Regarding the Log4j2 vulnerability that was in the news recently: I just wanted to check with the community whether servers that have been set up following the tutorial "The Perfect Server - Debian 10 (Buster) with Apache, BIND, Dovecot, PureFTPD" would be affected by the Log4j2 vulnerability?
Log4j is a Java logging library. Java is not installed or used in the software stack of the Perfect Server tutorial.
Thanks for the confirmation Till. I had done a find / -name "log4j*" on my servers and all it found was some .conf files here, but no jars: /usr/share/doc/liblog-log4perl-perl/examples/log4j* I guess other sysadmins won't be sleeping so soundly tonight ...
Thanks, but a worrying feature is that all the buster repositories I tested offered 2.11, not the fixed 2.15. The 2.11 risk can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath [https://www.ncsc.gov.uk/news/apache-log4j-vulnerability]
If you look at the paths, then you see that you are not affected:
/usr/share/doc/: contains documentation files (manuals and example configs) only.
/usr/share/doc/liblog-log4perl-perl: The path says that the documentation is for the Perl library log4perl and not log4j.
/usr/share/doc/liblog-log4perl-perl/examples/: OK, so we are now looking at example config files of the program log4perl.
/usr/share/doc/liblog-log4perl-perl/examples/log4j*: So we have there example files for log4perl in conjunction with log4j.
As you can see, you do not even have log4j installed; you just grepped through the documentation folders of other unrelated software and there you found a documentation example on how to use that other software together with log4j. I guess most sysadmins slept very well as it's just a certain Java library and most systems will not use it.
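The point made in the two posts above (a file name containing "log4j" proves nothing; what matters is whether a Log4j 2 core archive, and in particular its JndiLookup class, is actually present) can be turned into a small inventory check. The following is an added example, not code from this thread or from Debian; the sample tree it builds (an archive with JndiLookup, one without it, an unrelated archive, and a doc-style example file) is constructed for the demo.

```python
import os
import tempfile
import zipfile

# The class the NCSC guidance quoted above suggests removing from the classpath.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"

def classify_jar(path):
    """Look inside one archive instead of trusting its file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return "unreadable-archive"
    if JNDI_LOOKUP_CLASS in names:
        return "log4j-core-with-JndiLookup"      # needs patching or mitigation
    if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        return "log4j-core-without-JndiLookup"   # class already stripped
    return "not-log4j"

def scan_tree(root):
    """Walk a tree: archives are inspected, bare name matches are reported as such."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith((".jar", ".war", ".ear")):
                results[rel] = classify_jar(full)
            elif "log4j" in name.lower():
                # e.g. /usr/share/doc/liblog-log4perl-perl/examples/log4j*: docs, not code
                results[rel] = "name-match-only (not an archive)"
    return results

def build_sample_tree(root):
    """Constructed sample data for the demo (not real package contents)."""
    def write_jar(rel, entries):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
    write_jar("app/lib/log4j-core-2.11.jar", [LOG4J_CORE_PREFIX + "Logger.class", JNDI_LOOKUP_CLASS])
    write_jar("app/lib/log4j-core-stripped.jar", [LOG4J_CORE_PREFIX + "Logger.class"])
    write_jar("app/lib/other.jar", ["com/example/Main.class"])
    doc = os.path.join(root, "share/doc/liblog-log4perl-perl/examples")
    os.makedirs(doc, exist_ok=True)
    open(os.path.join(doc, "log4j-file-append-perl.conf"), "w").close()

def demo():
    """Build the sample tree in a temp dir and return {relative path: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:36} {rel}")
```

On a real host, call scan_tree("/") instead of demo(); an "unreadable-archive" verdict is worth a second look rather than being ignored.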
Not sure if you are aware that the version number does not indicate whether it's fixed or not in Debian. Debian patches software to fix issues without increasing the manufacturer's version number. So if you want to know if an issue is fixed in a specific Debian package, then you must look at the patch history, e.g. on the Debian package website of that package, and not at the version number of the installed software.