CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
An agent to hotpatch the log4j RCE from CVE-2021-44228.
Readme
# Log4jHotPatch

This is a tool which injects a Java agent into a running JVM process. The agent will attempt to patch the `lookup()` method of all loaded `org.apache.logging.log4j.core.lookup.JndiLookup` instances to unconditionally return the string "Patched JndiLookup::lookup()". It is designed to address the [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228/) remote code execution vulnerability in Log4j without restarting the Java process. This tool will also address [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046/).

This has currently been tested only with JDK 8, 11, 15 and 17 on Linux!

## Building
### Gradle
To build on Linux, macOS and Windows Subsystem for Linux
```
./gradlew build
```

To build on Windows
```
.\gradlew.bat build
```

Use the command for the platform you are building on. This will generate `build/libs/Log4jHotPatch.jar`.

### Maven

To build using Maven, use

```
mvn clean package
```

This will generate a `target/Log4jHotPatch.jar`.

## Running

JDK 8
```
java -cp <java-home>/lib/tools.jar:Log4jHotPatch.jar Log4jHotPatch <java-pid>
```

JDK 11 and newer
```
java -jar Log4jHotPatch.jar <java-pid>
```

### Running the static agent

Simply add the agent to your java command line as follows:
```
java -classpath <class-path> -javaagent:Log4jHotPatch.jar <main-class> <arguments>
```

### Testing the agent
There is a set of tests that can be run outside Gradle or Maven.
```
build-tools/bin/run_tests.sh Log4jHotPatch.jar <JDK_ROOT>
```

## Known issues

If you get an error like:
```
Exception in thread "main" com.sun.tools.attach.AttachNotSupportedException: The VM does not support the attach mechanism
	at jdk.attach/sun.tools.attach.HotSpotAttachProvider.testAttachable(HotSpotAttachProvider.java:153)
	at jdk.attach/sun.tools.attach.AttachProviderImpl.attachVirtualMachine(AttachProviderImpl.java:56)
	at jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:207)
	at Log4jHotPatch.loadInstrumentationAgent(Log4jHotPatch.java:115)
	at Log4jHotPatch.main(Log4jHotPatch.java:139)
```
this means that your JVM is refusing any kind of help because it is running with `-XX:+DisableAttachMechanism`.

If you get an error like:
```
com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file: target process not responding or HotSpot VM not loaded
	at sun.tools.attach.LinuxVirtualMachine.<init>(LinuxVirtualMachine.java:106)
	at sun.tools.attach.LinuxAttachProvider.attachVirtualMachine(LinuxAttachProvider.java:63)
	at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:208)
	at Log4jHotPatch.loadInstrumentationAgent(Log4jHotPatch.java:182)
	at Log4jHotPatch.main(Log4jHotPatch.java:259)
```
this means you're running as a different user (including root) than the target JVM. JDK 8 can't handle patching as root user (and triggers a thread dump in the target JVM which is harmless). In JDK 11 patching a non-root process from a root process works just fine. 

If you get an error like this in the target process:
```
Exception in thread "Attach Listener" java.lang.ExceptionInInitializerError
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:386)
        at sun.instrument.InstrumentationImpl.loadClassAndCallAgentmain(InstrumentationImpl.java:411)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "log4jFixerAgentVersion" "write")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:886)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.System.setProperty(System.java:794)
        at Log4jHotPatch.<clinit>(Log4jHotPatch.java:66)
```
it means the target process has a security manager installed. Look for this command line option in the target process:
```
-Djava.security.policy=/local/apollo/.../apollo-security.policy
```
If you encounter this error, make sure you are using the latest version of the tool.

**Important:** If you attempted to patch as the wrong user, you may need to delete `.attach_pid<pid>` files (found in `/tmp` and/or the CWD of the VM process) before trying again. These files need to have the right ownership for attach to succeed.
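
The following pre-flight script is an added example, not part of Log4jHotPatch: it checks a target JVM for the blockers described above (`-XX:+DisableAttachMechanism`, a user mismatch, a `-Djava.security.policy` option, and `.attach_pid<pid>` files with the wrong owner) before an attach is attempted. The function names are hypothetical, `jdk_major` is assumed to be the major version of the JDK in use, and the script relies on Linux `/proc` and GNU `stat`.

```bash
#!/usr/bin/env bash
# Added example (not part of Log4jHotPatch): pre-flight checks for the attach
# failures listed under "Known issues". Function names are hypothetical.

# classify_target <cmdline> <target_uid> <caller_uid> <jdk_major>
# Prints space-separated blockers, or "ok" when none is found.
# Assumption: jdk_major is the major version of the JDK in use.
classify_target() {
    local cmdline=" $1 " target_uid="$2" caller_uid="$3" jdk="$4" out=""
    case "$cmdline" in
        *" -XX:+DisableAttachMechanism "*) out="$out attach-disabled" ;;
    esac
    if [ "$target_uid" != "$caller_uid" ]; then
        # Only root -> non-root on JDK 11 and newer is described as working.
        if [ "$caller_uid" != 0 ] || [ "$jdk" -lt 11 ]; then
            out="$out uid-mismatch"
        fi
    fi
    case "$cmdline" in
        *" -Djava.security.policy="*) out="$out security-manager" ;;
    esac
    out=${out# }
    echo "${out:-ok}"
}

# stale_attach_files <pid> <expected_uid> <dir>...
# Prints each .attach_pid<pid> file in the given directories whose owner is
# not expected_uid; delete those before retrying the attach.
stale_attach_files() {
    local pid="$1" uid="$2" dir f; shift 2
    for dir in "$@"; do
        f="$dir/.attach_pid$pid"
        [ -e "$f" ] || continue
        [ "$(stat -c %u "$f")" = "$uid" ] || echo "$f"
    done
}

# preflight_pid <pid> <jdk_major>: run both checks against a live process.
preflight_pid() {
    local pid="$1" jdk="$2" cmdline target_uid
    cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline") || return 1
    target_uid=$(stat -c %u "/proc/$pid") || return 1
    classify_target "$cmdline" "$target_uid" "$(id -u)" "$jdk"
    stale_attach_files "$pid" "$target_uid" /tmp "/proc/$pid/cwd"
}

# Usage: ./preflight.sh <java-pid> <jdk-major>
if [ "$#" -ge 2 ]; then preflight_pid "$1" "$2"; fi
```

A `security-manager` finding is not a hard blocker: per the note above, it means the latest version of the tool should be used.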
File Snapshot

```
[4.0K]  /data/pocs/5610b2e1b6ebe4db440abad08eca4bfcd6cb0e2d
├── [ 845]  build.gradle
├── [4.0K]  build-tools
│   └── [4.0K]  bin
│       └── [5.8K]  run_tests.sh
├── [3.8K]  CHANGELOG.md
├── [ 309]  CODE_OF_CONDUCT.md
├── [3.1K]  CONTRIBUTING.md
├── [4.0K]  gradle
│   └── [4.0K]  wrapper
│       ├── [ 58K]  gradle-wrapper.jar
│       └── [ 200]  gradle-wrapper.properties
├── [5.6K]  gradlew
├── [2.7K]  gradlew.bat
├── [ 592]  LICENSE
├── [  67]  NOTICE
├── [4.8K]  pom.xml
├── [4.5K]  README.md
├── [  51]  settings.gradle
├── [4.0K]  src
│   └── [4.0K]  main
│       ├── [4.0K]  java
│       │   ├── [4.0K]  com
│       │   │   └── [4.0K]  amazon
│       │   │       └── [4.0K]  corretto
│       │   │           └── [4.0K]  hotpatch
│       │   │               └── [4.0K]  org
│       │   │                   └── [4.0K]  objectweb
│       │   │                       └── [4.0K]  asm
│       │   │                           ├── [6.2K]  AnnotationVisitor.java
│       │   │                           ├── [ 27K]  AnnotationWriter.java
│       │   │                           ├── [ 16K]  Attribute.java
│       │   │                           ├── [ 13K]  ByteVector.java
│       │   │                           ├── [167K]  ClassReader.java
│       │   │                           ├── [2.8K]  ClassTooLargeException.java
│       │   │                           ├── [ 16K]  ClassVisitor.java
│       │   │                           ├── [ 44K]  ClassWriter.java
│       │   │                           ├── [6.1K]  ConstantDynamic.java
│       │   │                           ├── [ 10K]  Constants.java
│       │   │                           ├── [5.5K]  Context.java
│       │   │                           ├── [2.6K]  CurrentFrame.java
│       │   │                           ├── [3.9K]  Edge.java
│       │   │                           ├── [5.7K]  FieldVisitor.java
│       │   │                           ├── [ 11K]  FieldWriter.java
│       │   │                           ├── [ 57K]  Frame.java
│       │   │                           ├── [7.1K]  Handle.java
│       │   │                           ├── [8.1K]  Handler.java
│       │   │                           ├── [ 30K]  Label.java
│       │   │                           ├── [3.4K]  MethodTooLargeException.java
│       │   │                           ├── [ 35K]  MethodVisitor.java
│       │   │                           ├── [ 99K]  MethodWriter.java
│       │   │                           ├── [6.6K]  ModuleVisitor.java
│       │   │                           ├── [9.4K]  ModuleWriter.java
│       │   │                           ├── [ 20K]  Opcodes.java
│       │   │                           ├── [3.9K]  package.html
│       │   │                           ├── [6.0K]  RecordComponentVisitor.java
│       │   │                           ├── [9.1K]  RecordComponentWriter.java
│       │   │                           ├── [4.0K]  signature
│       │   │                           │   ├── [1.8K]  package.html
│       │   │                           │   ├── [ 12K]  SignatureReader.java
│       │   │                           │   ├── [7.0K]  SignatureVisitor.java
│       │   │                           │   └── [7.8K]  SignatureWriter.java
│       │   │                           ├── [ 10K]  Symbol.java
│       │   │                           ├── [ 54K]  SymbolTable.java
│       │   │                           ├── [ 32K]  Type.java
│       │   │                           ├── [7.6K]  TypePath.java
│       │   │                           └── [ 17K]  TypeReference.java
│       │   ├── [ 711]  Log4jHotPatch17.java
│       │   └── [ 10K]  Log4jHotPatch.java
│       └── [4.0K]  resources
│           └── [ 242]  MANIFEST.MF
├── [4.0K]  test
│   ├── [270K]  log4j-api-2.12.1.jar
│   ├── [1.6M]  log4j-core-2.12.1.jar
│   ├── [  79]  security.policy
│   └── [2.2K]  Vuln.java
├── [1.6K]  THIRD_PARTY_LICENSE.md
└── [   6]  version.txt

17 directories, 60 files
```