Brick Pony

Challenge Information

Project: log4j2

Type: delta

Harnesses: 1

Vulnerabilities: 1

GitHub • Challenge Download • Challenge Diff

AFC Challenge Performance

Number of Unique Vulnerabilities Discovered: #

Number of Teams with Scoring PoVs: 3

Number of Teams with Scoring Patches: 2

Number of Teams with Scoring Bundles: 2

Total Points Scored for this Challenge: 27.473390640750054

What design decisions were considered for this challenge?

This challenge replays log4shell, one of the most impactful Java vulnerabilities in recent memory.

Why this set of vulnerabilities?

Log4shell is the most famous Java vulnerability in recent memory and a high-value benchmark for detection capabilities.

Delta vs Full and why?

Delta, to replay the specific pull request that introduced the log4shell vulnerability.

Challenge Harnesses

SimpleLoggerFuzzer

Challenge Sarif Broadcast

Target .aixcc/vulns/vuln_0/vuln.yaml

Sarif is correct

PLACEHOLDER FOR SARIF

Challenge Vulnerabilities

log4shell

Vulnerability Information

Author: anonymous

Harness: SimpleLoggerFuzzer

CWE Classification: CWE-917 , CWE-20

What functions and functionality is relevant?

Logging user generated data can lead to arbitrary code execution.

Why is this vulnerable?

Logging user controlled data can make calls to LDAP and JNDI servers, which can lead to arbitrary code execution.

Is this a replay and/or is inspired by anything?

This is a replay of log4shell – CVE-2021–44228. We added a boolean “ENABLE_JNDI” that should not be “true” as default.

What makes it interesting?

This is one of the most famous, severe and widespread vulnerabilities in the Java ecosystem in recent memory. This is straightforward to recognize given its notoriety, and Jazzer includes a sanitizer designed to find exactly this class of vulnerability.