Timmy - Sat, 2021/12/11 - 22:11
Gotten the word from a few friends now about this Log4J vulnerability.
My servers are not externally facing so I'm not concerned at the moment but interested to know.
Shouldn't be an issue for TurnKey users.
Great question, and considering the hype this vulnerability appears to be generating online, one that is good to answer explicitly.
I'm assuming that you are referring to the really recent Log4J vulnerability, CVE-2021-44228. And yes it's a nasty one! Log4j is one of (if not the) most popular logging libraries for Java. This vulnerability potentially allows a user to run arbitrary code on the server! Apparently it's been known about for a while in the Minecraft community as a way of hacking Minecraft servers. Minecraft runs on Java and uses Log4j for logging & chat logs show up in the logs, so anyone using Minecraft in-game text chat could hack the server!
On the plus side though, there are 2 things working in favour of TurnKey users. Firstly, it's not installed by default in any of the TurnKey appliances. So unless you've explicitly installed it in anything, you're fine. Secondly, even if you do have it installed (from the Debian repositories) then you should already have the patch installed (via the auto security updates)! The Debian Security Advisory (DSA) is DSA-5020-1 (or for v15.x/Debian 9/Stretch - Debian LTS Advisory DLA-2842-1). You can see the vulnerable versions via the Debian security tracker for CVE-2021-44228. Note that all of those refer to the source package name: "apache-log4j2"; the related binary package (built from that source) is "liblog4j2-java". That is the one that you should check for (and if you have installed, be sure that it's updated).
To check whether you have an affected version of "liblog4j2-java", try this:
Most (v16.x) users should get a response like this (v15.x users will get something similar but versions will be different; the fixed version is "2.7-2+deb9u1"):
The above output shows that I don't have it installed, but if I did, then I would get "2.15.0-1~deb10u1" (which is patched against CVE-2021-44228). Note that you can see the vulnerable version ("2.11.1-2") still available via the main repository.
It should also be noted that it may be necessary to restart any related services. If you are unsure, a reboot will restart all services.
Hurray for Turnkey users
Yep. Bunch of friends know I run personal servers so I've been inundated with messages about it.
Nice.
Exciting times. Guess we'll see what the fallout of this will be in the coming months for everyone else.