Log4Shell Zero-day Exploit Walkthrough

Demonstrating RCE in Popular Java Library, Log4j

Alex Rodriguez
Geek Culture


Hello, World! If you’ve been paying attention to very recent cyber news, you might’ve seen the big headlines about the millions of applications that are vulnerable to a remote code execution zero-day via the popular Java logging library, Log4j. The affected versions are Apache Log4j 2.0–2.14.1 and the CVE is tracked as CVE-2021-44228. In this blog, I’m going to demonstrate the setup and exploitation of a server using a vulnerable Log4j version. Let’s hack!

Setting Up The Environment

Note: Please make sure to run the following programs in a VM or sandbox. Thanks!

To set up a server running a vulnerable Log4j version, we’ll build a Docker image for this Spring Boot application created by christophetd, which is vulnerable to Log4Shell. You’ll need to install Docker for this walkthrough.

We’ll build an image that will include all the dependencies and the source code for the vulnerable Java application.

git clone https://github.com/christophetd/log4shell-vulnerable-app.git /tmp/log4shell-vulnerable-app
cd /tmp/log4shell-vulnerable-app
docker build -t log4shell-app .
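Because the image bundles the application's dependencies, a defender can check an application archive for a log4j-core version inside the affected range stated above. The following is an added example, not code from the original post or from christophetd's project; the function names are hypothetical, it assumes the conventional `log4j-core-<version>.jar` file name and Spring Boot's `BOOT-INF/lib` layout, and the sample jar is constructed in memory.

```python
import io
import re
import zipfile

# Affected range as stated in this post: Log4j 2.0 through 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Assumption: the library keeps its conventional file name.
CORE_JAR = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")


def is_affected(version):
    """True if a (major, minor, patch) tuple falls in the stated range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def find_log4j_core(jar_bytes, path=""):
    """Recursively list (path, version, affected) for log4j-core jars in an archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith((".jar", ".war")):
                continue
            full = f"{path}!/{name}" if path else name
            match = CORE_JAR.search(name)
            if match:
                version = tuple(int(g or 0) for g in match.groups())
                hits.append((full, version, is_affected(version)))
            try:
                # Fat jars nest their dependencies, so descend into each one.
                hits += find_log4j_core(zf.read(name), full)
            except zipfile.BadZipFile:
                pass  # named like an archive but not one; skip it
    return hits


def build_sample_fat_jar(core_version):
    """Constructed sample: a Spring Boot style fat jar with nested Log4j jars."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"BOOT-INF/lib/log4j-core-{core_version}.jar", inner.getvalue())
        zf.writestr(f"BOOT-INF/lib/log4j-api-{core_version}.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for sample_version in ("2.14.1", "2.17.1"):
        for hit in find_log4j_core(build_sample_fat_jar(sample_version), "app.jar"):
            print(hit)
```

The check relies on file names only, so a renamed or shaded copy of the library would not be reported.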


I am an Offensive Security Engineer @ Amazon who writes about cybersecurity and anything related to technology. Opinions are my own.