Skip to content

Adding JAVA_TOOL_OPTIONS test and Readme updates. #45

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Adding JAVA_TOOL_OPTIONS test and Readme updates. #45

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e595da5
Add test for JAVA_TOOL_OPTIONS
lutkerd Dec 21, 2021
fa93af4
Update readme for disabling logging
lutkerd Dec 21, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 22 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,27 @@ There are a set of tests that can be run outside Gradle or Maven.
build-tools/bin/run_tests.sh Log4jHotPatch.jar <JDK_ROOT>
```

### Disable Verbose Output

With the hotpatch agent there is additional logging that in earlier versions went to stdout instead of stderr. When the output of a Java command was parsed this could cause an error due to the unexpected log lines. If you can update to a newer version of the hotpatch jar the issue should go away, for those that cannot update you can disable the output when using the static agent by appending `log4jFixerVerbose=false` or when patching a running JVM by setting the system propery `-Dlog4jFixerVerbose=false`, below are some examples.

```
# Only 1 of these needs to be set
export JAVA_TOOL_OPTIONS=-javaagent:/opt/tools/Log4jHotPatch.jar=log4jFixerVerbose=false

# or
export _JAVA_OPTIONS=-javaagent:/opt/tools/Log4jHotPatch.jar=log4jFixerVerbose=false

# or
/path/to/java [java-args] -javaagent:/opt/tools/Log4jHotPatch.jar=log4jFixerVerbose=false
```

When using it in hotpatch mode you can run
```
java -Dlog4jFixerVerbose=false -jar /opt/tools/Log4jHotPatch.jar <pid_to_patch>
```


## Known issues

If you get an error like:
Expand All @@ -75,7 +96,7 @@ com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file: ta
at Log4jHotPatch.loadInstrumentationAgent(Log4jHotPatch.java:182)
at Log4jHotPatch.main(Log4jHotPatch.java:259)
```
this means you're running as a different user (including root) than the target JVM. JDK 8 can't handle patching as root user (and triggers a thread dump in the target JVM which is harmless). In JDK 11 patching a non-root process from a root process works just fine.
this means you're running as a different user (including root) than the target JVM. JDK 8 can't handle patching as root user (and triggers a thread dump in the target JVM which is harmless). In JDK 11 patching a non-root process from a root process works just fine.

If you get an error like this in the target process:
```
Expand Down
12 changes: 12 additions & 0 deletions build-tools/bin/run_tests.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -260,4 +260,16 @@ if [[ -z "${SKIP_STATIC}" ]]; then
sleep 2

verify_target $VULN_PID

echo "******************"
echo "Running Static JAVA_TOOL_OPTIONS JDK${JVM_MV} Test"

JAVA_TOOL_OPTIONS="-javaagent:${AGENT_JAR}"
export JAVA_TOOL_OPTIONS
start_target ${JDK_DIR}
VULN_PID=$!

sleep 2

verify_target $VULN_PID
fi