Bump org.apache.logging.log4j:log4j-api from 2.17.1 to 2.23.1 in /poc_template #143
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Extended test | |
on: | |
pull_request: | |
branches: [ main ] | |
workflow_dispatch: | |
permissions: | |
contents: read | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 | |
- name: Build the images | |
run: | | |
./build_images.sh | |
# Simple non-vulnerable scenarios | |
- name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.12.2 [Non vulnerable] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.12.2 --debug 2>&1 | tee output.txt | |
grep "not vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
- name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.15.0 [Non vulnerable] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.15.0 --debug 2>&1 | tee output.txt | |
grep "not vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
# Simple vulnerable scenarios | |
- name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.12.1 [vulnerable] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.12.1 --debug 2>&1 | tee output.txt | |
grep -v "not vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
- name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.14.0 [vulnerable] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --debug 2>&1 | tee output.txt | |
grep -v "not vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
# Testing Disable message lookup mitigation | |
- name: Test Disable message lookup mitigation with --java-version 8 --log4j-version 2.14.0 (java8) [Not vulnerable] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --debug --disable-message-lookup 2>&1 | tee output.txt | |
grep "not vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
- name: Test Disable message lookup mitigation with --java-version 8 --log4j-version 2.9.0 (java8) [Vulnerable] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.9.0 --debug --disable-message-lookup 2>&1 | tee output.txt | |
grep -v "not vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
# Testing Remove JNDI lookup class mitigation | |
- name: Test Remove JNDI lookup class mitigation with --java-version 8 --log4j-version 2.14.0 [Not vulnerable] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --remove-jndi-lookup-class 2>&1 | tee output.txt | |
grep "not vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
- name: Test Thread Context exploit --java-version 8 --log4j-version 2.14.0 [Not vulnerable] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --remove-jndi-lookup-class --exploit-via-thread-context 2>&1 | tee output.txt | |
grep -v "not vulnerable to CVE-2021-44228" output.txt | |
grep "vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
# Testing com.sun.jndi.ldap.object.trustURLCodebase mitigation | |
- name: Test com.sun.jndi.ldap.object.trustURLCodebase mitigation with --java-version 8 --log4j-version 2.14.0 (java8) [vulnerable to exfil (at least)] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --disable-trust-url 2>&1 | tee output.txt | |
grep "Possible exfiltration" output.txt | |
grep "not vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
- name: Test com.sun.jndi.ldap.object.trustURLCodebase mitigation with --java-version 8 --log4j-version 2.3.0 (java8) [Not vulnerable] | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.9.1 --disable-trust-url 2>&1 | tee output.txt | |
grep "not vulnerable to CVE-2021-44228" output.txt | |
rm output.txt | |
# Testing a error handling for non existing log4j versions: | |
- name: Testing a error handling for non existing log4j versions | |
run: | | |
#!/bin/sh | |
set -x | |
python log4shell_validator.py --java-version 8 --log4j-version 2.8.0 --disable-trust-url 2>&1 | tee output.txt | |
grep "The version of log4j you specified does not seem to exist" output.txt | |
rm output.txt |