Log4Shell

Differences between revisions 26 and 36 (spanning 10 versions)
Revision 26 as of 2021-12-22 09:23:25
Size: 7648
Comment:
Revision 36 as of 2025-04-17 11:37:15
Size: 7256
Editor: lucistanescu
Comment: Migrated to main website
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
#DEPRECATED
#REFRESH 10 https://ubuntu.com/security/vulnerabilities/log4shell
Line 6: Line 9:
It was [[https://logging.apache.org/log4j/2.x/security.html | discovered]] that Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. A few other issues were discovered shortly after the original vulnerability and got assigned the following CVEs

It was [[https://logging.apache.org/log4j/2.x/security.html | discovered]] that Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. A few other issues were discovered shortly after the original vulnerability and got assigned different CVEs. The issues were fixed in Apache Log4j2 and Log4j1.2 for Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 21.04 and 21.10. To address the issue, ensure that the appropriate versions of the `apache-log4j2` or `apache-log4j1.2` source package are installed, as listed below:
Line 8: Line 11:
 * [[https://ubuntu.com/security/CVE-2021-44228|CVE-2021-44228]]: High

 * [[https://ubuntu.com/security/CVE-2021-45046|CVE-2021-45046]]: High

 * [[https://ubuntu.com/security/CVE-2021-45105|CVE-2021-45105]]: Medium
|| Timeline || Dec 10 || Dec 14 || Dec 14 || Dec 19 || Dec 28 ||
|| CVE || [[https://ubuntu.com/security/CVE-2021-44228|CVE-2021-44228]] || [[https://ubuntu.com/security/CVE-2021-45046|CVE-2021-45046]] || [[https://ubuntu.com/security/CVE-2021-4104|CVE-2021-4104]] || [[https://ubuntu.com/security/CVE-2021-45105|CVE-2021-45105]] || [[https://ubuntu.com/security/CVE-2021-44832|CVE-2021-44832]] ||
|| Package || apache-log4j2 || apache-log4j2 || apache-log4j1.2 || apache-log4j2 || apache-log4j2 ||
|| Priority || High || High || Medium || Medium || Medium ||
|| USN || [[https://ubuntu.com/security/notices/USN-5192-1|USN-5192-1]] || [[https://ubuntu.com/security/notices/USN-5197-1|USN-5197-1]] || [[https://ubuntu.com/security/notices/USN-5223-1|USN-5223-1]] || [[https://ubuntu.com/security/notices/USN-5203-1|USN-5203-1]] [[https://ubuntu.com/security/notices/USN-5222-1|USN-5222-1]] || [[https://ubuntu.com/security/notices/USN-5222-1|USN-5222-1]] ||
|| Trusty || Does not exist || Does not exist || 1.2.17-4ubuntu3+esm1 || Does not exist || Does not exist ||
|| Xenial || 2.4-2ubuntu0.1~esm1 || Not vulnerable || 1.2.17-7ubuntu1+esm1 || Needed || Needed ||
|| Bionic || 2.10.0-2ubuntu0.1 || Not vulnerable || 1.2.17-8+deb10u1ubuntu0.1 || 2.12.4-0ubuntu0.1 || 2.12.4-0ubuntu0.1 ||
|| Focal || 2.15.0-0.20.04.1 || 2.16.0-0.20.04.1 || 1.2.17-9ubuntu0.1 || 2.17.0-0.20.04.1 || 2.17.1-0.20.04.1 ||
|| Hirsute || 2.15.0-0.21.04.1 || 2.16.0-0.21.04.1 || 1.2.17-10ubuntu0.21.04.1 || 2.17.0-0.21.04.1 || 2.17.1-0.21.04.1 ||
|| Impish || 2.15.0-0.21.10.1 || 2.16.0-0.21.10.1 || 1.2.17-10ubuntu0.21.10.1 || 2.17.0-0.21.10.1 || 2.17.1-0.21.10.1 ||
|| Jammy || 2.15.0-1 || 2.16.0-1 || 1.2.17-11 || 2.17.0-1 || 2.17.1-1 ||
Line 15: Line 25:
In Ubuntu, Apache Log4j2 is packaged under the `apache-log4j2` source package.

## Versions section should include:
## - version fixed in upstream
## - version first introduced in upstream (if applicable)
## - version fixed in Ubuntu
## - reference to the USN
This issue was fixed in Apache Log4j2 in 2.15.0. Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 21.04 and 21.10 were affected. To address the issue, ensure that the appropriate versions of the `apache-log4j2` source package are installed, as listed below. These updates were announced in

 * [[https://ubuntu.com/security/notices/USN-5192-1|USN-5192-1]]

 * [[https://ubuntu.com/security/notices/USN-5197-1|USN-5197-1]]

 * [[https://ubuntu.com/security/notices/USN-5203-1|USN-5203-1]]
Line 31: Line 26:
==== Note on Apache Log4j 1.2 (CVE-2021-4104) vulnerability ====

A related issue was discovered in Log4j 1.2 and CVE-2021-4104 was assigned. Although related, this issue is not as severe as the other CVEs: it is not exploitable in default configurations, and it is not a remote code execution vulnerability.

For an environment to be vulnerable, an attacker would need write access to the log4j.properties configuration file to specifically enable the JMS Appender and configure it with a JNDI lookup to a third party server. If an attacker has write access to the log4j.properties configuration file, there are also other configuration options that can be used to perform code execution attacks. We therefore recommend configuration files be set with appropriate permissions to only permit being modified by trusted individuals.

This issue is tracked separately from the [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Log4Shell|Log4Shell vulnerability]]. You can find more information about this issue on the [[https://ubuntu.com/security/CVE-2021-4104|CVE-2021-4104 page]].

== Ubuntu ==

|| '''Release''' || '''apache-log4j2 Version''' ||
|| 21.10 || [[ https://launchpad.net/ubuntu/+source/apache-log4j2/2.15.0-0.21.10.1/ | apache-log4j2 2.15.0-0.21.10.1 ]] ||
|| 21.04 || [[ https://launchpad.net/ubuntu/+source/apache-log4j2/2.15.0-0.21.04.1/ | apache-log4j2 2.15.0-0.21.04.1 ]] ||
|| 20.04 LTS || [[ https://launchpad.net/ubuntu/+source/apache-log4j2/2.15.0-0.20.04.1/ | apache-log4j2 2.15.0-0.20.04.1 ]] ||
|| 18.04 LTS || [[ https://launchpad.net/ubuntu/+source/apache-log4j2/2.10.0-2ubuntu0.1/ | apache-log4j2 2.10.0-2ubuntu0.1 ]] ||
|| 16.04 LTS || [[ https://launchpad.net/ubuntu/+source/apache-log4j2/ | apache-log4j2 2.4-2ubuntu0.1~esm1 ]] ||
|| 14.04 LTS ||Under review||

----
NOTE: Since Apache Log4j2 2.15.0 is deemed binary compatible with previous versions, to remediate this vulnerability for Ubuntu versions >= 20.04 LTS, `apache-log4j2` was upgraded to the new upstream version 2.15.0. However, for Ubuntu 18.04 LTS to avoid the risk of regressions due to a larger upgrade of functionality from this new version, it was decided to remediate this vulnerability by removing the affected `java/org/apache/logging/log4j/core/lookup/JndiLookup` class entirely. This has the effect of disabling JNDI lookups for that release.
NOTE: Since Apache Log4j2 2.15.0 is deemed binary compatible with previous versions, to remediate this vulnerability for Ubuntu versions >= 20.04 LTS, `apache-log4j2` was upgraded to the new upstream version 2.15.0 or newer. However, for Ubuntu 18.04 LTS to avoid the risk of regressions due to a larger upgrade of functionality from this new version, it was decided to remediate this vulnerability by removing the affected `java/org/apache/logging/log4j/core/lookup/JndiLookup` class entirely. This has the effect of disabling JNDI lookups for that release.
Line 61: Line 37:
$ sudo ua fix CVE-2021-4104
Line 62: Line 39:
$ sudo ua fix CVE-2021-44832
Line 63: Line 41:

Remote code execution and other vulnerabilities in Apache Log4j 2 (Log4Shell)

It was discovered that Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. A few other issues were discovered shortly after the original vulnerability and got assigned different CVEs. The issues were fixed in Apache Log4j2 and Log4j1.2 for Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 21.04 and 21.10. To address the issue, ensure that the appropriate versions of the apache-log4j2 or apache-log4j1.2 source package are installed, as listed below:

|| Timeline || Dec 10 || Dec 14 || Dec 14 || Dec 19 || Dec 28 ||
|| CVE || CVE-2021-44228 || CVE-2021-45046 || CVE-2021-4104 || CVE-2021-45105 || CVE-2021-44832 ||
|| Package || apache-log4j2 || apache-log4j2 || apache-log4j1.2 || apache-log4j2 || apache-log4j2 ||
|| Priority || High || High || Medium || Medium || Medium ||
|| USN || USN-5192-1 || USN-5197-1 || USN-5223-1 || USN-5203-1 USN-5222-1 || USN-5222-1 ||
|| Trusty || Does not exist || Does not exist || 1.2.17-4ubuntu3+esm1 || Does not exist || Does not exist ||
|| Xenial || 2.4-2ubuntu0.1~esm1 || Not vulnerable || 1.2.17-7ubuntu1+esm1 || Needed || Needed ||
|| Bionic || 2.10.0-2ubuntu0.1 || Not vulnerable || 1.2.17-8+deb10u1ubuntu0.1 || 2.12.4-0ubuntu0.1 || 2.12.4-0ubuntu0.1 ||
|| Focal || 2.15.0-0.20.04.1 || 2.16.0-0.20.04.1 || 1.2.17-9ubuntu0.1 || 2.17.0-0.20.04.1 || 2.17.1-0.20.04.1 ||
|| Hirsute || 2.15.0-0.21.04.1 || 2.16.0-0.21.04.1 || 1.2.17-10ubuntu0.21.04.1 || 2.17.0-0.21.04.1 || 2.17.1-0.21.04.1 ||
|| Impish || 2.15.0-0.21.10.1 || 2.16.0-0.21.10.1 || 1.2.17-10ubuntu0.21.10.1 || 2.17.0-0.21.10.1 || 2.17.1-0.21.10.1 ||
|| Jammy || 2.15.0-1 || 2.16.0-1 || 1.2.17-11 || 2.17.0-1 || 2.17.1-1 ||


NOTE: Since Apache Log4j2 2.15.0 is deemed binary compatible with previous versions, to remediate this vulnerability for Ubuntu versions >= 20.04 LTS, apache-log4j2 was upgraded to the new upstream version 2.15.0 or newer. However, for Ubuntu 18.04 LTS to avoid the risk of regressions due to a larger upgrade of functionality from this new version, it was decided to remediate this vulnerability by removing the affected java/org/apache/logging/log4j/core/lookup/JndiLookup class entirely. This has the effect of disabling JNDI lookups for that release.
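The class removal described in the note above can be verified on any deployed jar. The following is an added example, not Ubuntu's packaging code: it looks for org/apache/logging/log4j/core/lookup/JndiLookup.class in a jar and, going beyond the note, inside jars nested in a war or fat jar, then reproduces the class-removal mitigation on a constructed sample jar (the sample jar, its war wrapper and the function names are this example's own; the class bytes are placeholders, not real bytecode).

```python
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_jndi_lookup(data: bytes, prefix: str = "") -> list:
    """Return every location of JndiLookup.class, descending into nested archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            where = f"{prefix}!{name}" if prefix else name
            if name == JNDI_CLASS:
                hits.append(where)
            elif name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                # fat jars and wars bundle log4j-core as a nested archive
                hits.extend(find_jndi_lookup(zf.read(name), where))
    return hits

def scan_file(path: str) -> list:
    with open(path, "rb") as fh:
        return find_jndi_lookup(fh.read())

def strip_jndi_lookup(jar_path: str) -> int:
    """Rewrite the jar without its JndiLookup.class entry; returns how many were removed."""
    buf, removed = io.BytesIO(), 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed += 1
            else:
                dst.writestr(item, src.read(item.filename))
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())
    return removed

def build_sample_jars(directory: str) -> tuple:
    """Constructed sample data: a fake log4j-core jar and a war that bundles it."""
    jar = os.path.join(directory, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode
    war = os.path.join(directory, "app.war")
    with zipfile.ZipFile(war, "w") as zf:
        zf.write(jar, "WEB-INF/lib/log4j-core-2.14.1.jar")
    return jar, war

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        jar, war = build_sample_jars(tmp)
        result = {"war": scan_file(war), "before": scan_file(jar)}
        result["removed"] = strip_jndi_lookup(jar)  # the Bionic-style mitigation
        result["after"] = scan_file(jar)
    return result
```

Removing the class only disables JNDI lookups; an upgrade to a fixed upstream release remains the complete fix where one is available.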


NOTE: Although the log4j component is included in the community-maintained repositories of Ubuntu (universe), given the criticality of the issue, Canonical is providing a fix for all Ubuntu releases that are under the standard support or ESM phase.


How to fix

Type in a terminal:

$ sudo ua fix CVE-2021-44228
$ sudo ua fix CVE-2021-45046
$ sudo ua fix CVE-2021-4104
$ sudo ua fix CVE-2021-45105
$ sudo ua fix CVE-2021-44832

Packages under investigation

There are a number of other packages under review which may also be affected, across multiple supported releases. These include (but are not limited to):

  • arduino
  • ec2-api-tools
  • r-cran-rcdklibs
  • jemboss

Other Canonical Products

MicroK8s

The following addons are potentially vulnerable, and are under further review:

  • Fluentd - deploys the ELK stack
  • Jaeger - uses Elasticsearch as backend
  • Kubeflow - uses Spark

Snaps

  • The Graylog snap has been updated to Graylog 3.3.16, which updates to log4j 2.16.0, and so is no longer vulnerable.

Log4j can be present in Snaps from a number of different sources:

  • There are no identified snaps that are consuming the log4j package as a staged package.
  • As we review other Debian packages that may also be affected, we will review these against Snaps as well (see above).
  • Snaps may also be consuming log4j as embedded code, or as an embedded jar. A review is ongoing to investigate any instances of this which may be vulnerable.

Charms

  • The Graylog charm consumes the Graylog snap, and so will automatically pick up the snap update above.
  • The Elasticsearch charm has been identified as vulnerable. We are working to remediate this.
  • The Logstash charm has been identified as vulnerable. We are working to remediate this.
  • The following Charms have been verified as not affected:
    • Anbox cloud
    • Charmed Openstack
    • Apache Flume
      • cs:apache-flume-hdfs
      • cs:apache-flume-kafka
      • cs:apache-flume-syslog
      • cs:trusty/apache-flume-hdfs
      • cs:trusty/apache-flume-twitter
      • cs:trusty/apache-flume-syslog
      • cs:trusty/apache-flume-kafka
    • Apache Solr

ROCKs

The following ROCKs have been identified to be safe:

  • redis
  • nginx
  • apache2
  • memcached
  • mysql
  • postgres
  • prometheus
  • prometheus-alertmanager
  • grafana
  • cortex
  • bind9
  • squid
  • telegraf

The following ROCKs are under further review:

  • cassandra

All other ROCKs are being further reviewed for embedded instances of log4j.

Timeline

  • 2021 Dec 09: Vulnerability is publicly known
  • 2021 Dec 13: Updated packages for Ubuntu 18.04 LTS, 20.04 LTS, 21.04 and 21.10 are released
  • 2021 Dec 14: USN-5192-1 is published, announcing the availability of updated packages
  • 2021 Dec 17: Added additional information on related packages, snaps, charms and ROCKs.

Other Resources

Web Application Firewall (WAF) rules can be added to aid with mitigation, per the following:


CategoryTemplate

SecurityTeam/KnowledgeBase/Log4Shell (last edited 2025-04-17 11:37:15 by lucistanescu)