What is the Log4j RCE Vulnerability?

Linode Staff

I've been hearing a lot about a new vulnerability in Apache. What is it and how can I mitigate this?

4 Replies

Hi there,

It has come to light that specific versions of the popular Apache Log4j utility are vulnerable to remote code execution (RCE). If you are using Log4j, you should update to version 2.15.0 as soon as possible. The latest version can be found at the Apache Log4j download page:

If you are unable to upgrade to version 2.15, then as per the National Vulnerability Database, you will want to make an adjustment to your system configuration as follows:

In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true".

For more information please review Apache's security release:

I hope this information helps!

-- BD.

As the question refers to this as a "new vulnerability in Apache", I think it might be helpful to also make it abundantly clear that this vulnerability has no relation to Apache httpd at all.

This is purely about the very popular logging component for Java software named log4j (also by the Apache Software Foundation).

The implication being that a lot of Java-based software inherits this vulnerability because of how common it is to use log4j.

TL;DR
Whether you use log4j yourself or not, investigate any Java-based software that you have installed.
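Both replies come down to the same two checks: find out which Java software on the box carries log4j, and compare the log4j-core version against 2.15.0, the fixed release named in the first reply. The script below is an added example, not code from either answer or from the Apache project. It walks a directory tree for log4j-core JARs, reads the version from the file name, flags anything below 2.15.0 and, when unzip is installed, notes whether the JAR still contains JndiLookup.class. The file-name convention `log4j-core-<version>.jar` and the directory to scan are assumptions.

```sh
#!/bin/sh
# Added example (not from the answers above): locate log4j-core JARs under a
# directory tree and flag any version below 2.15.0, the fixed release named in
# the first reply. Assumes POSIX sh and find; unzip is optional and only used
# to check whether a JAR still contains JndiLookup.class.

FIXED_VERSION="2.15.0"

# version_lt A B: exit 0 when dotted version A is lower than B, 1 otherwise.
# Compares numerically field by field (sort -V is not POSIX); a non-numeric
# suffix such as "-rc1" is ignored.
version_lt() {
    a="$1"; b="$2"
    if [ "$a" = "$b" ]; then return 1; fi
    i=1
    while :; do
        pa=$(printf '%s\n' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        pb=$(printf '%s\n' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        # Ran out of fields on both sides: the versions are equal.
        if [ -z "$pa" ] && [ -z "$pb" ]; then return 1; fi
        pa=${pa:-0}; pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then return 0; fi
        if [ "$pa" -gt "$pb" ]; then return 1; fi
        i=$((i + 1))
    done
}

# jar_version PATH: print the version from a log4j-core-<version>.jar filename
# (assumed naming convention); exit 1 and print nothing for any other file.
jar_version() {
    base=$(basename "$1")
    case "$base" in
        log4j-core-*.jar)
            v=${base#log4j-core-}
            printf '%s\n' "${v%.jar}"
            ;;
        *) return 1 ;;
    esac
}

# has_jndi_lookup JAR: exit 0 when the JAR still contains JndiLookup.class (the
# class that performs JNDI lookups), 1 when it does not or the file cannot be
# read as a zip, 2 when unzip is not installed.
has_jndi_lookup() {
    command -v unzip >/dev/null 2>&1 || return 2
    unzip -l "$1" 2>/dev/null | grep -q 'JndiLookup.class'
}

# scan_dir DIR: print "<path> <version> VULNERABLE|OK[ jndi-class-present]" for
# every log4j-core JAR under DIR. This matches file names only; a shaded JAR or
# a WAR that bundles log4j under another name is not found this way.
scan_dir() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        v=$(jar_version "$jar") || continue
        if version_lt "$v" "$FIXED_VERSION"; then
            status=VULNERABLE
        else
            status=OK
        fi
        extra=""
        if has_jndi_lookup "$jar"; then extra=" jndi-class-present"; fi
        printf '%s %s %s%s\n' "$jar" "$v" "$status" "$extra"
    done
}

# Usage: sh log4j-scan.sh /opt   (with no argument only the functions are defined)
if [ $# -gt 0 ]; then
    scan_dir "$1"
fi
```

Run it against `/` for a full sweep or a narrower path such as `/opt` for a single application, and compare the result with each application's own dependency list, since bundled or renamed copies of log4j will not show up by file name. Where an upgrade has to wait, the NVD mitigation quoted in the first reply is applied on the JVM command line as `-Dlog4j2.formatMsgNoLookups=true`, on the releases that guidance covers.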

Do I need to take any steps with my Linode account? Does it use Log4j?

Do I need to take any steps with my Linode account?

Probably not.

Does it use Log4j?

Not unless you installed it and set it up…

-- sw
