SubOptimal/log4shell-snippets

This repository provides a simple demonstration of the Log4Shell vulnerability as Java, Kotlin and Scala snippets.

Why those snippets

Log4Shell is a serious vulnerability, and there are some rumours circulating about it.

These simple snippets only show that any language running on the JVM is impacted and that the vulnerability can be triggered not only via HTTP headers. Don't feel safe just because your application is not directly exposed to the internet: if user-entered input is eventually logged, you might be impacted (see xkcd #327).

Some commenters use it to blame Java as insecure

Which is not true, as the vulnerability …

  • is not related to the Java language; other JVM languages are impacted too if they use an affected log4j version, see the Kotlin and Scala examples

  • happens because of a feature of the log4j logging framework that was enabled by default and could be misused

The attack vector is not only via HTTP headers

Any application using a vulnerable log4j version is impacted if a logged string can be constructed to contain a JNDI lookup like ${jndi:ldap://127.0.0.1/xyz}. So any logged input data might become a security risk. The snippets just log a literal string to trigger the JNDI call, which in the basic setup leads to a thrown exception. If you want to see the LDAP request going out of your network, replace the ${jndi:ldap…} part with a string generated on https://log4shell.huntress.com/ (the page will not send an exploit, it will only log the LDAP call).
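As an added example (not part of this repository), the scanner below applies the point above from the detection side: it runs over constructed log lines from a web access log and from an application log, flagging lookup strings that reached the logger through a header as well as through an ordinary form field. The sample lines and the severity labels are assumptions made for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample log lines (not taken from the repository): one web
# access log line carrying the lookup in the User-Agent header, one
# application log line carrying it in a logged form field, one line with
# a non-JNDI lookup, and one benign line.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://127.0.0.1/xyz}"',
    "2021-12-10 12:00:02 INFO  LoginService - login attempt for user=${jndi:ldap://127.0.0.1/xyz}",
    "2021-12-10 12:00:03 INFO  OrderService - note from customer: ${env:JAVA_HOME} please ship fast",
    "2021-12-10 12:00:04 INFO  OrderService - order 4711 shipped",
]

# A log4j lookup opens with "${"; the JNDI case names the jndi: scheme
# before the closing brace. Case-insensitive, and no closing brace is
# required so a truncated line is still flagged.
JNDI_LOOKUP = re.compile(r"\$\{[^}]*?jndi:", re.IGNORECASE)
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


class Finding(NamedTuple):
    line_no: int
    severity: str  # "high" for a JNDI lookup, "low" for any other lookup syntax
    match: str


def scan_line(line: str) -> Optional[Tuple[str, str]]:
    """Classify one log line; returns (severity, matched text) or None."""
    m = JNDI_LOOKUP.search(line)
    if m:
        return ("high", m.group(0))
    m = ANY_LOOKUP.search(line)
    if m:
        # Any lookup syntax in logged input is worth a look, since the
        # logger resolves it regardless of where the text came from.
        return ("low", m.group(0))
    return None


def scan_log(lines) -> List[Finding]:
    """Run scan_line over every line, keeping 1-based line numbers."""
    findings = []
    for no, line in enumerate(lines, start=1):
        result = scan_line(line)
        if result:
            findings.append(Finding(no, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: {f.severity} {f.match}")
```

Matching the literal `jndi:` scheme catches the form used in the repository's snippets; treat the low-severity hit on any `${` lookup in untrusted input as a signal in its own right rather than relying on the `jndi:` pattern alone.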
