My Experience Patching Log4j
As you likely know, the Log4j vulnerability is a serious threat and has been affecting thousands of people.
I recently had to handle patching Log4j for a client of mine. While scanning client environments for the Log4j vulnerability, I came across one environment with a positive match. On further investigation, the match was coming from the surveillance system. I began remediation by looking into updates provided by the surveillance vendor, but as it turned out, the system was end-of-life (EOL) and no longer receiving security updates.
This led me to look for alternative ways to patch the system. After researching the best way to mitigate Log4j without being able to upgrade it to the latest version, I settled on the next best method: removing the JndiLookup class file. I renamed the .jar file to .zip to access its contents, browsed to the location of the vulnerable file, JndiLookup.class, and began remediation.
My first step in remediating this was to make a copy of the file, so that I could test and confirm that the fix would not knock the surveillance system offline. After creating my backups, I removed the vulnerable file, restarted the surveillance system, and tested it. Initially, it was not working as it should have, but after rebooting the server everything resumed normal operation.
After monitoring the system for a while to make sure it remained stable, I re-ran a vulnerability scan to confirm that removing the JndiLookup class had removed the threat. The scan came back clean and the threat was no longer present.
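The same back-up, remove, re-check procedure in script form, added here as an example and not the author's own tooling: it strips JndiLookup.class with Python's zipfile module instead of renaming the jar to .zip, keeps a .bak copy for rollback, and reports whether the class is still present. The jar it operates on is constructed for the demonstration; the entry path org/apache/logging/log4j/core/lookup/JndiLookup.class comes from the Log4j source tree, not from the post.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entry name inside log4j-core jars (from the Log4j source tree, not from the post).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_jndi_lookup(jar_path):
    """Return the jar entries that are JndiLookup.class (normally zero or one)."""
    with zipfile.ZipFile(jar_path) as zf:
        return [n for n in zf.namelist() if n.endswith("/JndiLookup.class")]

def remove_jndi_lookup(jar_path):
    """Back up the jar and rewrite it without JndiLookup.class; None if already clean."""
    if not find_jndi_lookup(jar_path):
        return None
    backup = jar_path.with_suffix(jar_path.suffix + ".bak")  # copy kept for rollback
    shutil.copy2(jar_path, backup)
    tmp = jar_path.with_suffix(".tmp")
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename.endswith("/JndiLookup.class"):
                continue  # drop the vulnerable class; every other entry is copied as-is
            dst.writestr(item, src.read(item.filename))
    tmp.replace(jar_path)  # swap the cleaned jar into place
    return backup

def build_sample_jar(directory):
    """Constructed stand-in for a vendor-shipped log4j-core jar (not a real artifact)."""
    jar = directory / "log4j-core-sample.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return jar

def demo():
    """Run the whole workflow against a constructed jar in a scratch directory."""
    jar = build_sample_jar(Path(tempfile.mkdtemp()))
    before = find_jndi_lookup(jar)
    backup = remove_jndi_lookup(jar)
    return {
        "before": before,                                     # [JNDI_LOOKUP]
        "after": find_jndi_lookup(jar),                       # []
        "backup_intact": find_jndi_lookup(backup) == before,  # True
        "second_run": remove_jndi_lookup(jar),                # None: already clean
    }

if __name__ == "__main__":
    print(demo())
```

On a real system, point remove_jndi_lookup at the vendor's log4j-core jar while the application is stopped, then restart it and re-scan, as described above.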
My thoughts on this?
This vulnerability is quite serious, and it demonstrated to me and my company that it can be present where you would least expect it. It also shows the importance of having supported systems in your environment. In my case, we formally and strongly recommended upgrading the surveillance system to a new, maintained product, so that we can avoid the further issues and disruptions that come with these threats and unsupported hardware. This was a great learning experience for me, and it allowed me to deepen my knowledge of the threat by researching how to defend against and patch it.