# This script patches the log4j-core*.jar files against the CVE-2021-44228 vulnerability. # Note: this script depends on the RLI_HOME environment variable and this variable must be defined before # running the script. This variable should point to the root of your RadiantOne install, such as # C:\radiantone\vds # # The script will search for the vulnerability in all log4j jar files found under the RLI_HOME folder. # If the vulnerability is detected, you will have the option to patch it in place. # The script will also report if the vulnerability has already been patched. $originalScriptDir = split-path -parent $MyInvocation.MyCommand.Definition if ($null -eq $env:RLI_HOME) { "The RLI_HOME environment variable must be set prior to running this script. It typically points to the root of your radiantone install such as: C:\radiantone\vds" Exit 1 } $backupFolder="$env:RLI_HOME\backup" $backupFolderRegex=[regex]::escape($backupFolder) $files = Get-ChildItem -Path $env:RLI_HOME -Filter log4j-core*.jar -Recurse -ErrorAction SilentlyContinue -Force | Where-Object { ($_.FullName -notmatch $backupFolderRegex) } |Select-Object FullName Foreach ($item in $files) { if (Test-Path $item.FullName) { $jarListCommand=$env:RLI_HOME+"\jdk\bin\jar -tf "+$item.FullName $grepResult=Invoke-Expression $jarListCommand | findstr "org/apache/logging/log4j/core/lookup/JndiLookup.class" IF ($grepResult -ne $null) { $item.FullName + " still contains the Log4J vulnerability (CVE-2021-44228)." $confirmation = Read-Host "Patch this file? (y/n)" if ($confirmation -eq 'y') { "Patching "+$item.FullName "Making a backup to $backupFolder" if (-not(Test-Path $backupFolder)) { "Creating backup folder: $backupFolder" mkdir $backupFolder >$null } Copy-Item $item.FullName $backupFolder $workFolder=$env:RLI_HOME+"\work\log4jfixes" if (-not(Test-Path $workFolder)) { "Creating work folder: $workFolder" mkdir $workFolder >$null } cd $workFolder " Performing JAR extraction..." $jarExtractCommand=$env:RLI_HOME+"\jdk\bin\jar -xvf "+$item.FullName Invoke-Expression $jarExtractCommand >$null $jndilookupFile = $workFolder+"\org\apache\logging\log4j\core\lookup\JndiLookup.class" " Removing offending class from JAR..." Remove-Item $jndilookupFile $jarCreateCommand=$env:RLI_HOME+"\jdk\bin\jar -cvf "+$item.FullName+" .\" " Recreating JAR..." Invoke-Expression $jarCreateCommand >$null " Cleaning up the work folder..." Set-Location $originalScriptDir Remove-Item -LiteralPath $workFolder -Force -Recurse "JAR Patching Completed for "+$item.FullName "" } } else { $item.FullName + " is already safe and has been patched against the Log4J vulnerability (CVE-2021-44228)." "" } } } # Extra Steps For Version 7.3.17 and above. $workDocsFolder="$env:RLI_HOME\vds_server\work\docs" if (Test-Path $workDocsFolder) { "Removing folder $workDocsFolder" Remove-Item -LiteralPath $workDocsFolder -Force -Recurse "Done." "" } $docsWarPath="$env:RLI_HOME\apps\web\docs.war" $disabledAppsFolder="$env:RLI_HOME\apps\web\disabled" if (Test-Path $docsWarPath) { "Moving $docsWarPath to $disabledAppsFolder" Move-Item -Path $docsWarPath -Destination $disabledAppsFolder "Done." "" } Set-Location $originalScriptDir