Update-Log4shellVuln.ps1
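<# Update-Log4shellVuln.ps1
.SYNOPSIS
Update-Log4shellVuln.ps1 for the #log4shell vulnerability (CVE-2021-44228) takes the output of .\Get-Log4shellVuln.ps1, opens each listed JAR file and attempts to remove the JndiLookup.class file from the archive to mitigate the vulnerability.
.DESCRIPTION
Processes the JAR files listed (one path per line) in log4j-vuln.csv and removes every entry named JndiLookup.class.
After each archive is written back it is reopened read-only and the JndiLookup.class entries still present are counted; the total is written to log4j-fix.txt.
.PARAMETER logFolder
Folder that holds the input list (log4j-vuln.csv) and receives the result file (log4j-fix.txt). Defaults to C:\.
.NOTES
- This is a mitigation, not a fix: upgrading log4j-core to a fixed release remains the remediation.
- Archives are modified in place and no backup copy is made. Take a copy first if rollback may be needed.
- Only the entries of each listed archive are examined. A log4j-core JAR nested inside another archive (WAR, EAR, fat JAR) is not opened by this script.
- A JVM that has already loaded the class keeps it in memory, and may hold the file open; restart the affected service after the archive has been changed.
- The input list decides which archives get rewritten, so keep it in a folder that only administrators can write to.
#>
param (
    [Parameter(Mandatory = $false)]
    [string]
    $logFolder = "C:\"
)

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Join-Path avoids the doubled separator that "$logFolder\..." produces with the default "C:\".
$vulnerableCsv = Join-Path $logFolder 'log4j-vuln.csv'
$mitigationResultFile = Join-Path $logFolder 'log4j-fix.txt'

$JndiLookupCount = 0   # JndiLookup.class entries still present on disk after processing
$failedCount = 0       # archives that could not be updated or verified

# The input has no header row; -Header makes the first line data instead of column names.
$jarFiles = Import-Csv -LiteralPath $vulnerableCsv -Header "Name"

foreach ($jarFile in $jarFiles) {
    Write-Output $jarFile

    $jarPath = $jarFile.Name
    if ([string]::IsNullOrWhiteSpace($jarPath) -or -not (Test-Path -LiteralPath $jarPath -PathType Leaf)) {
        Write-Warning "Skipping '$jarPath': not an existing file"
        $failedCount++
        continue
    }

    # Reset per iteration so a failed open can never fall through to the previous
    # archive's (already disposed) objects.
    $stream = $null
    $zip = $null
    try {
        $stream = New-Object IO.FileStream($jarPath, [IO.FileMode]::Open)
        $zip = New-Object IO.Compression.ZipArchive($stream, [IO.Compression.ZipArchiveMode]::Update)

        # @(...) snapshots the matches before any Delete() changes the entry collection.
        $targets = @($zip.Entries | Where-Object { $_.Name -eq 'JndiLookup.class' })
        foreach ($entry in $targets) {
            Write-Output "Deleting $($entry.FullName)"
            $entry.Delete()
        }
    }
    catch {
        # Typical causes: file locked by a running JVM, access denied, or not a valid archive.
        Write-Warning "Could not update ${jarPath}: $($_.Exception.Message)"
        $failedCount++
    }
    finally {
        # In Update mode the archive is only written back to the file on Dispose().
        try {
            if ($null -ne $zip) { $zip.Dispose() }
        }
        catch {
            Write-Warning "Could not write ${jarPath}: $($_.Exception.Message)"
            $failedCount++
        }
        finally {
            if ($null -ne $stream) { $stream.Dispose() }
        }
    }

    # Count what is actually left on disk. Counting the in-memory archive before
    # Dispose() would report 0 even when the write-back (or the open) failed.
    $verify = $null
    try {
        $verify = [IO.Compression.ZipFile]::OpenRead($jarPath)
        $JndiLookupCount += @($verify.Entries | Where-Object { $_.Name -eq 'JndiLookup.class' }).Count
    }
    catch {
        Write-Warning "Could not verify ${jarPath}: $($_.Exception.Message)"
        $failedCount++
    }
    finally {
        if ($null -ne $verify) { $verify.Dispose() }
    }
}

"$JndiLookupCount" | Out-File -LiteralPath $mitigationResultFile
Write-Output "JndiLookup files end state: $JndiLookupCount"

if ($failedCount -gt 0) {
    # A zero end-state count only covers archives that could be read; surface the rest.
    Write-Warning "$failedCount problem(s) occurred while updating or verifying archives; review the warnings above"
}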