Is Ubuntu itself vulnerable to Log4shell?

We run different versions of Ubuntu OS (mostly ver 18 and 20), on MANY machines. My question; Is Ubuntu OS affected by the Log4shell vulnerability now reported in log4js? TIA


Generally, No. Only folks who have a specific java package installed might be vulnerable.

  • The deb package (apache-log4j2) is not part of a stock Ubuntu install. Most vulnerable systems run either webservers or java applications (like Minecraft servers). If you didn't install a server application, then you're unlikely to be affected by this vulnerability.

  • Most affected folks who installed the software using the deb package have already received a patch to close the vulnerability.

  • Ubuntu Security Podcast #142 discusses the CVE, and is definitely worth listening to! Thanks to the hard-working engineers on the Ubuntu Security Team, keeping our Ubuntu systems safe.

  • If you installed log4j2 as part of webserver or java application using a Snap package, check with the author of that snap for a security upgrade.

  • If you installed log4j2 as part of your webserver or java application some other way (Appimage, Flatpak, Pip, Brew, compiled, etc), then it's up to you to return to that source and find a patched version...or to read the CVE for manual mitigation settings.

  • If you have installed a whole software stack or platform consisting of many interrelated applications, then it's possible that the vulnerable software might be embedded in that stack. Consult the source you got it from.

From https://ubuntu.com/security/notices/USN-5192-1

Releases
Ubuntu 21.10 Ubuntu 21.04 Ubuntu 20.04 LTS Ubuntu 18.04 LTS

Packages
apache-log4j2 - Apache Log4j - Logging Framework for Java

...and...

Update instructions The problem can be corrected by updating your system to the following package versions:


Let's expand this a bit for deb package users:

How to tell if you are affected

Simply ask apt:

me@me:~$ apt list apache-log4j2

There are three possible results:

Listing... Done

me@me:~$      <-- No output at all. It's not installed.
                  You're not vulnerable.


apache-log4j2/focal,now 2.11.2-1 amd64  <-- It's available, but NOT installed.
                  You're not vulnerable.


apache-log4j2/focal,now 2.11.2-1 amd64 [installed] <-- It's installed
                  You MIGHT be vulnerable.

If you're not vulnerable, you can stop here.

If you MIGHT be vulnerable, the next thing to look at is the package version returned by that string.

Ubuntu 18.04
apache-log4j2/bionic,now 2.10.0-2 amd64 [installed]           Vulnerable
apache-log4j2/bionic,now 2.10.0-2ubuntu0.1 amd64 [installed]  NOT Vulnerable

Ubuntu 20.04
apache-log4j2/focal,now 2.11.2-1 amd64 [installed]            Vulnerable
apache-log4j2/focal,now 2.15.0-0.20.04.1 amd64 [installed]    NOT Vulnerable

Ubuntu 21.04
apache-log4j2/hirsute,now 2.13.3-1 amd64 [installed]          Vulnerable
apache-log4j2/hirsute,now 2.15.0-0.21.04.1 amd64 [installed]  NOT Vulnerable

Ubuntu 21.10
apache-log4j2/impish,now 2.13.3-1 amd64 [installed]           Vulnerable
apache-log4j2/impish,now 2.15.0-0.21.10.1 amd64 [installed]   NOT Vulnerable

The versions that are NOT Vulnerable have already been patched by the Ubuntu Security Team. Most folks have already received the patched version via Unattended Upgrades.

  • That's what Unattended Upgrades does! It installs security upgrades without bothering you.

If your system is Vulnerable, then simply sudo apt update and sudo apt upgrade to pull in the latest security upgrades.

About Snaps: It might be possible that an unpatched log4j2 dwells within some snap packages.

  • We probably won't know about it. Snap software audits, if any, are done by community members. An audit is not required to release a snap package.
  • The whole point of snap confinement is to prevent such vulnerabilities from threatening the entire system.
  • If you find a vulnerable snap package, file a bug report with the author!
  • Snapd checks for upgraded packages multiple times each day. If a vulnerable snap package gets patched, you'll have that patch within a few hours.