Log4Shell
Remote code execution in Apache Log4j 2 (CVE-2021-44228 aka Log4Shell)
It was discovered that the Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters (for example via a request header that the application logs) can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
In Ubuntu, Apache Log4j2 is packaged under the apache-log4j2 source package.
This issue was fixed upstream in Apache Log4j2 2.15.0; that fix was later found to be incomplete (CVE-2021-45046) and is completed in 2.16.0. Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 21.04 and 21.10 were affected. To address the issue, ensure that an appropriate version of the apache-log4j2 source package is installed, as listed below. These updates were announced in USN-5192-1 and USN-5197-1.
Release | apache-log4j2 Version
21.10 |
21.04 |
20.04 LTS |
18.04 LTS |
16.04 ESM |
14.04 ESM | Under review
NOTE: Since Apache Log4j2 2.15.0 is deemed binary compatible with previous versions, for Ubuntu 20.04 LTS and later apache-log4j2 was upgraded to the new upstream version 2.15.0. For Ubuntu 18.04 LTS, to avoid the risk of regressions from a much larger upgrade in functionality, the vulnerability was instead remediated by removing the affected java/org/apache/logging/log4j/core/lookup/JndiLookup class from the package entirely. This has the effect of disabling JNDI lookups for that release: a ${jndi:...} lookup can no longer be resolved, so no remote endpoint is contacted. A consequence worth knowing is that the 18.04 package keeps its pre-2.15.0 version string, so scanners that judge exposure by version number alone will report it as vulnerable; checking for the presence of the JndiLookup class is the reliable test.
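The class-removal approach above can be verified, and reproduced for an application that ships its own copy of log4j-core instead of using the distro package, by inspecting the jar's entries rather than its version string. The Python below is an added example for this page, not Ubuntu's packaging code: it reads the log4j-core version from the jar's Maven pom.properties, checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present, and writes a copy with that entry removed. The jar it scans is constructed in memory by make_demo_jar (with fake class bytes) so the script runs offline; assess_path is the hook for scanning real jars. The version threshold is 2.16.0 rather than 2.15.0 because 2.15.0 left CVE-2021-45046 open.

```python
"""Check a jar for log4j-core's JndiLookup class and strip it, mirroring the
class-removal remediation described for Ubuntu 18.04 LTS.

Added example for this page, not Ubuntu packaging code. The jar it inspects
is constructed in memory (make_demo_jar) so the script runs offline; point
assess_path() at a directory of real jars to use it."""
from __future__ import annotations

import io
import re
import zipfile
from pathlib import Path
from typing import Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# 2.15.0 fixes CVE-2021-44228, but 2.16.0 is needed to cover CVE-2021-45046 too.
FIXED_IN = (2, 16, 0)


def log4j_core_version(jar_bytes: bytes) -> Optional[str]:
    """Version from Maven's pom.properties; None for shaded jars that lack it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def parse_version(version: str) -> tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); pre-release suffixes are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the class is present, whatever the jar is named or versioned."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(jar_bytes: bytes) -> tuple[bytes, int]:
    """Copy of the jar without JndiLookup.class, plus how many entries were dropped."""
    out = io.BytesIO()
    removed = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))  # keeps name, date, method
    return out.getvalue(), removed


def assess(jar_bytes: bytes) -> dict:
    """Classify by class presence first, version second."""
    version = log4j_core_version(jar_bytes)
    present = has_jndi_lookup(jar_bytes)
    if not present:
        status = "jndi-lookup-removed"   # e.g. the Ubuntu 18.04 LTS package
    elif version is not None and parse_version(version) >= FIXED_IN:
        status = "patched"
    else:
        status = "vulnerable"            # includes unknown version + class present
    return {"version": version, "jndi_lookup_present": present, "status": status}


def assess_path(root: str) -> dict[str, dict]:
    """Assess every *.jar under root; also catches log4j-core shaded into other jars."""
    return {str(p): assess(p.read_bytes()) for p in Path(root).rglob("*.jar")}


def make_demo_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar; the .class payloads are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_demo_jar("2.14.1")
    print("before:", assess(jar))
    fixed, n = strip_jndi_lookup(jar)
    print(f"removed {n} entry; after:", assess(fixed))
```

Because it keys on the class entry, the check also finds log4j-core shaded into an application's fat jar, where pom.properties may be absent and the version comes back as None; such a jar is reported as vulnerable rather than unknown, which is the safe default. Stripping the class only disables JNDI lookups; it does not change the reported version, which is exactly the false positive a version-only scanner produces for the 18.04 package.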
CVEs
Ubuntu
How to fix
Type in a terminal:
$ sudo ua fix CVE-2021-44228
$ sudo ua fix CVE-2021-45046
Packages under investigation
There are a number of other packages under review which may also be affected, across multiple supported releases. These include (but are not limited to):
- arduino
- ec2-api-tools
- r-cran-rcdklibs
- jemboss
Other Canonical Products
MicroK8s
The following addons are potentially vulnerable, and are under further review:
- Fluentd - deploys the ELK stack
- Jaeger - uses Elasticsearch as backend
- Kubeflow - uses Spark
Snaps
- The Graylog snap has been updated to Graylog 3.3.16, which updates to log4j 2.16.0, and so is no longer vulnerable.
Log4j can be present in Snaps from a number of different sources:
- There are no identified snaps that are consuming the log4j package as a staged package.
- As we review other debian packages that may also be affected, we will review these against Snaps as well (see above).
- Snaps may also be consuming log4j as embedded code, or as an embedded jar. A review is ongoing to investigate any instances of this which may be vulnerable.
Charms
- The Graylog charm consumes the Graylog snap, and so will automatically pick up the snap update above.
- The Elasticsearch charm has been identified as vulnerable. We are working to remediate this.
- The Logstash charm has been identified as vulnerable. We are working to remediate this.
- The following Charms have been verified as not affected:
  - Anbox cloud
  - Charmed Openstack
  - Apache Flume
    - cs:apache-flume-hdfs
    - cs:apache-flume-kafka
    - cs:apache-flume-syslog
    - cs:trusty/apache-flume-hdfs
    - cs:trusty/apache-flume-twitter
    - cs:trusty/apache-flume-syslog
    - cs:trusty/apache-flume-kafka
  - Apache Solr
ROCKs
The following ROCKs have been identified to be safe:
- redis
- nginx
- apache2
- memcached
- mysql
- postgres
- prometheus
- prometheus-alertmanager
- grafana
- cortex
- bind9
- squid
- telegraf
The following ROCKs are under further review:
- cassandra
All other ROCKs are being further reviewed for embedded instances of log4j.
Timeline
- 2021 Dec 09: Vulnerability is publicly known
- 2021 Dec 13: Updated packages for Ubuntu 18.04 LTS, 20.04 LTS, 21.04 and 21.10 are released
- 2021 Dec 14: USN-5192-1 is published, announcing the availability of updated packages
- 2021 Dec 17: Added additional information on related packages, snaps, charms and ROCKs.
Other Resources
Web Application Firewall (WAF) rules can be added to aid with mitigation. Treat them as defence in depth only: the lookup syntax can be obfuscated (for example by building the string from nested ${lower:...} or ${::-...} lookups so that the literal text ${jndi: never appears in the request), which evades simple pattern matches, so patching or removing the JndiLookup class remains the primary fix. Rule sets are available per the following: