How to setup a PoC environment to study log4j vulnerability and protect your own Apps
log4j Vulnerability (CVE-2021-44228) - Setup a PoC, study and protect your own Apps

The Apache Log4j 2 utility is a Java-based logging library commonly used to log API and web requests. On December 9th, 2021, a vulnerability (CVE-2021-44228) was reported that allows a system running Apache Log4j 2 version 2.14.1 or below to be compromised. This article has 3 parts:

  • Part I: log4j Vulnerability Overview & PoC
  • Part II: Possible Attacks on Data
  • Part III: Changing App Infrastructure Design to be Secure by Design

This PoC can help your team (product, security, red team, blue team, etc.) study the log4j vulnerability and expose security weaknesses within your apps and infrastructure.

log4j Vulnerability Overview

The log4j vulnerability allows an attacker to deploy and run malware on the JVM of the compromised system by exploiting log4j's JNDI Lookup feature. This class of attack is known as Remote Code Execution (RCE). The malware then establishes a connection (reverse shell) to the attacker's botnet master server, allowing the botnet master to execute commands on the compromised system. If the compromised system has access to data, the organization would eventually end up with a data breach or ransomware infection.
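As an added example (not code from the article or from the Log4jShellPoC repo), here is a small Python inventory check you can run on your own hosts before or after working through the PoC: it finds log4j-core jars, reads their version, and reports whether the JndiLookup class behind the JNDI Lookup feature is still present. The jar entry paths follow log4j-core's standard packaging, and the 2.15.0 threshold is the release that first addressed CVE-2021-44228; both are assumptions of this example, not facts from the article.

```python
import io
import re
import zipfile
from pathlib import Path

# JndiLookup implements the lookup; Apache's stop-gap for jars that could not
# be upgraded was to delete this entry. 2.15.0 first addressed CVE-2021-44228;
# later advisories raised the bar, so align FIXED_VERSION with your own policy.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None

def inspect_jar(jar_bytes):
    """Report log4j-core version and JndiLookup presence for one jar image."""
    report = {"log4j_core": False, "version": None, "jndi_lookup_present": False, "vulnerable": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        report["jndi_lookup_present"] = JNDI_LOOKUP_CLASS in names
        if POM_PROPERTIES in names:
            report["log4j_core"] = True
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    report["version"] = line.split("=", 1)[1].strip()
    ver = parse_version(report["version"])
    # Exposed only while the class is present and the version is unknown or older
    # than the fix; a jar with the class removed counts as mitigated.
    report["vulnerable"] = report["jndi_lookup_present"] and (ver is None or ver < FIXED_VERSION)
    return report

def scan_tree(root):
    """Yield (path, report) for each jar/war/ear under root that carries log4j-core."""
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".jar", ".war", ".ear"} and zipfile.is_zipfile(path):
            report = inspect_jar(path.read_bytes())
            if report["log4j_core"] or report["jndi_lookup_present"]:
                yield path, report

def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed fixture: a minimal jar mimicking log4j-core's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()
```

scan_tree only looks at top-level archives; jars bundled inside a WAR's WEB-INF/lib or an uber-jar need to be unpacked and passed to inspect_jar separately.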

Proof of Concept (PoC) Environment

The PoC environments are built on AWS using CloudFormation, as this is the easiest and safest way to deploy a real environment away from your current controlled environment, where you can study and research vulnerabilities and malware in order to come up with effective controls. In this PoC, I have built 2 totally separate environments:

  1. Your network infrastructure: where an app API with the log4j vulnerability is deployed. In this PoC we have chosen an identity REST API that connects to OpenLDAP to authenticate users and issues a JWT token on successful authentication.
  2. Attacker network infrastructure: where the attack (planting the malware in a multi-step process) takes place.

To build the stack above in AWS, follow the README file in the Log4jShellPoC repo on GitHub:

The Vulnerable App REST APIs

The vulnerable app REST API authenticates users and, upon successful authentication, generates a token (JWT) and returns it so that it can be used to securely identify and authorize the user in subsequent REST API calls. As the illustration above shows, the software stack of the vulnerable app REST API consists of the REST API itself (App API) running on a JVM, which authenticates users against OpenLDAP.

OpenLDAP is where all registered customer data lives. This data is PII (Personally Identifiable Information) and would be a very attractive prize for any intruder who manages to gain unauthorised, untracked access to it.

As mentioned above, in Part II of this article we will go through the possible attacks on this kind of data and explore how the controls in place could be circumvented to extract and transmit the data out of the system.

Quick Demo Video

In Part II of this article, I will go through the possible attacks on data in more detail.

Conclusion & Takeaways

Building a PoC for the log4j vulnerability and its possible attacks is critical for your teams to study and research vulnerabilities and malware so that they can come up with effective security controls. It also contributes to the secure-by-design initiative inside your organization.

The same article published on my blog can be found here.

All of my articles can be found here.

Notice of Non-Affiliation and Disclaimer: The author of the article is not affiliated, associated, authorized, endorsed by, or in any way officially connected with any of the product vendors (Amazon AWS, etc.) mentioned in this article, or any of its subsidiaries or its affiliates.