A high-impact vulnerability was discovered in Apache Log4j 2, a widely deployed software component that many Java applications use for logging. An attacker who can control the log messages or their parameters can cause the application to execute arbitrary code. In Ubuntu, Apache Log4j 2 is packaged under the apache-log4j2 source package, which has already been patched to address this vulnerability, as detailed in USN-5192-1 (Dec 14) and USN-5197-1 (Dec 15). This vulnerability has been assigned CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
To apply all available fixes to your Ubuntu system, type the following commands in a terminal:
$ sudo ua fix CVE-2021-44228
$ sudo ua fix CVE-2021-45046
$ sudo ua fix CVE-2021-45105
Look out for Apache Log4j 2 package usage
The widespread use of the Apache Log4j 2 package, together with the Java platform’s packaging conventions, has made addressing this vulnerability non-trivial for the security industry as a whole. The reason is…