diff options
author | Fabian Meumertzheim <fabian@meumertzhe.im> | 2021-12-10 16:07:03 +0100 |
---|---|---|
committer | Fabian Meumertzheim <fabian@meumertzhe.im> | 2021-12-13 13:21:09 +0100 |
commit | 6ae678426a2915fedf2342becacb2c36c04d659c (patch) | |
tree | 04d8b09794bdb2ac22f1fa227c517ca2447baf41 | |
parent | 86f5b94657ef07f848bb95d51f489893907e31c7 (diff) | |
download | jazzer-api-6ae678426a2915fedf2342becacb2c36c04d659c.tar.gz |
Add log4j CVE-2021-44228 example
-rw-r--r-- | examples/BUILD.bazel | 20 | ||||
-rw-r--r-- | examples/src/main/java/com/example/Log4jFuzzer.java | 82 | ||||
-rw-r--r-- | maven.bzl | 4 | ||||
-rw-r--r-- | maven_install.json | 30 |
4 files changed, 134 insertions, 2 deletions
diff --git a/examples/BUILD.bazel b/examples/BUILD.bazel index 06f0d2a0..7f65a15b 100644 --- a/examples/BUILD.bazel +++ b/examples/BUILD.bazel @@ -103,6 +103,26 @@ java_fuzz_target_test( ) java_fuzz_target_test( + name = "Log4jFuzzer", + timeout = "long", + srcs = [ + "src/main/java/com/example/Log4jFuzzer.java", + ], + fuzzer_args = [ + "-fork=4", + "-use_value_profile=1", + ], + # Finding this bug takes ~5 minutes on a decent laptop, but the GitHub Actions machines are not + # powerful enough to run it as part of our test suite. + tags = ["manual"], + target_class = "com.example.Log4jFuzzer", + deps = [ + "@maven//:org_apache_logging_log4j_log4j_api", + "@maven//:org_apache_logging_log4j_log4j_core", + ], +) + +java_fuzz_target_test( name = "JpegImageParserFuzzer", srcs = [ "src/main/java/com/example/JpegImageParserFuzzer.java", diff --git a/examples/src/main/java/com/example/Log4jFuzzer.java b/examples/src/main/java/com/example/Log4jFuzzer.java new file mode 100644 index 00000000..41870c9c --- /dev/null +++ b/examples/src/main/java/com/example/Log4jFuzzer.java @@ -0,0 +1,82 @@ +// Copyright 2021 Code Intelligence GmbH +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.example; + +import com.code_intelligence.jazzer.api.FuzzedDataProvider; +import org.apache.logging.log4j.Level; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.apache.logging.log4j.core.Appender; +import org.apache.logging.log4j.core.Core; +import org.apache.logging.log4j.core.LogEvent; +import org.apache.logging.log4j.core.appender.AbstractAppender; +import org.apache.logging.log4j.core.config.Configurator; +import org.apache.logging.log4j.core.config.builder.api.AppenderComponentBuilder; +import org.apache.logging.log4j.core.config.builder.api.RootLoggerComponentBuilder; +import org.apache.logging.log4j.core.config.builder.impl.DefaultConfigurationBuilder; +import org.apache.logging.log4j.core.config.plugins.Plugin; +import org.apache.logging.log4j.core.config.plugins.PluginAttribute; +import org.apache.logging.log4j.core.config.plugins.PluginFactory; +import org.apache.logging.log4j.core.layout.PatternLayout; +import org.apache.logging.log4j.status.StatusLogger; + +// This fuzzer reproduces the log4j RCE vulnerability CVE-2021-44228. +public class Log4jFuzzer { + private final static Logger log = LogManager.getLogger(Log4jFuzzer.class.getName()); + + public static void fuzzerTestOneInput(FuzzedDataProvider data) { + log.error(data.consumeRemainingAsString()); + } + + public static void fuzzerInitialize() { + // Install a logger that constructs the log message, but never prints it. + // This noticeably increases