Log4Shell: Log4j remote code execution vulnerability

Canonical

on 16 December 2021

Tags: Java , Security , Ubuntu Server , Vulnerabilities

This article was last updated 4 years ago.

Last updated on 18th January 2022 to include the latest vulnerability updates.

A high impact vulnerability was discovered in Apache Log4j 2, a widely deployed software component used by a lot of Java applications to facilitate logging. An attacker who can control the log messages or their parameters can cause the application to execute arbitrary code. The initial vulnerability announcement resulted to the discovery a family of vulnerabilities in log4j within December 2021 that were assigned CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-44832 and CVE-2021-45105.

In Ubuntu, Apache Log4j2 is packaged under the apache-log4j2 source package – this has been patched to include fixes as detailed in USN-5192-1 (released Dec 14) and USN-5197-1 (released Dec 15), USN-5222-1 (released Jan 11), USN-5223-1 (released Jan 12). To apply all available fixes to your Ubuntu system type the following commands in a terminal:

$ sudo ua fix CVE-2021-44228
$ sudo ua fix CVE-2021-45046
$ sudo ua fix CVE-2021-4104
$ sudo ua fix CVE-2021-45105
$ sudo ua fix CVE-2021-44832

Look out for Apache Log4j 2 package usage

The widespread use of the Apache Log4j 2 package, as well as the Java platform’s packaging conventions, have made addressing that vulnerability (by the security industry as a whole) non-trivial. The reason is that this software is not only present in Ubuntu as a packaged component, but separate copies of this software are also often bundled directly in popular applications. In particular, the latter is what makes the task of determining whether a particular application or system is vulnerable quite difficult. Teams have to examine each application individually to find whether applications are vulnerable by “unbundling” them, or by using software bills of materials and manifests. Just updating the Ubuntu packaged version of this software component is likely not sufficient to ensure that all applications which use Apache Log4j 2 are remediated.

Recommendation

We recommend that our users and customers get the latest software security updates from Canonical and verify that any 3rd party Java software they are using is not bundling the log4j packages. To find more information about which Canonical products are affected visit this continuously updated page.

More information about the vulnerability

Ubuntu Server

Scale out with Ubuntu Server

Ubuntu Server brings economic and technical scalability to your data centre, public or private cloud.

Whether you want to deploy an OpenStack cloud, a Kubernetes cluster or a 50,000-node render farm, Ubuntu Server delivers the best value scale-out performance available.

Explore Ubuntu Server ›

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

AppArmor vulnerability fixes available

Qualys discovered several vulnerabilities in the AppArmor code of the Linux kernel. These are being referred to as CrackArmor, while CVE IDs are in the...

How to manage Ubuntu fleets using on-premises Active Directory and ADSys

The “hybrid fleet” is today’s reality: organizations diversify operating systems while Microsoft Active Directory (AD) remains the dominant identity “source...

How to Harden Ubuntu SSH: From static keys to cloud identity

30 years after its introduction, Secure Shell (SSH) remains the ubiquitous gateway for administration, making it a primary target for brute force attacks and...