
[Snyk] Upgrade org.springframework:spring-aop from 4.3.7.RELEASE to 4.3.30.RELEASE #69



Workflow file for this run

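# Extended end-to-end tests for the log4shell validator lab.
#
# Every step runs the Python CLI against one Java / log4j / mitigation
# combination and asserts on the verdict string the validator prints.
# The grep assertions are the source of truth for each scenario; the
# bracketed label in the step name documents the expected verdict.
name: Extended test

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [ main ]
  workflow_dispatch:

# Least privilege: nothing in this workflow pushes, comments or publishes,
# so the GITHUB_TOKEN only needs read access to the repository contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    defaults:
      run:
        # An explicit bash shell runs with `-e -o pipefail`; without pipefail
        # a crash of the validator is masked by the exit status of `tee`.
        shell: bash
    steps:
      # Supply chain: a floating major tag is mutable. Prefer pinning to a
      # full commit SHA (`actions/checkout@<sha>  # vX.Y.Z`) once the release
      # has been reviewed; the v2 tag is deprecated on current runners.
      - uses: actions/checkout@v4

      - name: Build the images
        run: |
          ./build_images.sh

      # Simple non-vulnerable scenarios
      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.12.2 [Non vulnerable]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.12.2 --debug 2>&1 | tee output.txt
          grep -q "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.15.0 [Non vulnerable]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.15.0 --debug 2>&1 | tee output.txt
          grep -q "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      # Simple vulnerable scenarios.
      #
      # A bare `grep -v "not vulnerable ..."` succeeds as soon as ANY line of
      # the (debug) output differs from the pattern, i.e. practically always,
      # so it asserted nothing. Each vulnerable scenario now fails explicitly
      # when a "not vulnerable" verdict is printed and additionally requires
      # the positive verdict. `! grep` is avoided because `set -e` ignores a
      # negated pipeline.
      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.12.1 [vulnerable]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.12.1 --debug 2>&1 | tee output.txt
          if grep -q "not vulnerable to CVE-2021-44228" output.txt; then
            echo "expected a vulnerable verdict for log4j 2.12.1" >&2
            exit 1
          fi
          grep -q "vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.14.0 [vulnerable]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --debug 2>&1 | tee output.txt
          if grep -q "not vulnerable to CVE-2021-44228" output.txt; then
            echo "expected a vulnerable verdict for log4j 2.14.0" >&2
            exit 1
          fi
          grep -q "vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      # Testing the "disable message lookup" mitigation
      - name: Test Disable message lookup mitigation with --java-version 8 --log4j-version 2.14.0 (java8) [Not vulnerable]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --debug --disable-message-lookup 2>&1 | tee output.txt
          grep -q "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      # The mitigation flag is expected to have no effect on this older
      # release, so the scenario must still report a vulnerable verdict.
      - name: Test Disable message lookup mitigation with --java-version 8 --log4j-version 2.9.0 (java8) [Vulnerable]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.9.0 --debug --disable-message-lookup 2>&1 | tee output.txt
          if grep -q "not vulnerable to CVE-2021-44228" output.txt; then
            echo "expected a vulnerable verdict for log4j 2.9.0 with --disable-message-lookup" >&2
            exit 1
          fi
          grep -q "vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      # Testing the "remove JNDI lookup class" mitigation
      - name: Test Remove JNDI lookup class mitigation with --java-version 8 --log4j-version 2.14.0 [Not vulnerable]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --remove-jndi-lookup-class 2>&1 | tee output.txt
          grep -q "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      # NOTE(review): this step was labelled "[Not vulnerable]" while its
      # assertions require a vulnerable verdict; the label now follows the
      # assertions. Confirm that this is the intended outcome of the
      # thread-context exploit path with the lookup class removed.
      - name: Test Thread Context exploit --java-version 8 --log4j-version 2.14.0 [vulnerable]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --remove-jndi-lookup-class --exploit-via-thread-context 2>&1 | tee output.txt
          if grep -q "not vulnerable to CVE-2021-44228" output.txt; then
            echo "expected a vulnerable verdict for the thread-context exploit" >&2
            exit 1
          fi
          grep -q "vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      # Testing the com.sun.jndi.ldap.object.trustURLCodebase mitigation.
      # Disabling remote codebase loading blocks RCE but not the outbound
      # JNDI request itself, so the validator still reports possible
      # exfiltration alongside the "not vulnerable" verdict.
      - name: Test com.sun.jndi.ldap.object.trustURLCodebase mitigation with --java-version 8 --log4j-version 2.14.0 (java8) [vulnerable to exfil (at least)]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.14.0 --disable-trust-url 2>&1 | tee output.txt
          grep -q "Possible exfiltration" output.txt
          grep -q "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      # NOTE(review): the step name previously said 2.3.0 while the command
      # ran 2.9.1; the name now matches the command. Confirm which version
      # this scenario was meant to cover.
      - name: Test com.sun.jndi.ldap.object.trustURLCodebase mitigation with --java-version 8 --log4j-version 2.9.1 (java8) [Not vulnerable]
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.9.1 --disable-trust-url 2>&1 | tee output.txt
          grep -q "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      # Testing error handling for non-existing log4j versions
      - name: Test error handling for non-existing log4j versions
        run: |
          set -xeuo pipefail
          python log4shell_validator.py --java-version 8 --log4j-version 2.8.0 --disable-trust-url 2>&1 | tee output.txt
          grep -q "The version of log4j you specified does not seem to exist" output.txt
          rm output.txt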