I’m obviously worried about this vulnerability, but I wonder if I even have this library on my machine?
The machine is a webserver running a couple of node expressjs frameworks over nginx, plus a geoserver
I patched the machine today with sudo apt update && sudo apt upgrade: ubuntu-advantage-tools, openssl and libssl1.1 were upgraded.
My java version is:
openjdk version "1.8.0_292" OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~18.04-b10) OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)
The geoserver is v2.13.0 which I believe to be the only program that might use log4j. My geoserver is the platform independent binary version (not the Tomcat version), which uses jetty as its webserver I think.
How can I find out if and what version of log4j I have?
>Solution :
You can check if it is installed in apt:
apt list --installed | grep -i log4j
But you still have to also check this to find possible files that might be running somewhere:
locate log4j
Also, it’s good to check if you are running java run time on the server:
java -version
If you are not even running the java run time, log4j may not be relevant on this server as it is a java library.
There may be other places to check.