# Workaround for CVE-2021-44228 (Log4j RCE exploit) as a buildpack
This project shows how to create a [CNCF buildpack](https://buildpacks.io) as a workaround for
a Log4j exploit that results in remote code execution.
By using this buildpack, you can apply a workaround for this exploit for every Java apps.
The workaround would simply disable log formatting through the JVM system property
`log4j2.formatMsgNoLookups` with value set to `true`.
As a long term fix, you should update your apps with Log4j 2.15.0+.
**Please don't use this project for production workloads: this is for educational purposes only!**
## How to use it?
Include this buildpack when building your Java app:
pack build myrepo/myapp -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java
This repository includes a simple Java app leveraging Log4j (including the RCE exploit).
Build this app with the buildpack:
pack build myrepo/myapp -p app -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java
You can now run this app:
docker run --rm -p 8080:8080 myrepo/myapp
2021-12-10 18:58:03.234 INFO 77965 --- [ main] f.a.c.Application : Is Log4j2 workaround for CVE-2021-44228 enabled? true
When using [kpack](https://github.com/pivotal/kpack) for building container images
inside your Kubernetes cluster, you need to apply the following steps:
1. Add the buildpack `ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack` to your `ClusterStore`
2. Use the buildpack in your `ClusterBuilder` or `Builder`
When using [VMware Tanzu Build Service](https://tanzu.vmware.com/build-service),
you may use these commands to add the buildpack to your `ClusterStore`:
kp clusterstore add default -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack
Then add the buildpack to your builder with Tanzu Build Service:
kp clusterbuilder patch mybuilder -b tanzu-buildpacks/java -b alexandreroman/cve-2021-44228-workaround-buildpack
All container images referencing your builder will then be rebuilt,
including the workaround for the Log4j RCE exploit.
Contributions are always welcome!
Feel free to open issues & send PR.
Copyright © 2021 [VMware, Inc. or its affiliates](https://vmware.com).
This project is licensed under the [Apache Software License version 2.0](https://www.apache.org/licenses/LICENSE-2.0).