What is the Log4j RCE Vulnerability?

Linode Staff

I've been hearing a lot about a new vulnerability in Apache. What is it and how can I mitigate this?

4 Replies

Hi there,

It has come to light that specific versions of the popular Apache Log4j utility are vulnerable to remote code execution (RCE). If you are using Log4j, you should update to version 2.15.0 as soon as possible. The latest version can be found at the Apache Log4j download page:

If you are unable to upgrade to version 2.15, then as per the National Vulnerability Database, you will want to make an adjustment to your system configuration as follows:

In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true”

For more information please review Apache's security release:

I hope this information helps!

-- BD.

As the question refers to this as a "new vulnerability in Apache", I think it might be helpful to also make it abundantly clear that this vulnerability has no relation to Apache httpd at all.

This is purely about the very popular logging component for Java software named log4j (also by the Apache Software Foundation).

The implication being that a lot of Java-based software inherits this vulnerability because of how common it is to use log4j.

Whether you use log4j yourself or not, investigate any Java-based software that you have installed.

Do I need to take any steps with my Linode account? Does it use Log4j?

Do I need to take any steps with my Linode account?

Probably not.

Does it use Log4j?

Not unless you installed it and set it up…

-- sw


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct