A sample project to debunk common misbeliefs regarding the impact of the Log4j vulnerabilities on Java applications

Overview

A weapon you held...

Introduction

This project intends to debunk two common misbeliefs regarding the impact of the recently discovered Log4j 2.x vulnerabilities on Java applications for two typical scenarios, as reported by the following CVE records:

The first two, famously nicknamed Log4Shell, enable Remote-Code-Execution, while the last one allows a Denial-of-Service.

Misbelief #1: All Log4j modules from 2.0 to 2.16 were impacted by at least one of these vulnerabilities

Unfortunately, only the description of the first CVE explicitly says that only the log4j-core module was affected; the other two are vague about which module is impacted. The official Apache Log4j Security Vulnerabilities page states more accurately that only log4j-core was impacted by the 3 recent vulnerabilities. Therefore, we can safely claim that:

Your application is immune to those three vulnerabilities if it does not include the log4j-core module in the runtime classpath.

Misbelief #2: If log4j-core older than 2.17 is present in the classpath, then my application is necessarily vulnerable

This one is more subtle. Many applications are based on Spring Boot, which by default uses Logback as its logging implementation but also includes some Log4j modules to bridge the Log4j API to SLF4J/Logback, namely:

  • log4j-to-slf4j
  • log4j-api

It is not unusual for log4j-core to also be pulled into the runtime classpath transitively by some application dependency. We then have two implementations (aka "providers") available whenever the Log4j API is used directly.

As implemented in Log4j's LogManager initialization code, only one provider is used: the one with the highest priority. Luckily, log4j-to-slf4j has a higher priority (15) than log4j-core (10), relegating any vulnerable log4j-core module to an "inert pathogen". Again, we can conclude that:

Your application is also immune if it contains both log4j-to-slf4j and log4j-core in the runtime classpath.
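The two claims above can be checked inside the running JVM rather than by reading the dependency tree. The following diagnostic is an added example, not code from this project: it probes for a class that exists only in log4j-core and one that exists only in log4j-to-slf4j, lists every discovered provider with the priority LogManager uses to pick one, and reports which LoggerContextFactory was actually bound. It relies on the public Log4j 2.x SPI classes Provider and ProviderUtil and must run with the application's own runtime classpath (for example, from the project's main method).

```java
// Added diagnostic (not part of the project): reports which Log4j 2.x
// provider is actually bound, so the two claims above can be verified at runtime.
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.spi.LoggerContextFactory;
import org.apache.logging.log4j.spi.Provider;
import org.apache.logging.log4j.util.ProviderUtil;

public class Log4jProviderCheck {

    // Marker classes: each one is shipped only by the respective module.
    private static final String CORE_FACTORY = "org.apache.logging.log4j.core.impl.Log4jContextFactory";
    private static final String SLF4J_FACTORY = "org.apache.logging.slf4j.SLF4JLoggerContextFactory";

    // Loads the class without initializing it, so no logging is triggered.
    static boolean onClasspath(String className) {
        try {
            Class.forName(className, false, Log4jProviderCheck.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        boolean coreFound = onClasspath(CORE_FACTORY);
        boolean bridgeFound = onClasspath(SLF4J_FACTORY);
        System.out.println("log4j-core on runtime classpath:     " + coreFound);
        System.out.println("log4j-to-slf4j on runtime classpath: " + bridgeFound);

        // Every provider found via META-INF/log4j-provider.properties, with its priority.
        for (Provider p : ProviderUtil.getProviders()) {
            System.out.printf("provider %-60s priority %d%n", p.getClassName(), p.getPriority());
        }

        // The factory LogManager actually selected: the highest priority wins.
        LoggerContextFactory factory = LogManager.getFactory();
        String active = factory.getClass().getName();
        System.out.println("active LoggerContextFactory: " + active);

        if (!coreFound) {
            System.out.println("=> Misbelief #1 case: no log4j-core, so the log4j-core CVEs do not apply.");
        } else if (SLF4J_FACTORY.equals(active)) {
            System.out.println("=> Misbelief #2 case: log4j-core is present but inert; the SLF4J bridge is bound.");
        } else {
            System.out.println("=> log4j-core is the active provider: upgrade it.");
        }
    }
}
```

On the master branch the output should show both providers with log4j-to-slf4j (15) outranking log4j-core (10) and SLF4JLoggerContextFactory as the active factory; on only-log4j it should show Log4jContextFactory bound.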

Branches

Branch      Test
master      Both log4j-to-slf4j and log4j-core are in the RT classpath
only-log4j  Only log4j-core on the RT classpath

For all branches, we're using the old, unpatched, Log4j v2.14.1.

How to run

First, build the application binary with:

$ ./gradlew installDist

Then run the application with no arguments to see the instructions:

$ ./build/install/log4j-test/bin/log4j-test