I’m really worried about this vulnerability in Ubuntu, but do I have this library on my system?
My webserver is running a couple of node expressjs frameworks over nginx, plus a geoserver .
I did an update on the machine today with sudo apt update && sudo apt upgrade: ubuntu-advantage-tools, openssl and libssl1.1.
My java version is: openjdk version "1.8.0_292" OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~18.04-b10) OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)
The geoserver is version 2.13.0, and it appears to be the only software that uses log4j. My geoserver is the platform-independent binary version (not Tomcat), and it appears to utilize jetty as its webserver.
How can I tell if I have log4j and what version I have?
3 Answers
Introduction
Log4j is a Java-based logging utility that is widely used in web applications, including the popular Apache web server. Recently, a vulnerability was discovered in log4j that could allow attackers to execute arbitrary code on a system. This vulnerability has been classified as critical, and many organizations are scrambling to determine whether they are at risk. In this blog post, we will explore how to determine whether log4j is installed on an Ubuntu system and what version is installed.
Checking for log4j
To determine whether log4j is installed on your Ubuntu system, you can use the following command:
dpkg -l | grep log4j
This command will search for any packages that contain the string “log4j” in their name. If log4j is installed on your system, you should see one or more packages listed in the output.
If you do not see any packages listed, it is likely that log4j is not installed on your system. However, it is important to note that some applications may bundle their own version of log4j, so it is still possible that you could be at risk.
Determining the log4j version
If you have determined that log4j is installed on your system, the next step is to determine what version is installed. To do this, you can use the following command:
dpkg -s <package-name> | grep Version
Replace
If you have multiple packages that contain log4j installed on your system, you will need to run this command for each package to determine the version number.
Checking for the log4j vulnerability
If you have determined that log4j is installed on your system, the next step is to determine whether you are vulnerable to the log4j vulnerability. The vulnerability is tracked as CVE-2021-44228 and is classified as critical.
To determine whether you are vulnerable, you can use the following command:
grep -r "log4j" /
This command will search your entire file system for any references to log4j. If you have any applications that use log4j, they will likely have log4j configuration files that reference the library.
If the output of this command includes any references to log4j version 2.0 or later, you may be vulnerable to the log4j vulnerability. However, it is important to note that some applications may use log4j without having log4j configuration files on the file system, so this command may not be definitive.
Updating log4j
If you have determined that you are vulnerable to the log4j vulnerability, the next step is to update log4j to a version that is not vulnerable. The log4j project has released versions 2.15.0 and 2.16.0 that address the vulnerability.
To update log4j on your Ubuntu system, you can use the following command:
sudo apt-get update && sudo apt-get install <package-name>
Replace
If you have applications that use log4j bundled with the application, you will need to update the log4j library in those applications separately.
Conclusion
The log4j vulnerability is a critical vulnerability that could allow attackers to execute arbitrary code on a system. If you are running Ubuntu, it is important to determine whether log4j is installed on your system and what version is installed. If you are vulnerable to the log4j vulnerability, it is important to update log4j to a version that is not vulnerable as soon as possible. By following the steps outlined in this blog post, you can determine whether you are at risk and take steps to protect your system.
To check if log4j is installed on your Ubuntu system, you can try running the following command:
dpkg -l | grep log4j
This will list any packages that are installed on your system and contain “log4j” in the name. If log4j is installed, you should see a package called “liblog4j1.2-java” or something similar listed in the output.
Alternatively, you can check if log4j is installed by looking for the log4j jar file in the classpath of your Java applications. If log4j is being used by one of your Java applications, you should see a log4j jar file in the classpath of that application.
To check the version of log4j that is installed, you can try running the following command:
dpkg -s liblog4j1.2-java | grep Version
This will display the version of the log4j package that is installed on your system.
It’s also possible that log4j is not installed on your system but is being used by one of your Java applications. In this case, you can check the version of log4j that is being used by your Java application by looking for the log4j jar file in the classpath of that application and checking the version information contained in the file.
If you are concerned about the vulnerability in log4j, you should check to see if log4j is installed on your system and, if it is, verify that you have the latest version installed. You can do this by following the steps I described above.
If log4j is installed on your system, you should also check to see if any of your Java applications are using log4j. If they are, you should verify that they are using the latest version of log4j.
If you find that log4j is installed on your system and is being used by one of your Java applications, but you are not using the latest version, you may want to consider upgrading to the latest version to ensure that you are not vulnerable to the reported vulnerabilities.
It’s also a good idea to regularly check for updates to log4j and other software you use to ensure that you are using the most secure and up-to-date versions.
I can check if Log4j is installed on my system through apt by running the following command:
apt list --installed | grep -i log4j
However, I still need to check for possible files that might be running somewhere by using the following command:
locate log4j
In addition, it’s a good idea to check if I am running the Java Runtime on my server by running the following command:
java -version
If I am not even running the Java Runtime, Log4j may not be relevant on this server, as it is a Java library. There may be other places for me to check as well.