Finding the log4j RCE With Fuzzing

December 13 2021 | 1 min

On December 9th, 2021, the Remote Code Execution (RCE) vulnerability CVE-2021-44228 in Apache log4j 2 was published, and active exploitation started soon after. Since then, development teams have been working tirelessly to fix the issue and prevent (further) damage.

Can Fuzz Testing Help?

Yes – CI Fuzz version 2.28.0 and up can find this vulnerability if log4j is included in the list of libraries to instrument for fuzzing. Due to the high interest in this class of vulnerabilities, we are making the relevant bug detector available to the open-source community. With Jazzer, our open-source fuzzing engine that is part of Google’s OSS-Fuzz, you can now find the log4j vulnerability as well as similar RCE issues in the same way as with our core product CI Fuzz.

Protecting Open-Source Projects With Fuzzing

Since Jazzer is part of OSS-Fuzz, all integrated open-source projects written in Java and other JVM-based languages are now continuously searched for similar vulnerabilities. A fuzz target for log4j that reproduces the vulnerability can be found here.

[Image: The logs of a Jazzer run that finds log4j CVE-2021-44228]
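
An example of what a Jazzer fuzz target for log4j can look like, added here for illustration (it is not the linked target and not Code Intelligence's code): it passes fuzzer-generated strings to a logger both as the message itself and as a parameter of a fixed format string, the two ways an application typically logs untrusted data. The class name `Log4jMessageFuzzer`, the format string and the 50/50 split between the two paths are assumptions; log4j-core must be on the classpath and, as the post says, among the instrumented libraries.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// Hypothetical fuzz target; the class name is an assumption of this example.
public class Log4jMessageFuzzer {
  // Assumption: no log4j configuration file is present, so log4j's default
  // configuration applies and ERROR-level events are formatted and written
  // to the console. Events below ERROR would be dropped before formatting.
  private static final Logger LOG = LogManager.getLogger(Log4jMessageFuzzer.class);

  // Jazzer calls this method once for every input it generates.
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    // Let the fuzzer choose which logging path to exercise.
    boolean asParameter = data.consumeBoolean();
    String untrusted = data.consumeRemainingAsString();

    if (asParameter) {
      // Untrusted data substituted into a fixed format string, e.g. a
      // request header or user name written to an audit log.
      LOG.error("request from {}", untrusted);
    } else {
      // Untrusted data used directly as the log message.
      LOG.error(untrusted);
    }
  }
}
```

The target contains no assertions of its own: a finding is reported when the bug detector mentioned above, or an uncaught exception, fires while log4j formats the message.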

About Fabian Meumertzheim

Fabian Meumertzheim (@fhenneke) is a Senior Software Engineer at Code Intelligence. A mathematician by education, he has always been passionate about IT security. He maintains and contributes to multiple open-source projects, such as Chromium, system, and Android Password Store, all with the aim of making security unobtrusive and ubiquitous.

See Jazzer on GitHub
