
Log4Shell: Log4j remote code execution vulnerability

A high-impact vulnerability was discovered in Apache Log4j 2, a widely deployed software component that many Java applications use for logging. An attacker who can control log messages or their parameters can cause the application to execute arbitrary code. In Ubuntu, Apache Log4j 2 is packaged under the apache-log4j2 source package, which has already been patched to address this vulnerability, as detailed in USN-5192-1 (Dec 14) and USN-5197-1 (Dec 15). This vulnerability has been assigned CVE-2021-44228 and CVE-2021-45046.

To ensure your Ubuntu system is not vulnerable, type the following commands in a terminal:

$ sudo ua fix CVE-2021-44228
$ sudo ua fix CVE-2021-45046

Look out for Apache Log4j 2 package usage

The widespread use of the Apache Log4j 2 package, together with the Java platform’s packaging conventions, has made addressing this vulnerability non-trivial for the security industry as a whole. The software is present in Ubuntu as a packaged component, but separate copies of it are also often bundled directly in popular applications. The bundled copies in particular make it quite difficult to determine whether a given application or system is vulnerable. Teams have to examine each application individually, either by “unbundling” it or by using software bills of materials and manifests. Updating only the Ubuntu packaged version of this software component is likely not sufficient to ensure that all applications which use Apache Log4j 2 are remediated.
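One way to "unbundle" applications in bulk, as an added example that is not from the original post or from Canonical: the script below walks a directory, opens every JAR/WAR/EAR (including archives nested inside other archives) and reports each one that carries log4j-core's JndiLookup class. The sample fat JAR and its file names are constructed for illustration.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class shipped in log4j-core 2.x; its presence marks a bundled copy of the library.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label):
    """Return the label of every (possibly nested) archive containing JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable or not really an archive: nothing to report
    with zf:
        for name in zf.namelist():
            if name.endswith(JNDI_LOOKUP):
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Recurse into bundled archives, e.g. BOOT-INF/lib or WEB-INF/lib.
                hits += scan_archive(zf.read(name), f"{label}!/{name}")
    return hits

def scan_tree(root):
    """Scan every archive file found under the directory `root`."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits += scan_archive(path.read_bytes(), str(path))
    return hits

def make_sample_fat_jar():
    """Constructed sample: an application JAR bundling a log4j-core JAR."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("com/example/App.class", b"")
        zf.writestr("BOOT-INF/lib/log4j-core-2.x.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A hit shows where a log4j-core copy is bundled; its version still has to be checked, and copies relocated under a renamed package path are not matched.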


Recommendation

We recommend that our users and customers get the latest software security updates from Canonical and verify that any third-party Java software they are using is not bundling the log4j packages. To find more information about Canonical products, visit this continuously updated page.

More information about the vulnerability

Ubuntu Server Admin
