. Use this agent **IF, and ONLY IF, you can't upgrade log4j in your app**. + +Agent can run on JRE 8 and higher, in any application (including Minecraft clients and servers). + +This will completely disable `JNDI` in log4j. If you need this functionality, do not use this agent. + +## How to use + +1. Download agent JAR or build it yourself +2. Add command line argument `-javaagent:/path/to/agent/log4j-vulnerability-patcher-agent.jar` to the start command of your app + +Example command line: + +```shell +java -javaagent:/home/user/log4j-vulnerability-patcher-agent.jar -Xmx1G spigot.jar +``` + +If everything is OK, on start agent will output `[Log4jVulnerabilityPatcherAgent] JndiLookup was patched, vulnerability fixed!`. + +## Build + +You will need JDK 8, Maven and Git. + +```shell +git clone https://github.com/saharNooby/log4j-vulnerability-patcher-agent.git +cd log4j-vulnerability-patcher-agent +mvn clean package +``` diff --git a/pom.xml b/pom.xml index 60a12e3..3f9998d 100644 --- a/pom.xml +++ b/pom.xml @@ -31,7 +31,7 @@ - true + log4j-vulnerability-patcher-agent
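Review bot: The example command line in the README.md hunk is missing `-jar` before `spigot.jar`, so `java` will treat `spigot.jar` as a main class name and the application will not start as written. Suggest `java -javaagent:/home/user/log4j-vulnerability-patcher-agent.jar -Xmx1G -jar spigot.jar`. The "How to use" section also only describes the success message (`JndiLookup was patched, vulnerability fixed!`). Since this agent is a security mitigation, it should state what the operator sees and should do when that line does not appear, so that a silent failure to patch is not mistaken for protection.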
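Review bot: The subject line "Update README" does not cover the pom.xml hunk, where the line holding `true` is replaced by one holding `log4j-vulnerability-patcher-agent`. This alters the build configuration rather than the documentation, so it should either be named in the commit message or go in its own commit, which keeps the history searchable for anyone auditing how the agent JAR is produced. If the intent is for the built file name to match the `log4j-vulnerability-patcher-agent.jar` path used in the README's `-javaagent:` example, saying so in the message would make that link explicit.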