
Bump org.apache.logging.log4j:log4j-api from 2.17.1 to 2.23.1 in /poc_template #143


Workflow file for this run

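# Extended test: builds the lab images, then runs log4shell_validator.py
# against a matrix of log4j versions and mitigations, asserting on the
# verdict text the tool prints.
#
# How the assertions work:
# - The validator is piped into tee, so the pipeline status is tee's; the
#   grep checks on output.txt are what make a step pass or fail.
# - "Expected vulnerable" steps must assert that the "not vulnerable"
#   verdict is ABSENT. `grep -v PATTERN file` does not do that: it succeeds
#   whenever any line lacks the pattern, which is practically always.
#   These steps therefore use `if grep -q ...; then exit 1; fi`.
# - An absence check alone still passes if the tool prints no verdict at
#   all (for example after a crash). NOTE(review): consider adding a
#   positive check to every expected-vulnerable step, as the Thread
#   Context step already does.
name: Extended test
on:
  pull_request:
    branches: [ main ]
  workflow_dispatch:
# Least privilege: the job only needs to read the repository.
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to full commit SHAs.
      # egress-policy: audit only records outbound connections, it does not
      # block them. NOTE(review): consider `block` with an explicit
      # `allowed-endpoints` list once the audit log shows what the build
      # actually needs.
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
      - name: Build the images
        run: |
          ./build_images.sh
      # Simple non-vulnerable scenarios
      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.12.2 [Non vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.12.2 --debug 2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.15.0 [Non vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.15.0 --debug 2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      # Simple vulnerable scenarios
      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.12.1 [vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.12.1 --debug 2>&1 | tee output.txt
          # Fail if the "not vulnerable" verdict appears anywhere in the output.
          if grep -q "not vulnerable to CVE-2021-44228" output.txt; then
            echo "Expected a vulnerable verdict, got 'not vulnerable'" >&2
            exit 1
          fi
          rm output.txt
      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.14.0 [vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --debug 2>&1 | tee output.txt
          # Fail if the "not vulnerable" verdict appears anywhere in the output.
          if grep -q "not vulnerable to CVE-2021-44228" output.txt; then
            echo "Expected a vulnerable verdict, got 'not vulnerable'" >&2
            exit 1
          fi
          rm output.txt
      # Testing Disable message lookup mitigation
      - name: Test Disable message lookup mitigation with --java-version 8 --log4j-version 2.14.0 (java8) [Not vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --debug --disable-message-lookup 2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      - name: Test Disable message lookup mitigation with --java-version 8 --log4j-version 2.9.0 (java8) [Vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.9.0 --debug --disable-message-lookup 2>&1 | tee output.txt
          # Fail if the "not vulnerable" verdict appears anywhere in the output.
          if grep -q "not vulnerable to CVE-2021-44228" output.txt; then
            echo "Expected a vulnerable verdict, got 'not vulnerable'" >&2
            exit 1
          fi
          rm output.txt
      # Testing Remove JNDI lookup class mitigation
      - name: Test Remove JNDI lookup class mitigation with --java-version 8 --log4j-version 2.14.0 [Not vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --remove-jndi-lookup-class 2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      # NOTE(review): the step name below says "[Not vulnerable]" but its
      # assertions expect a vulnerable verdict; the label looks stale.
      - name: Test Thread Context exploit --java-version 8 --log4j-version 2.14.0 [Not vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --remove-jndi-lookup-class --exploit-via-thread-context 2>&1 | tee output.txt
          # The negative verdict must be absent. This check has to run first,
          # because the positive pattern below is a substring of it.
          if grep -q "not vulnerable to CVE-2021-44228" output.txt; then
            echo "Expected a vulnerable verdict, got 'not vulnerable'" >&2
            exit 1
          fi
          grep "vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      # Testing com.sun.jndi.ldap.object.trustURLCodebase mitigation
      - name: Test com.sun.jndi.ldap.object.trustURLCodebase mitigation with --java-version 8 --log4j-version 2.14.0 (java8) [vulnerable to exfil (at least)]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --disable-trust-url 2>&1 | tee output.txt
          grep "Possible exfiltration" output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      # NOTE(review): the step name below says log4j 2.3.0 but the command
      # runs 2.9.1; confirm which version this case is meant to cover.
      - name: Test com.sun.jndi.ldap.object.trustURLCodebase mitigation with --java-version 8 --log4j-version 2.3.0 (java8) [Not vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.9.1 --disable-trust-url 2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      # Testing error handling for non-existent log4j versions
      - name: Testing a error handling for non existing log4j versions
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py --java-version 8 --log4j-version 2.8.0 --disable-trust-url 2>&1 | tee output.txt
          grep "The version of log4j you specified does not seem to exist" output.txt
          rm output.txt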