New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Without alpine image, Log4j don't follow Exploit*.class #19
Comments
Exploit*.class
Exploit*.class
Exploit*.class
I confirm I'm able to reproduce the behavior. Would you have any guess as to why the exploit is not working on the non-Alpine version? It's using the same JDK version (1.8.0_181), and I don't know of reason why it wouldn't be working |
I still don't know and I haven't been able to investigate much. But I imagine that log4j changes flow due to some environment difference: environment variable, OS configuration etc. |
That's useful info. Given that the goal of this repo is to provide a purposely vulnerable application, I suggest we close the issue. |
You need to set com.sun.jndi.ldap.object.trustURLCodebase=true for the JVM via JAVA_TOOL_OPTIONS or any other means to make the app vulnerable. It should then work with any Linux image. I'm using this in a VM directly, and not docker. Thanks so much for this @christophetd |
Do you think that the JDK's are being patched to disable this class loading behaviour via JNDI? |
I could reproduce the attack today in an Ubuntu VM with the JDK 1.8 u181. |
To summarize, there seems to be no issue with the current repository, so I'll go ahead and close the issue. Thanks |
If I change container image from openjdk:8u181-jdk-alpine to
openjdk:8u181-jdk
, the vulnerability does not occur.Log4j don't follow
http://my-ip:8888/Exploit*.class
.The text was updated successfully, but these errors were encountered: