Last active
December 13, 2021 21:49
-
-
Save iversond/8672cef4ef3b60dcdb1255947e18ebc9 to your computer and use it in GitHub Desktop.
(Optional) Download GLIBC 2.14 and copy to a common location (http://ftp.gnu.org/gnu/glibc/glibc-2.14.tar.gz). Download the log4j-Scanner tool (https://github.com/logpresso/CVE-2021-44228-Scanner) to a common location. This script will use the scanner tool to identify and remove the vulnerable classes from the log4j libraries.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # shellcheck disable=2059,2154,2034,2155,2046,2086 | |
| #=============================================================================== | |
| # vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spelllang=en ft=sh | |
| #=============================================================================== | |
| # | |
| # Usage: scan_log4j.sh <Fix Y/N> <(Optional) Debug: true/false> | |
| # | |
| # Examples: | |
| # Scan and Fix libraries | |
| # scan_log4j.sh Y | |
| # | |
| # Scan with debug mode enabled | |
| # scan_log4j.sh N true | |
| # | |
| set -e # Exit immediately on error | |
| set -u # Treat unset variables as an error | |
| set -o pipefail # Prevent errors in a pipeline from being masked | |
| IFS=$'\n\t' # Set the internal field separator to a tab and newline | |
| ############### | |
| # Variables # | |
| ############### | |
| declare -A timings | |
| fix=${1} | |
| DEBUG=${2:-false} | |
| ############### | |
| # Functions # | |
| ############### | |
| function echoinfo() { | |
| local GC="\033[1;32m" | |
| local EC="\033[0m" | |
| printf "${GC} ☆ INFO${EC}: %s${GC}\n" "$@"; | |
| } | |
| function echodebug() { | |
| local BC="\033[1;34m" | |
| local EC="\033[0m" | |
| local GC="\033[1;32m" | |
| if [[ ${DEBUG}=="true" ]]; then | |
| printf "${BC} ★ DEBUG${EC}: %s${GC}\n" "$@"; | |
| fi | |
| } | |
| function echoerror() { | |
| local RC="\033[1;31m" | |
| local EC="\033[0m" | |
| printf "${RC} ✖ ERROR${EC}: %s\n" "$@" 1>&2; | |
| } | |
| function display_timings_summary() { | |
| local divider='==============================' | |
| divider=$divider$divider | |
| local header="\n %-28s %s\n" | |
| local format=" %-28s %s\n" | |
| local width=40 | |
| local total_duration=0 | |
| for duration in "${timings[@]}"; do | |
| total_duration=$((duration + total_duration)) | |
| done | |
| printf "$header" "TASK" "DURATION" | |
| printf "%$width.${width}s\n" "$divider" | |
| for key in "${!timings[@]}"; do | |
| local converted_timing=$(date -u -d @${timings[$key]} +"%T") | |
| printf "$format" "$key" "${converted_timing}" | |
| done | |
| printf "%$width.${width}s\n" "$divider" | |
| printf "$format" "TOTAL TIME:" $(date -u -d @${total_duration} +"%T") | |
| printf "\n" | |
| } | |
| # Download the GLIBC 2.14 libraries before running this: http://ftp.gnu.org/gnu/glibc/glibc-2.14.tar.gz | |
| function install_glibc_214(){ | |
| local begin=$(date +%s) | |
| if test -f '/opt/glibc-2.14/bin/xtrace'; then | |
| echoinfo "GLIBC 2.14 Installed" | |
| else | |
| echoinfo "Installing GLIBC 2.14" | |
| if [[ ${DEBUG} == 'true' ]]; then | |
| echoinfo "Unset LD_LIBRARY_PATH" | |
| unset LD_LIBRARY_PATH | |
| echoinfo "Download GLIBC 2.14" | |
| mkdir -p ~/glibc_install; cd ~/glibc_install | |
| cp /mnt/software/misc/glibc-2.14.tar.gz . | |
| tar zxvf glibc-2.14.tar.gz | |
| cd glibc-2.14 | |
| mkdir -p build | |
| cd build | |
| echoinfo "Configure" | |
| ../configure --prefix=/opt/glibc-2.14 | |
| echoinfo "Make" | |
| make -j4 | |
| sudo mkdir -p /opt/glibc-2.14/etc/ | |
| sudo touch /opt/glibc-2.14/etc/ld.so.conf | |
| echoinfo "Install" | |
| sudo make install | |
| else | |
| echoinfo "Unset LD_LIBRARY_PATH" | |
| unset LD_LIBRARY_PATH | |
| echoinfo "Download GLIBC 2.14" | |
| mkdir -p ~/glibc_install; cd ~/glibc_install | |
| cp /mnt/software/misc/glibc-2.14.tar.gz . > /dev/null 2>&1 | |
| tar zxvf glibc-2.14.tar.gz > /dev/null 2>&1 | |
| cd glibc-2.14 | |
| mkdir -p build | |
| cd build | |
| echoinfo "Configure" | |
| ../configure --prefix=/opt/glibc-2.14 > /dev/null 2>&1 | |
| echoinfo "Make" | |
| make -j4 > /dev/null 2>&1 | |
| echoinfo "Install" | |
| sudo mkdir -p /opt/glibc-2.14/etc/ | |
| sudo touch /opt/glibc-2.14/etc/ld.so.conf | |
| sudo make install > /dev/null 2>&1 | |
| fi | |
| fi | |
| local end=$(date +%s) | |
| local tottime="$((end - begin))" | |
| timings[install_glibc_214]=$tottime | |
| } | |
| function scan_for_vulnerability(){ | |
| local begin=$(date +%s) | |
| if [[ ${fix} == 'N' ]]; then | |
| echoinfo "Scanning app drive for vulnerable log4j libraries" | |
| sudo sh -c "export LD_LIBRARY_PATH=/opt/glibc-2.14/lib; /mnt/software/misc/log4j2-scan /u01/app" | |
| fi | |
| if [[ ${fix} == 'Y' ]]; then | |
| echoinfo "Stopping PeopleSoft" | |
| psa stop | |
| echoinfo "Attemping to fix vulnerable log4j libraries" | |
| sudo sh -c "export LD_LIBRARY_PATH=/opt/glibc-2.14/lib; echo 'y' | /mnt/software/misc/log4j2-scan --fix /u01/app" | |
| echoinfo "Starting PeopleSoft" | |
| psa start | |
| fi | |
| local end=$(date +%s) | |
| local tottime="$((end - begin))" | |
| timings[scan_for_vulnerability]=$tottime | |
| } | |
| ######## | |
| # Main # | |
| ######## | |
| echoinfo "Fix Mode: ${fix}" | |
| echoinfo "Debug Mode: ${DEBUG}" | |
| # Install GLIBC 2.14 if necesary | |
| # install_glibc_214 | |
| scan_for_vulnerability | |
| display_timings_summary | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment