Timmy

Gotten the word from a few friends now about this Log4J vulnerability.

My servers are not externally facing so I'm not concerned at the moment but interested to know.

Jeremy Davis

Great question, and considering the hype this vulnerability appears to be generating online, one that is good to answer explicitly.

I'm assuming that you are referring to the really recent Log4J vulnerability, CVE-2021-44228. And yes it's a nasty one! Log4j is one of (if not the) most popular logging libraries for Java. This vulnerability potentially allows a user to run arbitrary code on the server! Apparently it's been known about for a while in the Minecraft community as a way of hacking Minecraft servers. Minecraft runs on Java and uses Log4j for logging & chat logs show up in the logs, so anyone using Minecraft in-game text chat could hack the server!

On the plus side though, there are 2 things working in favour of TurnKey users. Firstly, it's not installed by default in any of the TurnKey appliances. So unless you've explicitly installed it in anything, you're fine. Secondly, even if you do have it installed (from the Debian repositories) then you should already have the patch installed (via the auto security updates)! The Debian Security Advisory (DSA) is DSA-5020-1 (or for v15.x/Debian 9/Stretch - Debian LTS Advisory DLA-2842-1). You can see the vulnerable versions via the Debian security tracker for CVE-2021-44228. Note that all of those refer to the source package name: "apache-log4j2", the related binary package (built from that source) is "liblog4j2-java". That is the one that you should check for (and if you have installed, be sure that it's updated).

To check whether you have an affected version of "liblog4j2-java", try this:

apt update
apt policy liblog4j2-java

Most (v16.x) users should get a response like this (v15.x users will get something similar but versions will be different; the fixed version is "2.7-2+deb9u1"):

liblog4j2-java:
  Installed: (none)
  Candidate: 2.15.0-1~deb10u1
  Version table:
     2.15.0-1~deb10u1 500
        500 http://security.debian.org buster/updates/main amd64 Packages
     2.11.1-2 500
        500 http://deb.debian.org/debian buster/main amd64 Packages

The above output shows that I don't have it installed, but if I did, then I would get "2.15.0-1~deb10u1" (which is patched against CVE-2021-44228). Note that you can see the vulnerable version ("2.11.1-2") still available via the main repository.

It should also be noted that it may be necessary to restart any related services. If you are unsure, a reboot will restart all services.
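As an added example (my own code, not the post's or TurnKey's/Debian's), here is the same "apt policy" check scripted in Python for the case where you have a handful of servers to go through. It parses the apt policy output quoted above, ports dpkg's version ordering so that "2.15.0-1~deb10u1" counts as at or above the fixed version while "2.11.1-2" counts as below it (the tilde and numeric digit runs are the parts a naive string comparison gets wrong), and returns a verdict. The fixed versions used are the ones named in the post for DSA-5020-1 and DLA-2842-1; the second sample output, with the old version installed, is constructed.

```python
# Added example (not TurnKey/Debian code): reproduce the post's `apt policy`
# check in Python with a port of dpkg's version ordering. Fixed versions are
# the ones quoted in the post for DSA-5020-1 (buster) and DLA-2842-1 (stretch).
import subprocess
from typing import Optional, Tuple

FIXED_VERSIONS = {"buster": "2.15.0-1~deb10u1",   # DSA-5020-1 (TurnKey v16.x)
                  "stretch": "2.7-2+deb9u1"}      # DLA-2842-1 (TurnKey v15.x)

# `apt policy liblog4j2-java` output copied from the post (package not installed).
SAMPLE_NOT_INSTALLED = """\
liblog4j2-java:
  Installed: (none)
  Candidate: 2.15.0-1~deb10u1
  Version table:
     2.15.0-1~deb10u1 500
        500 http://security.debian.org buster/updates/main amd64 Packages
     2.11.1-2 500
        500 http://deb.debian.org/debian buster/main amd64 Packages
"""
# Constructed variant: old main-repo version installed, security update not yet applied.
SAMPLE_VULNERABLE = SAMPLE_NOT_INSTALLED.replace("Installed: (none)", "Installed: 2.11.1-2")

def _order(c: str) -> int:
    """dpkg weight of a character outside a digit run: '~' sorts before everything
    (even end of string), letters by code point, other punctuation after letters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does."""
    def ch(s, k): return s[k] if k < len(s) else ""    # "" past the end, like C's NUL
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))   # non-digit segment, char by char
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0":                            # digit segment: drop leading zeros,
            i += 1                                        # longer run wins, else first differing digit
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v: str) -> Tuple[int, str, str]:
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision); missing -> 0 / ''."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else revision), (revision if sep else "")

def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b, in Debian version order."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def parse_apt_policy(text: str) -> Tuple[Optional[str], Optional[str]]:
    """(installed, candidate) from `apt policy` output; '(none)' becomes None."""
    found = {"Installed": None, "Candidate": None}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key in found:
            found[key] = None if value.strip() == "(none)" else value.strip()
    return found["Installed"], found["Candidate"]

def assess(installed: Optional[str], fixed: str) -> str:
    """Verdict for one host: 'not installed', 'patched' or 'VULNERABLE'."""
    if installed is None:
        return "not installed"
    return "patched" if compare_versions(installed, fixed) >= 0 else "VULNERABLE"

def live_check(package: str = "liblog4j2-java", fixed: str = FIXED_VERSIONS["buster"]) -> str:
    """Run `apt policy` on this host (Debian-based systems only) and assess the result."""
    out = subprocess.run(["apt", "policy", package], capture_output=True, text=True, check=False)
    return assess(parse_apt_policy(out.stdout)[0], fixed)

if __name__ == "__main__":
    for label, sample in (("post sample", SAMPLE_NOT_INSTALLED), ("constructed", SAMPLE_VULNERABLE)):
        installed, _ = parse_apt_policy(sample)
        print(f"{label}: installed={installed} -> {assess(installed, FIXED_VERSIONS['buster'])}")
    try:
        print("this host:", live_check())
    except FileNotFoundError:      # no apt here (not a Debian-based system)
        print("this host: apt not available")
```

Run it on a v16.x box and the last line is the verdict for that host; pass FIXED_VERSIONS["stretch"] to live_check() on v15.x. The verdict only tells you the package state, so the restart-or-reboot step above still applies once an update has gone in.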

Timmy

I'm assuming that you are referring to the really recent Log4J vulnerability, CVE-2021-44228. And yes it's a nasty one!

Yep. Bunch of friends know I run personal servers so I've been inundated with messages about it.

On the plus side though, there are 2 things working in favour of TurnKey users. Firstly, it's not installed by default in any of the TurnKey appliances. So unless you've explicitly installed it in anything, you're fine.

Nice.

Exciting times. Guess we'll see what the fallout of this will be in the coming months for everyone else.
