
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability

Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Buildpack providing a workaround for CVE-2021-44228 (Log4j RCE exploit)
Readme
# Workaround for CVE-2021-44228 (Log4j RCE exploit) as a buildpack

This project shows how to create a [CNCF buildpack](https://buildpacks.io) as a workaround for
[CVE-2021-44228](https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/),
a Log4j vulnerability that allows remote code execution.

By using this buildpack, you can apply a workaround for this vulnerability to every Java app you build.
The workaround simply disables message lookup substitution in Log4j through the JVM system property
`log4j2.formatMsgNoLookups` set to `true`, so `${jndi:...}` patterns in log messages are no longer
resolved. Note that this property is only honoured by Log4j 2.10.0 and later; older 2.x versions
ignore it and remain vulnerable, so check which Log4j version your app ships before relying on it.
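
To make the mechanism concrete, here is an added example (not the project's own `bin/build` script) of the core of such a buildpack's build step, written as a POSIX shell script. It assumes the Buildpack API 0.6+ layer layout (a `<layers>/<name>.toml` file with a `[types]` table and an `env.launch/` directory for launch-time environment); the layer name `log4j2-workaround` and the function names are arbitrary. It also reproduces how the launcher merges an `.append`/`.delim` pair into an existing `JAVA_TOOL_OPTIONS`, which is how the flag coexists with options that other buildpacks contribute:

```shell
#!/bin/sh
# Added example, not the project's own bin/build: the core of a CNB buildpack
# "build" step that makes every JVM in the image start with
# -Dlog4j2.formatMsgNoLookups=true. Assumes the Buildpack API 0.6+ layer
# layout (<layers>/<name>.toml with a [types] table, env.launch/ for
# launch-time env). Layer and function names are arbitrary.
set -eu

LOG4J_WORKAROUND_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Contribute a launch-only layer whose env.launch/ directory appends the flag
# to JAVA_TOOL_OPTIONS, which HotSpot reads at startup regardless of the start
# command. $1 is the <layers> directory the lifecycle passes to bin/build.
# Prints the layer path.
write_log4j_workaround_layer() {
    layers_dir="$1"
    layer="${layers_dir}/log4j2-workaround"
    mkdir -p "${layer}/env.launch"
    # ".append" adds to any existing value instead of overwriting it, so
    # options contributed by the Java buildpack survive.
    printf '%s' "${LOG4J_WORKAROUND_FLAG}" > "${layer}/env.launch/JAVA_TOOL_OPTIONS.append"
    # ".delim" is inserted between the existing value and the appended one.
    printf ' ' > "${layer}/env.launch/JAVA_TOOL_OPTIONS.delim"
    # Layer metadata: launch = true puts the layer and its env into the image;
    # build/cache = false because nothing here is needed at build time.
    cat > "${layer}.toml" <<'EOF'
[types]
launch = true
build = false
cache = false
EOF
    printf '%s\n' "${layer}"
}

# Reproduce what the launcher does with an env.launch/ directory for one
# variable: value = existing + delim + append. $1 layer dir, $2 variable
# name, $3 the value already in the environment (may be empty).
# Prints the merged value.
render_launch_env() {
    layer="$1"; name="$2"; current="${3:-}"
    append=$(cat "${layer}/env.launch/${name}.append")
    delim=$(cat "${layer}/env.launch/${name}.delim")
    if [ -z "${current}" ]; then
        printf '%s\n' "${append}"
    else
        printf '%s%s%s\n' "${current}" "${delim}" "${append}"
    fi
}

# Self-check in the spirit of the app's "Is Log4j2 workaround enabled?" log
# line: does a rendered JAVA_TOOL_OPTIONS carry the flag? Prints true/false.
workaround_enabled() {
    case " $1 " in
        *" ${LOG4J_WORKAROUND_FLAG} "*) printf 'true\n' ;;
        *) printf 'false\n' ;;
    esac
}

# Demo against a throwaway <layers> dir (constructed here; the real one is
# supplied by the lifecycle). Shows the flag appended to an existing option.
demo_layers=$(mktemp -d)
demo_layer=$(write_log4j_workaround_layer "${demo_layers}")
render_launch_env "${demo_layer}" JAVA_TOOL_OPTIONS '-Xmx512m'
rm -rf "${demo_layers}"
```

In a real buildpack, `bin/build` would call `write_log4j_workaround_layer "$1"` with the `<layers>` directory the lifecycle passes as its first argument, and `bin/detect` can simply succeed unconditionally so the workaround participates in every build. Because the flag is delivered through `JAVA_TOOL_OPTIONS` rather than the app's own start command, it also applies to JVMs started by the Java buildpack's launcher without any change to the application.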

As a long term fix, you should update your apps to a Log4j release that removes the JNDI lookup functionality entirely (2.16.0 or later, or one of the security releases listed in the vulnerability description above); a system property is a stopgap, not a patch.

**Please don't use this project for production workloads: this is for educational purposes only!**

## How to use it?

Include this buildpack when building your Java app:
```shell
pack build myrepo/myapp -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java
```

This repository includes a simple Java app that uses a Log4j version affected by this vulnerability.
Build this app with the buildpack:

```shell
pack build myrepo/myapp -p app -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java
```

You can now run this app; at startup it reports whether the workaround property is in effect:

```shell
docker run --rm -p 8080:8080 myrepo/myapp
...
2021-12-10 18:58:03.234  INFO 77965 --- [           main] f.a.c.Application                        : Is Log4j2 workaround for CVE-2021-44228 enabled? true
```

When using [kpack](https://github.com/pivotal/kpack) for building container images
inside your Kubernetes cluster, follow these steps:

 1. Add the buildpack `ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack` to your `ClusterStore`
 2. Use the buildpack in your `ClusterBuilder` or `Builder`

When using [VMware Tanzu Build Service](https://tanzu.vmware.com/build-service),
you may use these commands to add the buildpack to your `ClusterStore`:

```shell
kp clusterstore add default -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack
```

Then add the buildpack to your builder with Tanzu Build Service:

```shell
kp clusterbuilder patch mybuilder -b tanzu-buildpacks/java -b alexandreroman/cve-2021-44228-workaround-buildpack
```

All container images built from this builder will then be rebuilt
with the workaround for the Log4j RCE vulnerability applied.

Enjoy!

## Contribute

Contributions are always welcome!

Feel free to open issues & send PR.

## License

Copyright © 2021 [VMware, Inc. or its affiliates](https://vmware.com).

This project is licensed under the [Apache Software License version 2.0](https://www.apache.org/licenses/LICENSE-2.0).
File Snapshot

```
[4.0K] /data/pocs/f03e1071040840f3e6de57767c4de28ad887389b
├── [4.0K] app
│   ├── [9.8K] mvnw
│   ├── [6.5K] mvnw.cmd
│   ├── [2.0K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [4.0K] java
│           │   └── [4.0K] fr
│           │       └── [4.0K] alexandreroman
│           │           └── [4.0K] cve202144228
│           │               └── [1.8K] Application.java
│           └── [4.0K] resources
│               └── [ 127] application.yml
├── [4.0K] buildpack
│   ├── [4.0K] bin
│   │   ├── [ 538] build
│   │   └── [  44] detect
│   └── [ 249] buildpack.toml
├── [ 11K] LICENSE
├── [ 279] Makefile
├── [  30] package.toml
└── [2.5K] README.md

10 directories, 12 files
```