Author: Trevor Terris
Level: Intermediate
Technologies: EJB, JSF, WAR
Summary: Small sample application to validate log4j mitigation via JBoss EAP deployment overlays
Target Product: EAP
Source: https://github.com/tkterris/log4shell-lab.git
As-is, this application is vulnerable to CVE-2021-44228 ("Log4Shell")! DO NOT RUN THIS IN PRODUCTION; it is intended for educational purposes only. A successful payload makes the server open an outbound JNDI/LDAP connection to whatever host the payload names, so deploy it only on an isolated lab host.
This example application demonstrates the "Log4Shell" vulnerability, CVE-2021-44228, and how to mitigate it on JBoss EAP without rebuilding the artifact.
The example follows the common "Hello World" pattern. These are the steps that occur:
- A JSF page asks the user for their name.
- On clicking submit, the name is sent to a managed bean named Greeter.
- The name is printed to log output via log4j, using a library version vulnerable to Log4Shell. Because vulnerable log4j versions evaluate ${...} lookups in the message text while formatting it, a name such as ${jndi:ldap://...} is resolved rather than logged literally.
The application this project produces is designed to be run on Red Hat JBoss Enterprise Application Platform 7.4 or later.
If you have not yet done so, you must Configure Maven before testing the quickstarts.
- Open a command line and navigate to the root of the JBoss server directory.
- Start the server:
  For Linux: JBOSS_HOME/bin/standalone.sh
  For Windows: JBOSS_HOME\bin\standalone.bat
First, install and start Redis, which the Huntress tester uses to store its results (use the default IP address and port):
sudo yum install redis
sudo systemctl start redis
Then download, build, and run the Huntress vulnerability tester:
git clone https://github.com/huntresslabs/log4shell-tester.git
cd log4shell-tester/
mvn clean install
java -jar target/log4shell-jar-with-dependencies.jar
The vulnerability tester's web page will be available at http://127.0.0.1:8000, and its LDAP listener, the target of the generated payloads, on port 1389.
NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See Build and Deploy the Quickstarts for complete instructions and additional options.
- Open a command line and navigate to the root directory of this quickstart.
- Type this command to build and deploy the archive:
mvn clean install
- Deploy the compiled "log4shell-lab.war" artifact (in the target/ directory) to the EAP server, either by copying it into JBOSS_HOME/standalone/deployments/ or with the JBoss CLI command deploy target/log4shell-lab.war.
The application will be running at the following URL: http://localhost:8080/log4shell-lab.
- Fetch a test payload from the Log4Shell tester page at http://127.0.0.1:8000/. For example:
${jndi:ldap://127.0.0.1:1389/GENERATED_TOKEN_HERE}
- In the JSF page at http://localhost:8080/log4shell-lab, enter the Huntress Log4Shell payload obtained in the previous step as your name and submit it.
- View the results for that payload, as described on the Huntress Log4Shell tester page. The URL will be formatted like so: http://127.0.0.1:8000/view/GENERATED_TOKEN_HERE. If the application is vulnerable, log4j resolves the ${jndi:...} lookup while formatting the log message, and the resulting LDAP request to the tester's listener is recorded on the results page.
This issue can be mitigated in JBoss EAP without recompiling the artifact via Deployment Overlays, which replace individual files inside a deployment at deploy time.
- Download versions of the log4j-core and log4j-api library JARs that have had the Log4Shell vulnerability patched. Patched releases are published to Maven Central. Take both JARs from the same release (2.17.1 or later on the 2.x line, which also closes the follow-up log4j CVEs), since log4j-core expects a matching log4j-api.
- Confirm the exact file names bundled under WEB-INF/lib in the WAR, because the archive path in the overlay command must match them byte for byte; this quickstart bundles log4j-core-2.11.2.jar and log4j-api-2.11.2.jar.
- In the JBoss CLI, execute the following command to overlay log4j-core:
deployment-overlay add --name=log4shellOverlay --content=/WEB-INF/lib/log4j-core-2.11.2.jar=/path/to/patched/log4j-core.jar --deployments=log4shell-lab.war --redeploy-affected
- In the JBoss CLI, execute the following command to overlay log4j-api:
deployment-overlay add --name=log4shellApiOverlay --content=/WEB-INF/lib/log4j-api-2.11.2.jar=/path/to/patched/log4j-api.jar --deployments=log4shell-lab.war --redeploy-affected
- Rerun the investigation steps. There should be no additional requests listed on the Huntress results page, confirming that the application is no longer vulnerable.
Note that the overlay lives in the server configuration and is tied to the deployment name, not to the WAR on disk, so it is a stopgap for artifacts you cannot rebuild; the durable fix is to upgrade the log4j dependency in the project's POM and redeploy.
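The pre-deployment check and the overlay step above, as an added Python example that is not part of the lab or of JBoss EAP: it reads a WAR, finds the bundled log4j-core and log4j-api jars (by the Maven pom.properties inside each jar, falling back to the file name), decides whether log4j-core falls in the CVE-2021-44228 range, and builds the two deployment-overlay commands with the archive paths taken from the WAR instead of typed by hand. It refuses a patched pair whose versions differ or that is older than 2.17.1 (2.12.4 / 2.3.2 on the Java 7 / Java 6 lines). When run directly it scans a WAR constructed in memory to resemble log4shell-lab.war; the patched jar paths are hypothetical.

```python
import io
import re
import zipfile

LOG4J_ARTIFACTS = ("log4j-core", "log4j-api")
OVERLAY_NAMES = {"log4j-core": "log4shellOverlay", "log4j-api": "log4shellApiOverlay"}

def parse_version(version):
    """'2.11.2' -> (2, 11, 2, ''); '2.0-beta9' -> (2, 0, 0, 'beta9')."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$", version)
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), pre or ""

def is_vulnerable_44228(version):
    """CVE-2021-44228 range 2.0-beta9..2.14.1, minus the backports 2.12.2+ / 2.3.1+."""
    major, minor, patch, pre = parse_version(version)
    if major != 2:
        return False                 # log4j 1.x never had the JNDI lookup
    if pre:                          # only the late 2.0 pre-releases shipped it
        return (minor, patch) == (0, 0) and pre in {"beta9", "rc1", "rc2"}
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False                 # fixed Java 7 / Java 6 maintenance lines
    return minor <= 14

def is_acceptable_fix(version):
    """Releases closing CVE-2021-44228 and the three follow-up log4j CVEs."""
    major, minor, patch, pre = parse_version(version)
    if major != 2 or pre:
        return False
    return (minor, patch) >= (17, 1) or (minor, patch) in {(12, 4), (3, 2)}

def filename_version(artifact, path):
    """Version as declared by the file name, e.g. log4j-core-2.11.2.jar."""
    m = re.search(rf"{artifact}-(\d[^/]*?)\.jar$", path)
    if not m:
        raise ValueError(f"cannot read a {artifact} version from {path!r}")
    return m.group(1)

def jar_version(artifact, path, data):
    """Prefer the Maven pom.properties inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            props = jar.read(f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties")
        for line in props.decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError):
        pass                         # not a Maven-built jar: trust the file name
    return filename_version(artifact, path)

def scan_war(war_bytes):
    """Map artifact -> (path inside the WAR, version) for the bundled log4j jars."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = re.match(r"WEB-INF/lib/(log4j-(?:core|api))-[^/]*\.jar$", name)
            if m:
                found[m.group(1)] = (name, jar_version(m.group(1), name, war.read(name)))
    return found

def overlay_commands(war_bytes, patched, deployment="log4shell-lab.war"):
    """JBoss CLI lines overlaying the WAR's log4j jars with patched {artifact: local path}."""
    found = scan_war(war_bytes)
    if "log4j-core" not in found or not is_vulnerable_44228(found["log4j-core"][1]):
        return []                    # nothing to overlay: absent or outside the CVE range
    versions = {a: filename_version(a, p) for a, p in patched.items()}
    if len(set(versions.values())) != 1:
        raise ValueError(f"core and api must come from one release: {versions}")
    fix = versions["log4j-core"]
    if not is_acceptable_fix(fix):
        raise ValueError(f"{fix} leaves later log4j CVEs open; use 2.17.1+ (2.12.4/2.3.2)")
    return [f"deployment-overlay add --name={OVERLAY_NAMES[a]} --content=/{found[a][0]}={patched[a]}"
            f" --deployments={deployment} --redeploy-affected"
            for a in LOG4J_ARTIFACTS if a in found and a in patched]

def make_jar(artifact, version):
    """Constructed stand-in for a log4j jar: Maven metadata only, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
                     f"version={version}\nartifactId={artifact}\n")
    return buf.getvalue()

def make_sample_war(version="2.11.2"):
    """Constructed WAR shaped like log4shell-lab.war (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for artifact in LOG4J_ARTIFACTS:
            war.writestr(f"WEB-INF/lib/{artifact}-{version}.jar", make_jar(artifact, version))
    return buf.getvalue()

if __name__ == "__main__":
    war = make_sample_war()          # real use: open("target/log4shell-lab.war", "rb").read()
    patched = {a: f"/path/to/patched/{a}-2.17.1.jar" for a in LOG4J_ARTIFACTS}  # hypothetical
    print(*overlay_commands(war, patched), sep="\n")
```

The version check reads the Maven metadata rather than the file name because a renamed or shaded jar would otherwise be missed; the file name is only a fallback. The generated lines can be pasted into jboss-cli.sh exactly as the two commands above, and rerunning the script against a WAR rebuilt with a fixed dependency returns nothing, which is the signal that the overlay is no longer needed.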