I’m obviously worried about this vulnerability, but I wonder if I even have this library on my machine?

The machine is a webserver running a couple of node expressjs frameworks over nginx, plus a geoserver

I patched the machine today with sudo apt update && sudo apt upgrade: ubuntu-advantage-tools, openssl and libssl1.1 were upgraded.

My java version is:
openjdk version "1.8.0_292" OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~18.04-b10) OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)

The geoserver is v2.13.0 which I believe to be the only program that might use log4j. My geoserver is the platform independent binary version (not the Tomcat version), which uses jetty as its webserver I think.

How can I find out if and what version of log4j I have?

>Solution :

You can check if it is installed in apt:

apt list --installed | grep -i log4j

But you still have to also check this to find possible files that might be running somewhere:

locate log4j

Also, it’s good to check if you are running java run time on the server:

java -version

If you are not even running the java run time, log4j may not be relevant on this server as it is a java library.

There may be other places to check.