Update log4j to a vulnerable version, include malicious app as git submodule and update Dockerfile to launch it along with insecure-bank app

Author: Igor Unanua

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "log4j-cve-2021-44228"]
+	path = log4j-cve-2021-44228
+	url = https://github.com/manuel-alvarez-alvarez/log4j-cve-2021-44228

Dockerfile

@@ -1,5 +1,22 @@
-FROM tomcat:9.0-jre11
-MAINTAINER Hdiv Security
+FROM gradle:7.3.1-jdk17 AS builder
+
+COPY --chown=gradle:gradle ./log4j-cve-2021-44228 /home/gradle/src
+WORKDIR /home/gradle/src
+RUN gradle :malicious-server:bootJar --no-daemon
+
+FROM openjdk:8u181-jdk-alpine
+
+RUN mkdir /app
+COPY --from=builder /home/gradle/src/malicious-server/build/libs/*.jar /app/malicious-server.jar
+
+RUN mkdir -p /usr/local/tomcat/
+
+WORKDIR /usr/local/tomcat
+RUN wget --no-check-certificate http://dlcdn.apache.org/tomcat/tomcat-8/v8.5.73/bin/apache-tomcat-8.5.73.tar.gz
+RUN tar xvfz apache*.tar.gz
+RUN mv apache-tomcat-8.5.73/* /usr/local/tomcat/.
+
+ADD start.sh /usr/local/tomcat/
 
 # Copy the application to tomcat
 ADD target/insecure-bank.war /usr/local/tomcat/webapps
@@ -16,4 +33,4 @@ CMD export JAVA_OPTS="-javaagent:hdiv/hdiv-ee-agent.jar \
   -Dhdiv.console.url=http://console:8080/hdiv-console-services \
   -Dhdiv.console.token=04db250da579302ca273a958 \
   -Dhdiv.server.name=Testing-Docker \
-  -Dhdiv.toolbar.enabled=true" && catalina.sh run
+  -Dhdiv.toolbar.enabled=true" && ./start.sh

log4j-cve-2021-44228

@@ -124,7 +124,7 @@
 		<dependency>
 			<groupId>org.hibernate</groupId>
 			<artifactId>hibernate-validator</artifactId>
-			<version>4.1.0.Final</version>
+			<version>4.3.2.Final</version>
 		</dependency>
 		<!-- JAXB -->
 		<dependency>
@@ -160,27 +160,10 @@
 			<version>1.5.3</version>
 		</dependency>
 		<!-- Logging -->
-		<dependency>
-			<groupId>commons-logging</groupId>
-			<artifactId>commons-logging</artifactId>
-			<version>1.1.1</version>
-		</dependency>
-		<dependency>
-			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-api</artifactId>
-			<version>${org.slf4j-version}</version>
-		</dependency>
-		<dependency>
-			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
-			<version>${org.slf4j-version}</version>
-			<scope>runtime</scope>
-		</dependency>
-		<dependency>
-			<groupId>log4j</groupId>
-			<artifactId>log4j</artifactId>
-			<version>1.2.17</version>
-			<scope>runtime</scope>
+		 <dependency>
+		   <groupId>org.apache.logging.log4j</groupId>
+		   <artifactId>log4j-slf4j-impl</artifactId>
+		   <version>2.14.1</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-fileupload</groupId>

pom.xml

@@ -0,0 +1,15 @@
+status = warn
+
+# Name of the configuration
+name = ConsoleLogConfig
+
+# Console appender configuration
+appender.console.type = Console
+appender.console.name = consoleLogger
+appender.console.layout.type = PatternLayout
+appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
+
+# Root logger level
+rootLogger.level = debug
+# Root logger referring to console appender
+rootLogger.appenderRef.stdout.ref = consoleLogger

src/main/resources/log4j2.properties

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+java -jar /app/malicious-server.jar &
+
+./bin/catalina.sh run