Exploit for Deserialization of Untrusted Data in Apache Log4J CVE-2021-44228

Name: Exploit for Deserialization of Untrusted Data in Apache Log4J CVE-2021-44228
Rating: 5 (279 reviews)
2021-12-10 | CVSS 9.3
## https://sploitus.com/exploit?id=EA3173CE-C426-5047-864A-480B1A30F235
# Workaround for CVE-2021-44228 (Log4j RCE exploit) as a buildpack

This project shows how to create a [CNCF buildpack](https://buildpacks.io) as a workaround for
[CVE-2021-44228](https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/),
a Log4j exploit that results in remote code execution.

By using this buildpack, you can apply a workaround for this exploit for every Java apps.
The workaround would simply disable log formatting through the JVM system property
`log4j2.formatMsgNoLookups` with value set to `true`.

As a long term fix, you should update your apps with Log4j 2.15.0+.

**Please don't use this project for production workloads: this is for educational purposes only!**

## How to use it?

Include this buildpack when building your Java app:
```shell
pack build myrepo/myapp -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java
```

This repository includes a simple Java app leveraging Log4j (including the RCE exploit).
Build this app with the buildpack:

```shell
pack build myrepo/myapp -p app -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java
```

You can now run this app:

```shell
docker run --rm -p 8080:8080 myrepo/myapp
...
2021-12-10 18:58:03.234  INFO 77965 --- [           main] f.a.c.Application                        : Is Log4j2 workaround for CVE-2021-44228 enabled? true
```

When using [kpack](https://github.com/pivotal/kpack) for building container images
inside your Kubernetes cluster, you need to apply the following steps:

 1. Add the buildpack `ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack` to your `ClusterStore`
 2. Use the buildpack in your `ClusterBuilder` or `Builder`

When using [VMware Tanzu Build Service](https://tanzu.vmware.com/build-service),
you may use these commands to add the buildpack to your `ClusterStore`:

```shell
kp clusterstore add default -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack
```

Then add the buildpack to your builder with Tanzu Build Service:

```shell
kp clusterbuilder patch mybuilder -b tanzu-buildpacks/java -b alexandreroman/cve-2021-44228-workaround-buildpack
```

All container images referencing your builder will then be rebuilt,
including the workaround for the Log4j RCE exploit.

Enjoy!

## Contribute

Contributions are always welcome!

Feel free to open issues & send PR.

## License

Copyright &copy; 2021 [VMware, Inc. or its affiliates](https://vmware.com).

This project is licensed under the [Apache Software License version 2.0](https://www.apache.org/licenses/LICENSE-2.0).