Like many of us, I've been trying to follow mitigation howtos, running various Python scripts to test vulnerabilities of my server.
I have a few Ubuntu and CentOS servers. None of them run LDAP or even have Java installed, to the point where I can't even follow step 1 of many of the "test your server" articles.
Am I correct that the only other entry point of the vulnerability would be to install Java-specific software that utilizes the log4 component?
I'm racking my brain to think of anything that I'd install that is beyond the use of hosting websites: Apache, nginx, LetsEncrypt, fail2ban, php - those are the extent of the type of additional software that is installed.
Even a find / -name "*log4j*" or find / -name "*.jar" comes up empty.
Log4j is a Java-based logging utility; its jars are called log4j-api-2.x.jar, log4j-core-2.x.jar, etc. If you don't have them, you most probably have no Log4j at all (except in the obscure case where the classes were compiled in statically, or copy&pasted and renamed to something else).
And yes, your assumption is correct - it is a module exclusively used by programs written in Java, and if you don't find any *.jar at all, it is highly unlikely that you have any of them.
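
An added example, not part of the original answer: a Python scan for the bundled-or-renamed case the answer mentions. Instead of matching file names, it opens every zip-format file and looks for the log4j-core class JndiLookup.class, descending into nested archives (WAR, EAR, fat jars). The nesting limit and the skipped directories are assumptions made here.

```python
import io
import os
import sys
import zipfile
import zlib

# Class shipped in log4j-core 2.x; it is still there when the jar file is renamed.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")
SKIP_DIRS = {"/proc", "/sys", "/dev"}   # assumption: pseudo file systems to skip
UNREADABLE = (zipfile.BadZipFile, zlib.error, OSError,
              RuntimeError, NotImplementedError)

def scan_archive(fileobj, label, depth=0):
    """Return 'archive!member' labels for every copy of MARKER, nested ones too."""
    hits = []
    try:
        zf = zipfile.ZipFile(fileobj)
    except UNREADABLE:
        return hits
    with zf:
        for name in zf.namelist():
            if name.endswith(MARKER):      # also matches a relocated package prefix
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(NESTED) and depth < 4:
                try:
                    inner = io.BytesIO(zf.read(name))
                except UNREADABLE:         # corrupt or encrypted member: skip it
                    continue
                hits += scan_archive(inner, f"{label}!{name}", depth + 1)
    return hits

def scan_tree(root):
    """Walk root and inspect every file that is a zip archive, whatever its name."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            # regular files only: skips symlinks, sockets and pipes
            if (os.path.isfile(path) and not os.path.islink(path)
                    and zipfile.is_zipfile(path)):
                hits += scan_archive(path, path)
    return hits

if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/")
    print("\n".join(found) if found else "no log4j-core classes found")
```

Run it as root so unreadable directories are not silently missed. Classes that were themselves renamed, rather than just moved under another package prefix, are not detected.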