Question

How to know if I have "log4j"?

Posted December 11, 2021 17.7k views
LAMP Stack

I just read about a severe security vulnerability in something called “log4j” from Apache. I have a LAMP droplet and I need to know how to find out if log4j is installed on the droplet? I don’t see a package by that name, but I’m not sure if I’m looking for the right thing.

7 answers

Hi all,

In addition to what has already been mentioned, I could suggest taking a look at this answer here:

What should I do to protect against CVE-2021-44228/Log4shell vulnerability with Apache Log4j?

Best,
Bobby

Hi JigsawBob,
log4j is not installed as part of the standard LAMP stack. Unless you installed it yourself it is not on your server so you don’t need to do anything.

Hello, @JigsawBob

From what I can see, Apache log4j 2 is an open-source Java-based logging framework that should not be installed by default on your Apache server; hence, if you’ve not manually installed/configured it, then CVE-2021-44228 should not affect your server.

Regards,
Alex

Looking to see if log4j is directly installed does NOT tell you if your server is vulnerable. log4j is used in HUNDREDS of other applications. If you use one of THOSE and it’s not patched and updated, your server is vulnerable. Use Solr for search? Solr uses log4j. Do you have an application that uses the Neo4J graph database? Some versions are affected. You can find out more here. https://thenewstack.io/log4shell-we-are-in-so-much-trouble/

  • If you have Log4j running on your server then make sure to update it to the latest version which is patched for the vulnerability.

    Regards,
    Alex

I installed many packages from third parties. Is there a way to check if any of them contains Log4j or if it’s installed on my servers? What is the command to run to check if it’s installed on a server?

Try this.
locate log4j|grep -v log4js

There’s a nice, easy open-source tool for log4j specifically:

https://github.com/whitesource/log4j-detect-distribution

This will work on Maven/Gradle projects;
it will also do a file system search.