# Workaround for CVE-2021-44228 (Log4j RCE exploit) as a buildpack

This project shows how to create a CNCF buildpack as a workaround for
a Log4j exploit that results in remote code execution.

By using this buildpack, you can apply a workaround for this exploit to every Java app.
The workaround simply disables message lookups during log formatting by setting the JVM system property
`log4j2.formatMsgNoLookups` to `true`.
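
One way a buildpack can inject this property is to contribute a launch layer that appends the flag to `JAVA_TOOL_OPTIONS`. The script below is an added example, not this project's own build script; it assumes the Buildpack API 0.6+ layer layout, and the layer name `log4j-workaround` and both function names are hypothetical.

```shell
#!/bin/sh
# Added example: not the project's own bin/build.
# Assumes the Cloud Native Buildpacks layer layout of Buildpack API 0.6+.

FLAG='-Dlog4j2.formatMsgNoLookups=true'
LAYER_NAME='log4j-workaround'   # hypothetical layer name

# Create a launch layer that appends FLAG to JAVA_TOOL_OPTIONS at container start.
write_workaround_layer() {
  env_dir="$1/$LAYER_NAME/env.launch"
  mkdir -p "$env_dir" || return 1
  # <VAR>.append adds to any existing value; <VAR>.delim holds the separator.
  printf '%s' "$FLAG" > "$env_dir/JAVA_TOOL_OPTIONS.append"
  printf ' ' > "$env_dir/JAVA_TOOL_OPTIONS.delim"
  # Mark the layer as a launch layer so it is exported into the app image.
  printf '[types]\nlaunch = true\n' > "$1/$LAYER_NAME.toml"
}

# Succeed only if the effective value in a JAVA_TOOL_OPTIONS string is exactly "true".
# The JVM keeps the last -D definition of a property, so a later
# "-Dlog4j2.formatMsgNoLookups=false" would undo the workaround.
# The body runs in a subshell so "set -f" and the variables stay local.
workaround_enabled() (
  set -f   # no glob expansion while splitting the option string
  value=''
  for tok in $1; do
    case "$tok" in
      -Dlog4j2.formatMsgNoLookups=*) value="${tok#*=}" ;;
    esac
  done
  [ "$value" = 'true' ]
)

# When run as bin/build, the lifecycle passes the layers directory as $1.
if [ -n "${1:-}" ]; then
  write_workaround_layer "$1"
fi
```

`workaround_enabled` can be pointed at the `JAVA_TOOL_OPTIONS` value of a running container to confirm that nothing later in the option string switches the property back off.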

As a long-term fix, you should update your apps to Log4j 2.15.0+.

**Please don't use this project for production workloads: this is for educational purposes only!**

## How to use it?

Include this buildpack when building your Java app:

```shell
pack build myrepo/myapp -b -b paketo-buildpacks/java
```

This repository includes a simple Java app leveraging Log4j (including the RCE exploit).
Build this app with the buildpack:

```shell
pack build myrepo/myapp -p app -b -b paketo-buildpacks/java
```

You can now run this app:

```shell
docker run --rm -p 8080:8080 myrepo/myapp
2021-12-10 18:58:03.234  INFO 77965 --- [           main] f.a.c.Application                        : Is Log4j2 workaround for CVE-2021-44228 enabled? true
```

When using kpack for building container images
inside your Kubernetes cluster, you need to apply the following steps:

 1. Add the buildpack `` to your `ClusterStore`
 2. Use the buildpack in your `ClusterBuilder` or `Builder`

When using VMware Tanzu Build Service,
you may use these commands to add the buildpack to your `ClusterStore`:

```shell
kp clusterstore add default -b
```

Then add the buildpack to your builder with Tanzu Build Service:

```shell
kp clusterbuilder patch mybuilder -b tanzu-buildpacks/java -b alexandreroman/cve-2021-44228-workaround-buildpack
```

All container images referencing your builder will then be rebuilt,
including the workaround for the Log4j RCE exploit.


## Contribute

Contributions are always welcome!

Feel free to open issues and send PRs.

## License

Copyright © 2021 VMware, Inc. or its affiliates

This project is licensed under the Apache Software License version 2.0.