来源

关联漏洞

描述

Buildpack providing a workaround for CVE-2021-44228 (Log4j RCE exploit)

介绍

# Workaround for CVE-2021-44228 (Log4j RCE exploit) as a buildpack

This project shows how to create a [CNCF buildpack](https://buildpacks.io) as a workaround for
[CVE-2021-44228](https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/),
a Log4j exploit that results in remote code execution.

By using this buildpack, you can apply a workaround for this exploit for every Java apps.
The workaround would simply disable log formatting through the JVM system property
`log4j2.formatMsgNoLookups` with value set to `true`.

As a long term fix, you should update your apps with Log4j 2.15.0+.

**Please don't use this project for production workloads: this is for educational purposes only!**

## How to use it?

Include this buildpack when building your Java app:
```shell
pack build myrepo/myapp -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java
```

This repository includes a simple Java app leveraging Log4j (including the RCE exploit).
Build this app with the buildpack:

```shell
pack build myrepo/myapp -p app -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java
```

You can now run this app:

```shell
docker run --rm -p 8080:8080 myrepo/myapp
...
2021-12-10 18:58:03.234  INFO 77965 --- [           main] f.a.c.Application                        : Is Log4j2 workaround for CVE-2021-44228 enabled? true
```

When using [kpack](https://github.com/pivotal/kpack) for building container images
inside your Kubernetes cluster, you need to apply the following steps:

 1. Add the buildpack `ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack` to your `ClusterStore`
 2. Use the buildpack in your `ClusterBuilder` or `Builder`

When using [VMware Tanzu Build Service](https://tanzu.vmware.com/build-service),
you may use these commands to add the buildpack to your `ClusterStore`:

```shell
kp clusterstore add default -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack
```

Then add the buildpack to your builder with Tanzu Build Service:

```shell
kp clusterbuilder patch mybuilder -b tanzu-buildpacks/java -b alexandreroman/cve-2021-44228-workaround-buildpack
```

All container images referencing your builder will then be rebuilt,
including the workaround for the Log4j RCE exploit.

Enjoy!

## Contribute

Contributions are always welcome!

Feel free to open issues & send PR.

## License

Copyright © 2021 [VMware, Inc. or its affiliates](https://vmware.com).

This project is licensed under the [Apache Software License version 2.0](https://www.apache.org/licenses/LICENSE-2.0).

文件快照

 [4.0K]  /data/pocs/f03e1071040840f3e6de57767c4de28ad887389b
├── [4.0K]  app
│   ├── [9.8K]  mvnw
│   ├── [6.5K]  mvnw.cmd
│   ├── [2.0K]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  java
│           │   └── [4.0K]  fr
│           │       └── [4.0K]  alexandreroman
│           │           └── [4.0K]  cve202144228
│           │               └── [1.8K]  Application.java
│           └── [4.0K]  resources
│               └── [ 127]  application.yml
├── [4.0K]  buildpack
│   ├── [4.0K]  bin
│   │   ├── [ 538]  build
│   │   └── [  44]  detect
│   └── [ 249]  buildpack.toml
├── [ 11K]  LICENSE
├── [ 279]  Makefile
├── [  30]  package.toml
└── [2.5K]  README.md

10 directories, 12 files

备注