Score:14

Is Ubuntu itself vulnerable to Log4shell?


We run different versions of Ubuntu OS (mostly ver 18 and 20), on MANY machines. My question: Is Ubuntu OS affected by the Log4shell vulnerability now reported in log4js? TIA

Zeiss Ikon: Do your users have the ability to install Notepad++ on your Ubuntu machines?

Unknown - why do you ask?

Zeiss Ikon: I understood the known vector was a Notepad++ installer (for Windows, I presume).

guiverc: By 18 & 20 do you mean Ubuntu Core 18 & Ubuntu Core 20? Ubuntu has used the *year* format for *snap*-only products since 2016, and they can be impacted by different CVEs than 18.04 & 20.04, for example. If you're worried about CVEs, why not check using the check site? (On 18 & 20 user apps are *confined*, thus have far more limited access to the root file-system when contrasted with 18.04 & 20.04, for example - they are different systems.)

user535733: Reference: https://ubuntu.com/security/CVE-2021-44228

@ZeissIkon Notepad++ is written in C++, not Java. See https://community.notepad-plus-plus.org/topic/22260/log4j-vulnerability/3

phuclv: @ZeissIkon how on earth is the Notepad++ installer a known vector?

@ZeissIkon This vulnerability is reported to be easy to exploit, hence the fuss about it. Although I'm not familiar with the details, exploits won't be limited to a single vector.

user535733: [Ubuntu Security Podcast #142](https://ubuntusecuritypodcast.org/episode-142/) spends over 10 minutes discussing the ramifications of this vulnerability. Worth a listen.
Score:40

Generally, no. Only folks who have a specific Java package installed might be vulnerable.

  • The deb package (apache-log4j2) is not part of a stock Ubuntu install. Most vulnerable systems run either webservers or java applications (like Minecraft servers). If you didn't install a server application, then you're unlikely to be affected by this vulnerability.

  • Most affected folks who installed the software using the deb package have already received a patch to close the vulnerability.

  • Ubuntu Security Podcast #142 discusses the CVE, and is definitely worth listening to! Thanks to the hard-working engineers on the Ubuntu Security Team, keeping our Ubuntu systems safe.

  • If you installed log4j2 as part of a webserver or Java application using a Snap package, check with the author of that snap for a security upgrade.

  • If you installed log4j2 as part of your webserver or Java application some other way (AppImage, Flatpak, pip, Brew, compiled, etc.), then it's up to you to return to that source and find a patched version, or to read the CVE for manual mitigation settings.

  • If you have installed a whole software stack or platform consisting of many interrelated applications, then it's possible that the vulnerable software might be embedded in that stack. Consult the source you got it from.

From https://ubuntu.com/security/notices/USN-5192-1

Releases
Ubuntu 21.10 Ubuntu 21.04 Ubuntu 20.04 LTS Ubuntu 18.04 LTS

Packages
apache-log4j2 - Apache Log4j - Logging Framework for Java

...and...

Update instructions
The problem can be corrected by updating your system to the following package versions:


Let's expand this a bit for deb package users:

How to tell if you are affected

Simply ask apt:

me@me:~$ apt list apache-log4j2

There are three possible results:

Listing... Done

me@me:~$      <-- No output at all. It's not installed.
                  You're not vulnerable.


apache-log4j2/focal,now 2.11.2-1 amd64  <-- It's available, but NOT installed.
                  You're not vulnerable.


apache-log4j2/focal,now 2.11.2-1 amd64 [installed] <-- It's installed
                  You MIGHT be vulnerable.

If you're not vulnerable, you can stop here.

If you MIGHT be vulnerable, the next thing to look at is the package version returned by that string.

Ubuntu 18.04
apache-log4j2/bionic,now 2.10.0-2 amd64 [installed]           Vulnerable
apache-log4j2/bionic,now 2.10.0-2ubuntu0.1 amd64 [installed]  NOT Vulnerable

Ubuntu 20.04
apache-log4j2/focal,now 2.11.2-1 amd64 [installed]            Vulnerable
apache-log4j2/focal,now 2.15.0-0.20.04.1 amd64 [installed]    NOT Vulnerable

Ubuntu 21.04
apache-log4j2/hirsute,now 2.13.3-1 amd64 [installed]          Vulnerable
apache-log4j2/hirsute,now 2.15.0-0.21.04.1 amd64 [installed]  NOT Vulnerable

Ubuntu 21.10
apache-log4j2/impish,now 2.13.3-1 amd64 [installed]           Vulnerable
apache-log4j2/impish,now 2.15.0-0.21.10.1 amd64 [installed]   NOT Vulnerable

The versions that are NOT Vulnerable have already been patched by the Ubuntu Security Team. Most folks have already received the patched version via Unattended Upgrades.

  • That's what Unattended Upgrades does! It installs security upgrades without bothering you.

If your system is Vulnerable, then simply sudo apt update and sudo apt upgrade to pull in the latest security upgrades.

About Snaps: It might be possible that an unpatched log4j2 dwells within some snap packages.

  • We probably won't know about it. Snap software audits, if any, are done by community members. An audit is not required to release a snap package.
  • The whole point of snap confinement is to prevent such vulnerabilities from threatening the entire system.
  • If you find a vulnerable snap package, file a bug report with the author!
  • Snapd checks for upgraded packages multiple times each day. If a vulnerable snap package gets patched, you'll have that patch within a few hours.
marcelm: It's probably a good idea to mention user-installed software. Stuff like PPAs, software suites with their own installers, compiled from source, etc. Those are not a part of Ubuntu, but Ubuntu users may have installed something like that, and they _must_ check such installations.
user535733: Good point. Added a bullet to the first paragraph.
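As an added example (not from the answer above, and not Ubuntu's own tooling), here is a small Python checker that classifies lines of `apt list apache-log4j2` output the way the answer's table does: it reads the release codename and version from each line, and compares the installed version against the USN-5192-1 fixed versions using a dpkg-style version ordering (so `2.10.0-2` sorts before `2.10.0-2ubuntu0.1`). The sample lines are constructed from the table, not taken from a real machine.

```python
import re

# Fixed versions per release, quoted from USN-5192-1 in the answer (codename -> first NOT vulnerable)
FIXED = {"bionic": "2.10.0-2ubuntu0.1", "focal": "2.15.0-0.20.04.1",
         "hirsute": "2.15.0-0.21.04.1", "impish": "2.15.0-0.21.10.1"}

def _order(c):
    # dpkg ordering for non-digit characters: '~' < end of string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare one fragment (upstream or revision) the way dpkg does: alternate non-digit
    # runs (ordering above) and digit runs (numeric, so 11 > 9 and 2 < 2ubuntu0.1).
    while a or b:
        ra, rb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(ra):], b[len(rb):]
        for i in range(max(len(ra), len(rb))):
            oa, ob = _order(ra[i:i + 1]), _order(rb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Return <0, 0 or >0 like 'dpkg --compare-versions' for [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

# One 'apt list' output line: package/codename[,suites] version arch [flags]
APT_LINE = re.compile(r"^apache-log4j2/(?P<codename>[a-z]+)\S* (?P<version>\S+) \S+"
                      r"(?: \[(?P<flags>[^\]]*)\])?$")

def check_apt_line(line):
    """Classify one line of 'apt list apache-log4j2' output the way the answer's table does."""
    m = APT_LINE.match(line.strip())
    if not m or "installed" not in (m.group("flags") or ""):
        return "not-installed"    # 'Listing... Done', no output, or available but not installed
    fixed = FIXED.get(m.group("codename"))
    if fixed is None:
        return "unknown-release"  # release not covered by USN-5192-1
    return "patched" if compare_versions(m.group("version"), fixed) >= 0 else "vulnerable"
```

Feed it the real output with `apt list apache-log4j2 | python3 -c 'import sys, checker; print([checker.check_apt_line(l) for l in sys.stdin])'` (assuming the block is saved as checker.py); any line other than "not-installed" or "patched" needs the `sudo apt update && sudo apt upgrade` the answer recommends.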
Score:0

Some applications embed log4j code into their own java files, and a simple filename or package scan will not find the embedded code. US-CERT has released a very nice scanner which looks inside .jar/.war/.ear files to find vulnerable log4j code. This scanner found two unrelated applications on our servers containing vulnerable log4j code. The US-CERT scanner can be found at: https://github.com/CERTCC/CVE-2021-44228_scanner
