How to test if your Linux server is vulnerable to Log4j

Log4j is a serious vulnerability that has swept across the IT landscape quickly. Here’s a single command you can run to test and see if you have any vulnerable packages installed.

The Log4j vulnerability is serious business. This zero-day flaw affects the Log4j library and can allow an attacker to execute arbitrary code on a system that depends on Log4j to write log messages.

This vulnerability carries the maximum CVSS score of 10.0, so you need to pay attention. One of the big problems is knowing whether you’re vulnerable, and that is complicated by the many ways Log4j can be deployed. Are you using it as part of a Java project? Is it rolled into a container? Did you install it with your distribution’s package manager, and if so, which log4j packages did you install? Or did you build it from source? Because of this, you might not even know whether your server is vulnerable.

Fortunately, for Linux servers, GitHub user Rubo77 created a script that checks for installed packages that include vulnerable Log4j instances. It’s in beta and not 100% reliable, but it’s a good place to start. Note that this script does not check for jar files bundled with applications, so treat it as nothing more than a launching point for your own investigation.

I tested this script against a server that I knew had a vulnerable Log4j package installed, and it correctly tagged it. Here’s how you can run that same script on your Linux servers to find out if you might be vulnerable. Log into your server and issue the command:

wget -q -O - | bash

The output of the command gives you some indication of whether your server is vulnerable. As you can see (Figure A), my instance includes liblog4j2-java version 2.11.2-1, which includes the vulnerability. In that case, I should immediately upgrade to 2.15.0. If that version is not yet available from your distribution, the problem will persist until the package is patched.

Figure A: My test server is vulnerable to the Log4j issue.

Remember, this script is not a guarantee, but a good place to start. Even if it comes back to say your server is not vulnerable, keep digging to make sure you’ve updated every necessary package to avoid getting hit by this vulnerability.
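The following is an added example, not Rubo77’s script and not code from TechRepublic. It performs the same kind of package-manager check locally, comparing any Log4j 2 package against the 2.15.0 fixed release named above, and it adds a scan for log4j-core-<version>.jar files on disk, which is the gap noted above for application-bundled jars. It assumes a Debian (dpkg-query) or RPM (rpm) system, that the jar’s file name carries its version (a repacked or shaded jar will not be found this way), and the sample package lines it runs on by default are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the article's or Rubo77's script): flag Log4j 2 packages
# below the fixed release named in the article, and scan directories for
# log4j-core-*.jar files that a package-manager check does not see.

FIXED_VERSION="2.15.0"   # first fixed release named in the article
tab=$(printf '\t')

# Constructed sample of `dpkg-query -W -f '${Package}\t${Version}\n'` output,
# modelled on the package/version the article shows (liblog4j2-java 2.11.2-1).
SAMPLE_PACKAGES=$(printf 'liblog4j2-java\t2.11.2-1\nliblog4j1.2-java\t1.2.17-9\nlibfoo-java\t1.0-1\n')

# upstream_version 2.11.2-1 -> 2.11.2 (drops the distro revision suffix)
upstream_version() { printf '%s' "${1%%-*}"; }

# version_lt A B: succeeds when A sorts strictly before B (GNU sort -V).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# classify NAME VERSION: prints one tab-separated result line.
classify() {
  up=$(upstream_version "$2")
  if version_lt "$up" "$FIXED_VERSION"; then
    printf '%s\t%s\tVULNERABLE (below %s)\n' "$1" "$2" "$FIXED_VERSION"
  else
    printf '%s\t%s\tok (%s or later)\n' "$1" "$2" "$FIXED_VERSION"
  fi
}

# check_log4j_packages: reads "package<TAB>version" lines on stdin.
# Only Log4j 2 packages are compared against FIXED_VERSION; other log4j-named
# packages (the 1.x line) are listed for manual review, since the 2.15.0
# comparison does not apply to them.
check_log4j_packages() {
  while IFS="$tab" read -r pkg ver; do
    case "$pkg" in
      *log4j2*) classify "$pkg" "$ver" ;;
      *log4j*)  printf '%s\t%s\tREVIEW (not a Log4j 2 package)\n' "$pkg" "$ver" ;;
    esac
  done
}

# scan_jars DIR...: finds log4j-core-<version>.jar files under the given
# directories and classifies each by the version embedded in its file name.
scan_jars() {
  find "$@" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r path; do
    name=${path##*/}
    ver=${name#log4j-core-}
    ver=${ver%.jar}
    classify "$path" "$ver"
  done
}

main() {
  if [ $# -eq 0 ]; then
    # No directories given: demo run on the constructed sample only.
    printf '%s\n' "$SAMPLE_PACKAGES" | check_log4j_packages
    return 0
  fi
  # Live run: query whichever package manager exists, then scan the given dirs.
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Package}\t${Version}\n' 2>/dev/null | check_log4j_packages
  fi
  if command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\n' 2>/dev/null | check_log4j_packages
  fi
  scan_jars "$@"
}

main "$@"
```

Run it with no arguments to see the classification on the constructed sample; run it as `sh check-log4j.sh /opt /srv /usr/share` (a hypothetical file name) to query the real package database and scan those directories for log4j-core jars. A clean result still only covers what the package manager and file names reveal, so a jar with a renamed or stripped version string needs a separate look.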

Open source year in review: 2021

This year, we saw a Vizio lawsuit, Truth Social code, CentOS clones, Apple M1 and Linux on Mars. Jack Wallen takes a look back at some major developments that happened for Linux and open source.

The year 2021 won’t go down as the year Linux finally conquered the desktop, although it did inch a bit closer to that reality, thanks to some incredible new distribution releases. Even so, it was a pretty amazing year for Linux and open source, one that should serve as a launching point for even greater things to come.

Let’s take a stroll down Memory Lane to recall some of the more important moments within the realm of open source in 2021.

Vizio lawsuit

The Software Freedom Conservancy sued Vizio for abusing the GPL by using software like BusyBox, U-Boot, bash, gawk and tar within SmartCast OS while failing to release the corresponding source code, which puts Vizio in breach of the GPL. Instead of rectifying the situation, Vizio filed a request to have the case removed from the California State Court. To make matters worse, Vizio went one step further and asked the California court to agree that consumers not only have no right to ask to be supplied with source code, but that residents of the state have no right to ask the court to consider the question. In effect, Vizio is saying anyone who purchases its SmartCast OS-powered TVs has no right to the source code, or even to request it from the company or the court. Clearly, Vizio has no idea how open source works.

Trump’s Truth Social violates open-source license

Speaking of license violations, the beta of Donald Trump’s rumored Truth Social platform was discovered to violate the AGPLv3 open-source license. It turned out the site used code from the popular open-source Mastodon project and failed to release that code to the public. As soon as the organization was made aware of the violation, the site was taken down. However, users who set up accounts on the site (before it was taken down) were not given access to the code, which is a direct violation of the license, and the Trump organization continues to ignore requests for the source, though it has admitted that it used the code from Mastodon.

The lightning maturity of CentOS clones

It seems like only yesterday that CentOS jumped the shark and landed in a stream that put it at odds with its entire user base. Almost as quickly as that was announced, several distributions were brought into being to serve as replacements. Two of those replacements, AlmaLinux and Rocky Linux, matured at lightning speed. Within weeks the betas were ready, and soon after, the full releases were available to download.

To make this an even more attractive proposition, the makers behind AlmaLinux began offering commercial support through a new initiative, TuxCare. Because both of these distributions arrived so quickly, those who depended on CentOS didn’t have to miss a beat. In the end, both alternatives wound up being ideal drop-in replacements for what was once a must-use Linux distribution around the world.

System76 inches toward a possible in-house distribution

The idea first surfaced when Linux community favorite System76 crafted its own additions to the GNOME desktop, dubbed COSMIC, which used GNOME as its base and made plenty of tweaks to differentiate it from the default. Was COSMIC better than straight-up GNOME? That is debatable. What is not debatable is that it became increasingly clear System76 had a much bigger goal in mind. Take, for instance, the news that the company had started developing its own Rust-based desktop, which would have nothing to do with GNOME. Next, System76 migrated its repository from Launchpad (Ubuntu’s main PPA repository) to its own. So now we have System76 building its own desktop and possibly migrating away from Ubuntu. The writing couldn’t be any clearer: System76 has big plans for Pop!_OS.

Back to the future as open source takes over in German city

We’ve seen this before: A German city migrates from proprietary software to open source, only to backtrack and return to the proprietary solutions. This time, the city is Dortmund (the eighth largest city in Germany), and it’s making the transition the right way. First, it will deploy open source where possible, instead of forcing it on federal and state users. The city will also make all software developed or commissioned by the city government publicly available.

The organizers of this effort went to great lengths to work with the city’s IT department and other administrations. They are taking their time to make sure the transition is done right. 

Companies desperate to hire open-source talent

During the Open Source Summit in Seattle, The Linux Foundation (in conjunction with edX) released the 2021 Open Source Jobs Report, which made it very clear the demand for open source talent had skyrocketed. The survey unveiled that 92% of managers were having trouble finding enough talent and even retaining senior open-source staff members.

It was also found that 50% of employers said they were increasing their hires, and over 46% of those hiring were looking for people with Kubernetes skills.

Linux turns 30

It seems only yesterday that I was installing Caldera Open Linux 1 to start my journey with the open-source operating system. Next thing I know, I’m waking up and Linux has turned 30. This particular anniversary had many a pundit telling their stories on how Linux has changed their lives (including my own take on the 30th anniversary of Linux) and prognosticating on what’s in store for the next 30 years.

Microsoft Linux … sort of

We all knew it was coming. OK, we all hoped it was coming. But not like this. Microsoft finally released its own version of Linux. However, this wasn’t a replacement for Windows (such a shame). Instead, Microsoft released CBL-Mariner, which is a specialized Linux distribution for securing edge computing services.

Maybe 2022 will finally see an MS Linux desktop? Don’t hold your breath.

University of Minnesota students intentionally submit kernel patches with malicious code

A few students at the University of Minnesota were writing a thesis, and to prove their hypothesis they intentionally submitted kernel patches that contained malicious code. This was no “whoopsie” moment but, rather, an attempt to prove it could be done. The more fool they. This action led the kernel maintainers to ban the university from submitting further patches to the kernel.

You reap what you sow.

Ubuntu 21.04 makes it easy to join Linux to Active Directory

Canonical took another step toward its goal of getting Linux desktops more readily accepted in the enterprise world by adding the easy means to join Ubuntu desktops to Active Directory. The feature is available during installation and is incredibly simple. Soon after this, other distributions (such as Fedora) began to follow suit.

It’s only a matter of time now before Linux is found on business desktops across the globe. Right?

Red Hat rolls out free RHEL for non-profits

The company behind Red Hat Enterprise Linux saw a need, and that need was with the world of non-profits and small organizations. With CentOS being shunned by companies everywhere, Red Hat decided to create a project, called RHEL for Open Source Infrastructure, which makes it possible for non-profit organizations and projects to use RHEL at no cost for small production workloads and customer development teams. 

Linux goes to Mars

The headline says it all. The Perseverance science lab included a dual-propeller drone that continued to make headlines as it carried out self-piloted flights above the surface of the red planet. That drone is powered by a combination of Linux and in-house NASA software based on the Jet Propulsion Laboratory’s open-source F´ (F Prime) framework.

That’s pretty cool.

Linux on Apple M1

And, finally, shortly after Apple announced its new in-house chipsets to power the likes of the MacBook Pro and iMac computers, developers set out to make it possible to run Linux on the hardware. At first, it seemed a project doomed to fail. But 2021 proved the adage, where there’s a will, there’s a way. The developers made it happen, and now it’s possible to boot Linux on Apple M1 hardware. In fact, back in January 2021, Corellium CTO Chris Wade announced that Linux was completely usable on a Mac Mini M1.

I would suspect we’ll see more distributions ready to take on the M1 chipset in the coming year.

And that’s a wrap. 2021 is in the can, and the majority of the world is ready to see it in the rearview mirror. Here’s to a prosperous, healthy and joyous 2022. Fingers crossed, but maybe don’t hold your breath.
