0

Like many of us, I've been trying to following mitigation howtos, running various python scripts to test vulnerabilities of my server.

I have a few Ubuntu and Centos servers. None of them run LDAP or even have java installed, to the point where I can't even follow step 1 of many of the "test your server" articles.

Am I correct that the only other entry point of the vulnerability would be to install Java-specific software that utilizes the log4 component?

I'm racking my brain to think of anything that I'd install that is beyond the use of hosting websites: Apache, nginx, LetsEncrypt, fail2ban, php - those are the extent of the type of additional software that is installed.

Even a find / -name "*log4j* or find / -name "*.jar" comes up empty.

Creative Arc
  • 33
  • 5
  • We were writing the same question at about the same time but I got some better answers. In short no you are not safe. https://stackoverflow.com/questions/70353435/are-you-safe-from-log4j-cve-2021-44228-if-java-is-not-installed?noredirect=1#comment124381463_70353435 – Martin Feb 03 '22 at 16:03

1 Answers1

0

Log4j is a Java-based logging utility, the jars of them are called log4j-api-2.x.jar, log4j-core-2.x.jar etc. If you don't have them, you have with large probability no Log4j at all (excepting the obscure case compiling the classes statically or copy&pasted and renamed them to something else).

And yes, your assumption is correct - it is a module exclusively used by programs written in Java, and if you don't find any *.jar at all, it is highly unlikely that you have some of them.

sebres
  • 700
  • 4
  • 12