How to Check the Log4j Version on Linux

Log4j, a popular Java package for logging error messages, is widely used in business applications and programs. Log4j is essential for logging programs and application activities. You can easily learn how to check the log4j version on your Linux machines.

Logging is a helpful exercise for programmers to track applications and web services problems. However, perpetrators sometimes try to rig this logging software package by making it vulnerable. The zero-day flaw affects this package, and hackers can try to execute the arbitrary code on a user’s system to write log messages. 

In this guide, you will learn how to check the log4j version on Linux. You will also know how to check if your package is vulnerable or not.

What is Apache Log4j Utility

The Apache Log4j is a Java-based logging utility used for logging messages. It is a part of Apache Logging services and was initially written by Ceki Gülcü. Developers use Log4j utility to keep track of what is happening with their software and trace problems that may arise in their application or online service.  

Prerequisites

For this tutorial, you will need a Linux machine with root access. Alternatively, you can also have the sudo privilege to perform the steps listed in this article. However, this article does not require a pre-installed log4j framework.

1. Update the System

Before installing any package, the first thing you have to do is to update it. Open the terminal by pressing “Ctrl + Alt + T”. To update the system, we will use the apt package manager. Type the following commands to perform the update:

sudo apt update
sudo apt upgrade

It will prompt for the system password. Type your password and press the “Enter key”. Hit “Y” and press “Enter” when the terminal shows a message about the space that will be used in the update. 

You will get a similar output:

Check the Log4j Version on Linux

2. Check the System for Vulnerability

Before installing log4j, you have to first make sure that it is not already installed in the system. To check this, type:

sudo apt list apache-log4j2

If you get a similar output, it means that log4j is not yet installed on your Linux machine, and your system is currently not vulnerable. 

Log4j Vulnerability

To search for older versions of log4j library, execute the following code:

sudo find / -name 'log4j*'

If you find any vulnerable files in older versions, update log4j as soon as possible. Also, if the vulnerability is hidden inside .jar files, the find command will not be able to search for it. For this purpose, there is a public project on GitHub known as Log4-detector that can search for log4j code inside archives.

3. Install Log4j Library on Linux

Next, we will install the Java log4j library on the Linux machine. For this step, the method is to use the apt install command. Specifically, type:

sudo apt install liblog4j2-java

Your output would look something like this:

Check the Log4j Version on Linux

It will prompt you about disk space. Hit “Y” to continue with the installation. Wait for the installation to complete successfully. 

4. Check Log4j Version on Linux

Once the installation is complete, you can check the installed log4j version on your Linux machine. For this step, use the apt list command as shown below:

sudo apt list -a liblog4j2-java

You should get a similar output as seen below:

Check the Log4j Version

As you can see from the output, log4j version 2.1 is installed on the Linux machine. If there is a message inside the square brackets, it means that this installation has made our system vulnerable. Hence, we need to fix that. However, if there is no message inside the square brackets, that means the installation did not make our system vulnerable. 

This vulnerability has the highest CVSS score of 10.0, so you need to pay attention if the system is vulnerable. Another method to check all the installed versions of log4js is to use a bash script. The bash script will consist of the code to detect the installed version. Type the following code and press “Ctrl + S” to save the bash script.

echo "checking for log4j vulnerability..." 
OUTPUT="$(locate log4jlgrep - v log4js)" 
if [ "$OUTPUT" ]; 
Afterwards, input:
echo "[WARNING] maybe vulnerable, those files contain the name:"
echo "$OUTPUT"
fi
OUTPUT="$(dpkg -llgrep log4jlgrep - v log4js)"
if [ "$OUTPUT" ]; 
Furthermore, input:
echo "[WARNING] maybe vulnerable, dpkg installed packages :"
echo "$OUTPUT"
fi

To execute the script, type the keyword bash followed by the filename.

bash bashscript.sh

Alternatively, you can also use the syntax below to execute the bash script.

Input:

./bashscript.sh

In case you get the permission error, be sure to change the permission mode to execute. For example:

chmod +x bashscript.sh

5. Check Which Applications Use Log4j

To check which applications on your system use log4j for logging, you can use the following commands:

# for gradle
gradelw dependencyInsight --dependency org.apache.logging.log4j:log4j-core --configuration runtimeClasspath
# for maven
mvn dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core
# for jdk
jdeps -R -verbose:class filename.jar | grep log4j
# for Linux
find / 2>/dev/null -regex ".*.jar" -type f | xargs -I{} grep JndiLookup.class "{}"

6. Remove Log4j from Linux

If your system detects the log4j to be vulnerable, it is necessary to remove it from the system as soon as possible. Use the apt package manager to remove the log4j library for this step. For instance:

sudo apt remove liblog4j2-java

It will ask for confirmation. Hit “Y” to continue with the process. And you have successfully removed the log4j package.

Remove Log4j

Alternatively, if you want to remove any version of log4j from the system, use the “*” character. For example:

sudo apt remove liblog4j*

Log4j package is an open-source logging framework. Apache server or Java framework does not install it by default. Hence, the Linux machine is not vulnerable. 

However, this article aims to guide you how to install this framework for logging purposes. The article also covers checking your system for any vulnerability that arises after installing log4j. We hope you found this article to be useful. 

If this guide helped you, please share it.

Leave a Reply
Related Posts