Exploit for Deserialization of Untrusted Data in Apache Log4J CVE-2021-44228

Name: Exploit for Deserialization of Untrusted Data in Apache Log4J CVE-2021-44228
Rating: 5 (280 reviews)

2021-12-14 | CVSS 9.3

## https://sploitus.com/exploit?id=6A34D9C3-C290-5763-BAF4-F1D6351C4BA2
# CVE-2021-44228-Demo

This project for prove and testing zero-day log4j exploit

# verify dependency 
./mvnw dependency:list 

# patch
A set ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true

B add vm option -Dlog4j2.formatMsgNoLookups=true

C.1 add properties log4j2.formatMsgNoLookups=true (NOT WORK)
C.2 add properties log4j.formatMsgNoLookups=true (NOT WORK)

D update <log4j2.version>2.15.0</log4j2.version>

E in log4j2.xml replace %m with %m{nolookups}