如果未安装 Java，您是否可以免受 log4j CVE-2021-44228 的影响？

Question

I have read a lot about how bad this issue is and understand the options available to locate it within the code our company is producing and update servers that are using vulnerable versions.

What I am unable to find is if a particular server does not have Java installed ie if I log in as root and run java -version and get java: command not found is this server completely safe from this issue and so I can move on?

My initial instinct was: no Java - no issue. However, GitHub released an update for their Enterprise servers stating:

CRITICAL: A remote code execution vulnerability in the Log4j library, identified as CVE-2021-44228, affected all versions of GitHub Enterprise Server prior to 3.3.1. The Log4j library is used in an open-source service running on the GitHub Enterprise Server instance. This vulnerability was fixed in GitHub Enterprise Server versions 3.0.22, 3.1.14, 3.2.6, and 3.3.1. For more information, please see this post on the GitHub Blog.

And yet Java is not installed on their enterprise server.

I am guessing the offending service must be with Java running in a docker container. So I think I need to consider Java on the machine or Java running in a container.

Are there other hidden ways I have not considered in which this log4j process can be running?

Answer 1

log4j2 is a library that must be used by a running java process, to be vulnarable. But you are right, that checking if the java command is installed to the command line is not enough.

Here are two options (not meant to be complete), how your system could still be vulnerable without having the java command available on the command line.

• Java could be downloaded into a directory without adding the java command or directory to the executable PATH. By using a.bash (or.bat) script a java process pointing to the downloaded java version could still be started. But when the directory is not added to the path, you will not find the java command enabled.
• Java could be running inside of a docker container. the java command would only be available inside of your docker container but not visible from outside. I am not sure if an additional exploit would be required to break out of the container of if this is easily possible without extra effort.

Answer 2

I don't have a full answer yet but very definitely NO you are not safe even if Java is not installed, and Docker is not installed, and Java is not running in the process list, and Java is not in your yum/apt installed applications lists.

An obvious case I had not considered is when Java is added to an app as a JRE.

A Coverity platform server we have does not install Java but Java is running eg ps -ax | grep java ps -ax | grep java

/home/coverity/cov_platform-2021.9.0/jre/bin/java -Djava.awt.headless=true -Djdk.tls......

Working out if a vulnerable version of Log4j is included in that JRE is much harder.

Further, just checking the process list is not enough either. In this case the process list contained java but Java may only be run when triggered by another process eg cron , nginx , etc