[USN-5223-1] Apache Log4j 1.2 vulnerability

Paulo Flabiano Smorigo pfsmorigo at canonical.com
Thu Jan 13 13:11:17 UTC 2022

Ubuntu Security Notice USN-5223-1
January 12, 2022

apache-log4j1.2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS


Apache Log4j 1.2 could be made to crash or run programs if it received specially
crafted input.

Software Description:
- apache-log4j1.2: Java-based open-source logging tool


It was discovered that Apache Log4j 1.2 was vulnerable to deserialization of
untrusted data if the configuration file was editable. An attacker could use
this vulnerability to cause a DoS or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
  liblog4j1.2-java                1.2.17-10ubuntu0.21.10.1

Ubuntu 21.04:
  liblog4j1.2-java                1.2.17-10ubuntu0.21.04.1

Ubuntu 20.04 LTS:
  liblog4j1.2-java                1.2.17-9ubuntu0.1

Ubuntu 18.04 LTS:
  liblog4j1.2-java                1.2.17-8+deb10u1ubuntu0.1

In general, a standard system update will make all the necessary changes.


Package Information:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20220113/8c4eeeac/attachment.sig>

More information about the ubuntu-security-announce mailing list