Apache Log4j: remote code execution vulnerability

See the full post here ➡️ https://ubuntu.com//blog/log4j-vulnerability-2021

Excerpt below:

A high-impact vulnerability was discovered in Apache Log4j 2, a widely deployed software component that many Java applications use for logging. An attacker who can control the log messages or their parameters can cause the application to execute arbitrary code. In Ubuntu, Apache Log4j 2 is packaged under the apache-log4j2 source package, which has already been patched to address this vulnerability, as detailed in USN-5192-1 (Dec 14) and USN-5197-1 (Dec 15).

Look out for Apache Log4j 2 package usage

However, the widespread use of Apache Log4j 2, together with the Java platform’s packaging conventions, has made addressing this vulnerability non-trivial for the security industry as a whole. The software is present in Ubuntu as a packaged component, but separate copies are also often bundled directly inside popular applications. These bundled copies are what make it difficult to determine whether a particular application or system is vulnerable. Teams have to examine each application individually, either by “unbundling” it or by using software bills of materials and manifests. Updating only the Ubuntu-packaged version of this component is likely not sufficient to ensure that all applications which use Apache Log4j 2 are remediated.

Recommendation

We recommend that our users and customers get the latest software security updates from Canonical and verify that any third-party Java software they are using is not bundling the log4j packages.
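One way to do the "unbundling" check described above is to open each application archive and look inside nested JAR/WAR/EAR files for a copy of log4j-core. The sketch below is an added example, not code from the original post or from Canonical. It relies on log4j-core's standard Maven metadata path and its JndiLookup class path, and it only reports the bundled version it finds, so compare that against the relevant advisories.

```python
import io
import sys
import zipfile

# Well-known paths inside log4j-core; their presence marks a bundled copy.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _version(zf):
    """Return the version= value from log4j-core's pom.properties, if present."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, label, depth=0, max_depth=5):
    """Recursively scan archive bytes; return (path, version, has_jndi_lookup) hits."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or corrupt): nothing to report
    with zf:
        names = set(zf.namelist())
        version = _version(zf)
        has_jndi = JNDI_CLASS in names
        # Also catches shaded "uber-jars" where the classes sit in the outer archive.
        if version is not None or has_jndi:
            hits.append((label, version, has_jndi))
        if depth < max_depth:  # bound recursion into nested archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXTS):
                    hits += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return hits


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for where, ver, jndi in scan_archive(fh.read(), path):
                print(f"{where}: log4j-core version={ver or 'unknown'} JndiLookup={'present' if jndi else 'absent'}")
```

Run it with one or more archive paths as arguments. A hit with no version means the Maven metadata was stripped or relocated, so that archive needs manual inspection.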

...

