Share
## https://sploitus.com/exploit?id=2C7AFC31-83FC-5C56-96D6-91A9EB1160F4
# Log4Shell (CVE-2021-44228) PoC

## Objective

Reproduce, exploit, and remediate a known critical CVE in a Dockerised environment.

This PoC demonstrates [CVE-2021-44228 (Log4Shell)](https://vulners.com/cve/CVE-2021-44228) in a Spring Boot application.

## 1. Vulnerability Description

**CVE:** 2021-44228

**CVSS:** 10.0 (Critical)

**Affected component:** Apache Log4j ( observe no reverse shell
```

### Interim mitigations (if upgrade not possible)

1. Buy time
  * Restrict inbound exploit strings (`${jndi:` patterns) with a WAF or middleware.
  * Restrict outbound LDAP from application servers with egress filtering.

2. Disable lookups:

```
-Dlog4j2.formatMsgNoLookups=true
```

3. Harden JVM:

```
-Dcom.sun.jndi.ldap.object.trustURLCodebase=false
```

### Operational mitigations

1. Audit dependencies and runtime
  * Generate an SBOM (`gradle dependencies`, Snyk, Wiz, etc.).
  * Search deployed images/servers for `log4j-core-*.jar`, including fat JARs.
  * Triage and prioritize mitigations for the riskiest workloads.

2. Monitor & detect
  * Watch for exploit attempts in logs (`${jndi:...}`, `${${lower:j}ndi:...}`, etc.).
  * Monitor outbound LDAP traffic for callbacks.
  * Treat findings as potential compromises, escalate for incident response (forensic investigation, removal of malicious artifacts, rotation of secrets, etc.).

3. Vendor patches
  * Track vendor advisories (e.g., Elasticsearch) - many ship bundled Log4j.
  * Apply hotfixes or workarounds provided until official patches are available.

4. Strategic Improvements
  * Enforce "deny by default" policy for outbound traffic filtering.
  * Enforce dependency scanning in CI/CD.
  * Formalize response playbooks so teams know exactly what to do during the next "10.0 CVSS" vulnerability.
  * Run resilience drills/tabletops to test readiness for a "new Log4Shell-class" incident.

## 5. References
* [Apache Security Advisories](https://logging.apache.org/security.html)