
Buildpack providing a workaround for CVE-2021-44228 (Log4j RCE exploit)

Primary language: Java. License: Apache License 2.0 (Apache-2.0).

Workaround for CVE-2021-44228 (Log4j RCE exploit) as a buildpack

This project shows how to create a Cloud Native Buildpack (CNB, a CNCF project) as a workaround for CVE-2021-44228, a Log4j vulnerability that results in remote code execution.

By using this buildpack, you can apply a workaround for this exploit to every Java app you build. The workaround simply disables lookups (such as ${jndi:...}) during log message formatting by setting the JVM system property log4j2.formatMsgNoLookups to true. Note that Log4j only honours this property from version 2.10.0 onwards, and Apache has since documented that it is an incomplete mitigation (see CVE-2021-45046), so treat it as a stopgap until you can upgrade.

As a long-term fix, you should upgrade your apps to Log4j 2.15.0 or later.

Please don't use this project for production workloads: this is for educational purposes only!
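To make the mechanism above concrete, here is an added example (not this project's code) of what a minimal buildpack that sets the property looks like. A Cloud Native Buildpack ships a buildpack.toml plus two executables, bin/detect and bin/build; the script below folds the logic of both into one file so it can be read and exercised in one place. The layer name "log4j-workaround", the buildpack API 0.7 layer metadata, and the reliance on JAVA_TOOL_OPTIONS (which the HotSpot JVM reads at startup and which the Java buildpack also uses) are assumptions of this example, not details taken from the page.

```shell
#!/usr/bin/env bash
# Added example, not this project's code: the two executables a Cloud Native
# Buildpack ships (bin/detect and bin/build), folded into one file so the logic
# can be read and tested in one place. Assumptions that are not from the page:
# the layer name "log4j-workaround", buildpack API 0.7 layer metadata, and that
# the Java buildpack's launch process honours JAVA_TOOL_OPTIONS (HotSpot reads
# that variable at JVM startup).
set -eu

LAYER_NAME="log4j-workaround"
JVM_FLAG="-Dlog4j2.formatMsgNoLookups=true"

# bin/detect logic. The lifecycle runs it with the app source as the working
# directory; here the directory is a parameter so it can be exercised directly.
# Exit 0 to take part in the build, 100 to step aside (both are non-errors).
detect() {
  app_dir="$1"
  if [ -f "$app_dir/pom.xml" ] || [ -f "$app_dir/build.gradle" ] \
     || [ -f "$app_dir/build.gradle.kts" ] || ls "$app_dir"/*.jar >/dev/null 2>&1; then
    return 0
  fi
  return 100
}

# bin/build logic. The lifecycle passes <layers_dir> <platform_dir> <plan_path>;
# only the layers directory matters here. The layer contributes nothing but
# environment: env.launch/<VAR>.append is joined onto any existing value of
# <VAR> using the separator in <VAR>.delim when the container starts.
build() {
  layers_dir="$1"
  layer="$layers_dir/$LAYER_NAME"
  mkdir -p "$layer/env.launch"
  printf '%s' "$JVM_FLAG" > "$layer/env.launch/JAVA_TOOL_OPTIONS.append"
  printf ' ' > "$layer/env.launch/JAVA_TOOL_OPTIONS.delim"
  # launch = true keeps the layer (and its env) in the final image; it is not
  # needed at build time and there is nothing worth caching.
  cat > "$layers_dir/$LAYER_NAME.toml" <<'EOF'
[types]
launch = true
build = false
cache = false
EOF
}

# Reproduce the launcher's env merge for JAVA_TOOL_OPTIONS, so the effective
# flags can be checked without starting a container. $2 is whatever value the
# variable already had (for instance flags set by the Java buildpack itself).
resolved_java_tool_options() {
  layers_dir="$1"
  existing="${2:-}"
  env_dir="$layers_dir/$LAYER_NAME/env.launch"
  add=$(cat "$env_dir/JAVA_TOOL_OPTIONS.append")
  delim=$(cat "$env_dir/JAVA_TOOL_OPTIONS.delim")
  if [ -n "$existing" ]; then
    printf '%s%s%s' "$existing" "$delim" "$add"
  else
    printf '%s' "$add"
  fi
}

# Usage: bash log4j-workaround-buildpack.sh <app_dir> <layers_dir>
if [ "$#" -eq 2 ]; then
  if detect "$1"; then
    build "$2"
    echo "JAVA_TOOL_OPTIONS at launch: $(resolved_java_tool_options "$2" "-Xmx512m")"
  else
    echo "not a Java app, buildpack would pass (exit 100)"
  fi
fi
```

Because the value is appended rather than overwritten, flags that the Java buildpack or the platform already placed in JAVA_TOOL_OPTIONS survive; this is also why the workaround buildpack can be listed before paketo-buildpacks/java in the build order without either one clobbering the other.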

How to use it?

Include this buildpack when building your Java app:

pack build myrepo/myapp -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java

This repository includes a simple Java app that uses a Log4j version affected by the RCE exploit. Build this app with the buildpack:

pack build myrepo/myapp -p app -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack -b paketo-buildpacks/java

You can now run this app:

docker run --rm -p 8080:8080 myrepo/myapp
2021-12-10 18:58:03.234  INFO 77965 --- [           main] f.a.c.Application                        : Is Log4j2 workaround for CVE-2021-44228 enabled? true

When using kpack to build container images inside your Kubernetes cluster, apply the following steps:

  1. Add the buildpack ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack to your ClusterStore
  2. Use the buildpack in your ClusterBuilder or Builder

When using VMware Tanzu Build Service, use this command to add the buildpack to your ClusterStore:

kp clusterstore add default -b ghcr.io/alexandreroman/cve-2021-44228-workaround-buildpack

Then add the buildpack to your builder with Tanzu Build Service:

kp clusterbuilder patch mybuilder -b tanzu-buildpacks/java -b alexandreroman/cve-2021-44228-workaround-buildpack

All container images built with that builder will then be rebuilt with the workaround for the Log4j RCE exploit applied.



Contributions are always welcome!

Feel free to open issues & send PR.


Copyright © 2021 VMware, Inc. or its affiliates.

This project is licensed under the Apache Software License version 2.0.