the fuzzing performance + DefaultConfigurationBuilder configBuilder = new DefaultConfigurationBuilder(); + configBuilder.setPackages(FuzzingAppender.class.getPackage().getName()); + AppenderComponentBuilder fuzzingAppender = + configBuilder.newAppender("nullAppender", "FuzzingAppender"); + configBuilder.add(fuzzingAppender); + RootLoggerComponentBuilder rootLogger = configBuilder.newRootLogger(); + rootLogger.add(configBuilder.newAppenderRef("nullAppender")); + configBuilder.add(rootLogger); + Configurator.reconfigure(configBuilder.build()); + + // Disable logging of exceptions caught in log4j itself. + StatusLogger.getLogger().reset(); + StatusLogger.getLogger().setLevel(Level.OFF); + } + + @Plugin( + name = "FuzzingAppender", category = Core.CATEGORY_NAME, elementType = Appender.ELEMENT_TYPE) + public static class FuzzingAppender extends AbstractAppender { + protected FuzzingAppender(String name) { + super(name, null, PatternLayout.createDefaultLayout(), true); + } + + @PluginFactory + public static FuzzingAppender createAppender(@PluginAttribute("name") String name) { + return new FuzzingAppender(name); + } + + @Override + public void append(LogEvent event) { + try { + getLayout().toByteArray(event); + } catch (Exception ignored) { + // Prevent exceptions from being logged to stderr. + } + } + } +} @@ -15,6 +15,8 @@ JAZZER_API_VERSION = "0.10.0" JAZZER_API_COORDINATES = "com.code-intelligence:jazzer-api:%s" % JAZZER_API_VERSION +# **WARNING**: These Maven dependencies have known vulnerabilities and are only used to test that +# Jazzer finds these issues. DO NOT USE. MAVEN_ARTIFACTS = [ "junit:junit:4.12", "org.apache.commons:commons-imaging:1.0-alpha2", @@ -29,4 +31,6 @@ MAVEN_ARTIFACTS = [ "javax.xml.bind:jaxb-api:2.3.1", "javax.el:javax.el-api:3.0.1-b06", "org.hibernate:hibernate-validator:5.2.4.Final", + "org.apache.logging.log4j:log4j-api:jar:2.14.1", + "org.apache.logging.log4j:log4j-core:jar:2.14.1", ] diff --git a/maven_install.json b/maven_install.json index 1312ca22..faef1860 100644 --- a/maven_install.json +++ b/maven_install.json @@ -1,8 +1,8 @@ { "dependency_tree": { "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL", - "__INPUT_ARTIFACTS_HASH": 1253627227, - "__RESOLVED_ARTIFACTS_HASH": 2123690276, + "__INPUT_ARTIFACTS_HASH": -1844081556, + "__RESOLVED_ARTIFACTS_HASH": 40706841, "conflict_resolution": {}, "dependencies": [ { @@ -200,6 +200,32 @@ "url": "https://repo1.maven.org/maven2/org/apache/commons/commons-imaging/1.0-alpha2/commons-imaging-1.0-alpha2.jar" }, { + "coord": "org.apache.logging.log4j:log4j-api:2.14.1", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar" + ], + "sha256": "8caf58db006c609949a0068110395a33067a2bad707c3da35e959c0473f9a916", + "url": "https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar" + }, + { + "coord": "org.apache.logging.log4j:log4j-core:2.14.1", + "dependencies": [ + "org.apache.logging.log4j:log4j-api:2.14.1" + ], + "directDependencies": [ + "org.apache.logging.log4j:log4j-api:2.14.1" + ], + "file": "v1/https/repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar" + ], + "sha256": "ade7402a70667a727635d5c4c29495f4ff96f061f12539763f6f123973b465b0", + "url": "https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar" + }, + { "coord": "org.hamcrest:hamcrest-core:1.3", "dependencies": [], "directDependencies": [], |