How to delete the JndiLookup.class class from an embedded jar in Linux
Olivia Zamora
I have log4j-core-2.11.0.jar, which is embedded in another jar. I need to delete the JndiLookup class from log4j-core, but I am not finding any option, as it is embedded.
If I needed to delete it from the outer jar, it would be easy, but with the inner jar I have no idea how to do this.
Ex.: jar tf outer.jar - will give me all the content, including log4j-core.jar
Please help with this!
3 Answers
For Windows, install 7-Zip and do the following: open cmd as administrator
cd {App Directory}
for /R %f in (*log4j-core*.jar) do "C:\program Files\7-Zip\7z" d %f org/apache/logging/log4j/core/lookup/JndiLookup.class
For Linux, install zip and run the command below:
zip -q -d {App Directory}/log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
or
find . -type f -name "*log4j-core*.jar" -execdir zip -q -d "{}" org/apache/logging/log4j/core/lookup/JndiLookup.class \;
1
A good alternative is to intercept the call to the vulnerable method lookup and make it harmless. This is the solution provided by log4j-jndi-be-gone.
Thanks for your answer, Mohamed Saad.
We just need to make sure that, for example in the case of Windows services that use the jar files, the services are stopped; otherwise the jar files will not be modified.
Also the %f should be quoted, just in case there are spaces in the path.
Like this:
for /R %f in (*log4j-core*.jar) do "C:\program Files\7-Zip\7z" d "%f" org/apache/logging/log4j/core/lookup/JndiLookup.class
Thank you,
1
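For the embedded-jar case the question asks about, the following is an added example, not code from any of the answers above: it rewrites the outer jar and drops JndiLookup.class from every jar nested inside it, which goes beyond the one-level case in the question by recursing to any depth. The names strip_jndi and patch_file and the list of archive suffixes are assumptions made for this example.

```python
import io
import os
import sys
import zipfile

# Entry the answers above delete from log4j-core.
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")  # assumption: suffixes treated as nested archives


def strip_jndi(blob):
    """Return (archive_bytes, removed) with JndiLookup.class dropped at any nesting depth."""
    removed = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI:
                removed += 1
                continue
            data = src.read(info)
            if info.filename.lower().endswith(ARCHIVES):
                try:
                    inner, n = strip_jndi(data)  # recurse into the embedded jar
                except zipfile.BadZipFile:
                    n = 0  # not a readable archive: copy it through untouched
                if n:
                    data, removed = inner, removed + n
            # Passing the original ZipInfo keeps each entry's name, timestamp and
            # compression method (a stored inner jar stays stored).
            dst.writestr(info, data)
    return (out.getvalue() if removed else blob), removed


def patch_file(path):
    """Rewrite path in place only if something was removed; return the count."""
    with open(path, "rb") as fh:
        original = fh.read()
    patched, removed = strip_jndi(original)
    if removed:
        tmp = path + ".tmp"
        with open(tmp, "wb") as fh:
            fh.write(patched)
        os.replace(tmp, path)  # atomic swap; stop the service using the jar first
    return removed


if __name__ == "__main__":
    for jar in sys.argv[1:]:
        print(jar, patch_file(jar))
```

Run it as `python3 script.py outer.jar`; a printed count of 0 means no JndiLookup.class was found and the file was left unchanged.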