Exploit for Deserialization of Untrusted Data in Apache Log4J CVE-2021-44228

Name: Exploit for Deserialization of Untrusted Data in Apache Log4J CVE-2021-44228
Rating: 5 (342 reviews)
2021-12-17 | CVSS 9.3
## https://sploitus.com/exploit?id=6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB
# Log4j Vulnerability - Proof-of-concept

This repo has the docker and k8s YAMLs that are needed to recreate the log4j vulnerability (seel below).

Follow [this blog](https://medium.com/@ankurkatiyar/cve-2021-44228-proof-of-concept-on-kubernetes-34c7337e8a89) to understand how all of this is tied together.
#
## Build Docker Images

In case you need to customize the docker images

```bash
  cd <Git-Repo>/web-server
  make build push
```

```bash
  cd <Git-Repo>/marshalsec
  make build push
```

```bash
  cd <Git-Repo>/attack-server
  make build push
```
Make sure that you update the DockerHub to reflect your user-id before attempting to push.

For the POC, you don't need to customize the docker images.

#

## Deploy on Kubernetes

You can deploy the YAMLs under the k8s folder to any Kubernetes Cluster.

```bash
  cd <Git-Repo>/k8s
  kubectl create -f .
```

This will deploy 3 PODs on the cluster, each reprenting an "actor" playing it's part for us to understsand how the log4j vunerability works.

In addition to the YAMLs included here, you will need to deploy an Ingress on the Kubernetes cluster to allow testing the vunerable web app from public end-points.

Heres a sample that works for Ngnix-Ingress.

```YAML
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: log4j-ingress
  labels:
    app: log4j
    env: dev
  namespace: log4j
  annotations:
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    #nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - <YOUR-DOMAIN-NAME-HERE>
    #secretName: tls-java-secret
  rules:
  - host: <YOUR-DOMAIN-NAME-HERE>
    http:
      paths:
        - path: /
          backend:
            serviceName: log4j-webserver
            servicePort: 8080

```


#
## Authors
- [@ankur-katiyar](https://www.github.com/ankur-katiyar)

## Resources
 - [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)


## License

[GNU General Public License v3.0](https://choosealicense.com/licenses/gpl-3.0/)