{"id":15780066,"url":"https://github.com/rgl/log4j-log4shell-playground","last_synced_at":"2025-08-17T14:40:33.741Z","repository":{"id":139753106,"uuid":"438541418","full_name":"rgl/log4j-log4shell-playground","owner":"rgl","description":"A playground for poking at the Log4Shell (CVE-2021-44228) vulnerability mitigations","archived":false,"fork":false,"pushed_at":"2021-12-15T08:44:16.000Z","size":2,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-31T11:06:06.451Z","etag":null,"topics":["log4j","log4shell"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rgl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-15T07:51:12.000Z","updated_at":"2021-12-16T11:59:53.000Z","dependencies_parsed_at":null,"dependency_job_id":"84306d10-7a5a-40bf-8669-754bbc87e93f","html_url":"https://github.com/rgl/log4j-log4shell-playground","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/rgl/log4j-log4shell-playground","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Flog4j-log4shell-playground","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Flog4j-log4shell-playground/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Flog4j-log4shell-playground/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Flog4j-log4shell-playgrou
nd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgl","download_url":"https://codeload.github.com/rgl/log4j-log4shell-playground/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Flog4j-log4shell-playground/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270861805,"owners_count":24658662,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-17T02:00:09.016Z","response_time":129,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["log4j","log4shell"],"created_at":"2024-10-04T18:40:27.154Z","updated_at":"2025-08-17T14:40:33.711Z","avatar_url":"https://github.com/rgl.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# About\n\nA playground for poking at the [critical log4j (aka Log4Shell) (CVE-2021-44228) vulnerability](https://en.wikipedia.org/wiki/Log4Shell) mitigations.\n\nThis particular problem lies within the [JndiLookup feature](https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup) and log4j's ability to interpret **ALL** the arguments of a logging call.\n\nI would expect it to only interpret the format message (the first argument of a logging call), e.g., the `Hello {}` in `log.info(\"Hello {}\", \"${jndi:ldap://127.0.0.1:8081}\")`, but it interprets all of them.\n\nThe mitigations will prevent log4j 
from triggering the `jndi` lookups, but they still allow other lookups like `${java:version}`.\n\n**NB: Since log4j [2.16.0](https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0) ([LOG4J2-3211](https://issues.apache.org/jira/browse/LOG4J2-3211); [diff](https://github.com/apache/logging-log4j2/compare/rel/2.15.0...rel/2.16.0)) the format message is no longer interpreted.**\n\nThis vulnerability can be triggered remotely when the target application logs any user supplied data, for example, from these common HTTP headers:\n\n* `Accept`\n* `Cookie`\n* `Location`\n* `Origin`\n* `Referer`\n* `User-Agent`\n* `X-Api-Version`\n* `X-Forwarded-For`\n* `X-Forwarded-Host`\n* `X-Requested-With`\n\n# Play (Ubuntu 20.04)\n\nBuild:\n\n```bash\nsudo apt-get install -y openjdk-11-jdk-headless\nwget https://archive.apache.org/dist/logging/log4j/2.10.0/apache-log4j-2.10.0-bin.tar.gz\nwget https://archive.apache.org/dist/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.tar.gz\ntar xf apache-log4j-2.10.0-bin.tar.gz\ntar xf apache-log4j-2.16.0-bin.tar.gz\njavac -Werror -cp apache-log4j-2.10.0-bin/log4j-api-2.10.0.jar Server.java\n```\n\nTry a vulnerable log4j version:\n\n```bash\njava \\\n    -cp apache-log4j-2.10.0-bin/log4j-api-2.10.0.jar:apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar:. \\\n    Server\ncurl -H 'X-Api-Version:${jndi:ldap://127.0.0.1:8081}' http://localhost:8080\ncurl -H 'X-Api-Version:${java:version}' http://localhost:8080\n```\n\nTry removing the `JndiLookup` class from the classpath mitigation:\n\n```bash\ncp apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar log4j-core-2.10.0-without-jndi-lookup.jar\nzip -q -d log4j-core-2.10.0-without-jndi-lookup.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\njava \\\n    -cp apache-log4j-2.10.0-bin/log4j-api-2.10.0.jar:log4j-core-2.10.0-without-jndi-lookup.jar:. 
\\\n    Server\ncurl -H 'X-Api-Version:${jndi:ldap://127.0.0.1:8081}' http://localhost:8080\ncurl -H 'X-Api-Version:${java:version}' http://localhost:8080\n```\n\nTry the environment variable mitigation:\n\n**NB** Since 2021-12-15 (circa log4j 2.16.0 / CVE-2021-45046 release date) this is no longer recommended.\n\n```bash\nLOG4J_FORMAT_MSG_NO_LOOKUPS=true \\\n    java \\\n    -cp apache-log4j-2.10.0-bin/log4j-api-2.10.0.jar:apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar:. \\\n    Server\ncurl -H 'X-Api-Version:${jndi:ldap://127.0.0.1:8081}' http://localhost:8080\ncurl -H 'X-Api-Version:${java:version}' http://localhost:8080\n```\n\nTry a non-vulnerable log4j version:\n\n```bash\njava \\\n    -cp apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar:apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar:. \\\n    Server\ncurl -H 'X-Api-Version:${jndi:ldap://127.0.0.1:8081}' http://localhost:8080\ncurl -H 'X-Api-Version:${java:version}' http://localhost:8080\n```\n\nTry [grype](https://github.com/anchore/grype) to see whether it detects the vulnerability:\n\n```bash\nwget https://github.com/anchore/grype/releases/download/v0.27.2/grype_0.27.2_linux_amd64.tar.gz\ntar xf grype_0.27.2_linux_amd64.tar.gz grype\n./grype dir:.\n```\n\nTry [trivy](https://github.com/aquasecurity/trivy) to see whether it detects the vulnerability:\n\n```bash\nwget https://github.com/aquasecurity/trivy/releases/download/v0.21.2/trivy_0.21.2_Linux-64bit.tar.gz\ntar xf trivy_0.21.2_Linux-64bit.tar.gz trivy\n./trivy fs --security-checks vuln .\n```\n\n# References\n\n* https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/\n* https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/\n* https://logging.apache.org/log4j/2.x/security.html\n* 
https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Flog4j-log4shell-playground","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frgl%2Flog4j-log4shell-playground","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Flog4j-log4shell-playground/lists"}
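
The README above drives the header injection vector and the "remove `JndiLookup.class` from the jar" mitigation by hand with `curl` and `zip -d`. The following Python script is an added example, not code from the rgl/log4j-log4shell-playground repository, that automates both checks: it de-obfuscates `${...}` lookups in request headers the way log4j's substitutor resolves nested lookups and `${name:-default}` default values (the `${${lower:j}ndi:...}` style payloads are a generalization beyond the README's plain `${jndi:...}` payload), flags which of the README's commonly logged headers would trigger a `jndi` lookup, and inspects a `log4j-core` jar for `JndiLookup.class`, rebuilding it without that entry as the README's `zip -q -d` command does. The request headers and the jar are constructed samples; the function names are this example's own.

```python
import io
import re
import zipfile

# Header names the README lists as commonly logged (and therefore injectable).
LOGGED_HEADERS = (
    "Accept", "Cookie", "Location", "Origin", "Referer", "User-Agent",
    "X-Api-Version", "X-Forwarded-For", "X-Forwarded-Host", "X-Requested-With",
)
# Innermost ${...}: a lookup whose body contains no further $, { or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def normalize_lookups(value):
    """Resolve lookups innermost-first, as log4j's StrSubstitutor does, for the
    forms an attacker can compute without the server's environment: ${lower:X},
    ${upper:X} and the default-value form ${name:-default}. Everything else
    (jndi, env, sys, java, ...) is kept verbatim so the caller sees what log4j
    would try to resolve."""

    def resolve(match):
        body = match.group(1)
        name, sep, default = body.partition(":-")
        if name.lower().startswith("lower:"):
            return name[len("lower:"):].lower()
        if name.lower().startswith("upper:"):
            return name[len("upper:"):].upper()
        if sep:  # ${::-j} or ${env:MISSING:-j} collapses to the default "j"
            return default
        return "\x00{" + body + "}"  # freeze an unresolvable lookup (restored below)

    previous = None
    while previous != value:  # each pass removes or freezes one nesting level
        previous = value
        value = INNER_LOOKUP.sub(resolve, value)
    return value.replace("\x00{", "${")


def is_jndi_lookup(value):
    """True if, after de-obfuscation, log4j would attempt a jndi lookup.
    Lookup prefixes are case-insensitive in log4j, hence the lower()."""
    return "${jndi:" in normalize_lookups(value).lower()


def flag_request_headers(headers):
    """Map each logged header carrying a jndi lookup to its normalized payload."""
    wanted = {h.lower() for h in LOGGED_HEADERS}
    return {
        name: normalize_lookups(value)
        for name, value in headers.items()
        if name.lower() in wanted and is_jndi_lookup(value)
    }


def inspect_log4j_core(jar_bytes):
    """Return (version, has_jndi_lookup) for a log4j-core jar; the version comes
    from the Maven pom.properties the jar ships (None if absent)."""
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/log4j-core/pom.properties"):
                for line in jar.read(name).decode("ascii", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names


def strip_jndi_lookup(jar_bytes):
    """Rebuild the jar without JndiLookup.class, the equivalent of the README's
    `zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(version="2.10.0"):
    """Constructed stand-in for log4j-core-<version>.jar holding only the entries
    this script inspects; the class entry is a placeholder, not real bytecode."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                     f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return out.getvalue()


if __name__ == "__main__":
    # Constructed request: a plain payload, a nested/default-value obfuscated one,
    # and the harmless ${java:version} lookup the README also exercises.
    request = {
        "User-Agent": "curl/7.68.0",
        "X-Api-Version": "${jndi:ldap://127.0.0.1:8081}",
        "X-Forwarded-For": "${${lower:j}${::-n}di:ldap://127.0.0.1:8081/a}",
        "Referer": "${java:version}",
    }
    print(flag_request_headers(request))
    jar = build_sample_jar()
    print(inspect_log4j_core(jar))                     # ('2.10.0', True)
    print(inspect_log4j_core(strip_jndi_lookup(jar)))  # ('2.10.0', False)
```

Note that removing `JndiLookup.class` only disables the `jndi` prefix; `${java:version}` and the other lookups still resolve, exactly as the README's second `curl` in each step demonstrates, so upgrading to a release that no longer interprets message lookups remains the fix.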