If you are on Linux and use some of the Java applications, you are quite familiar with the Log4j package, especially, about its vulnerabilities. Even if you have not, you should check the versions in your system for your digital security.
But as there is no straightforward way to do so, the experienced users may also wonder about how to check log4j version in Linux. And to help you with that, we are here with our detailed guide.
Even if you still have not installed any log4j version on your system, you can still follow this guide, especially if you are a developer or use customized programs. Because you never know if there is any vulnerable Log4j version within the third-party programs.
So let’s get into it without further chit-chat!
Why Do You Need to Check the Log4j Version in Linux?
Log4j is a library or package mainly installed and used in business applications or customized programs for internal use. Developers use this framework to monitor the applications and track any vulnerability or user issues in them.
Unfortunately, some versions of the Log4j library have been acting up and showing signs of vulnerabilities. These flaws can make some programs susceptible to a data breach. Because they make it easier for the exploiters to access the device or program to exploit the confidential data. Or they can ask for a ransom to provide you the access.
While installing the log4j, you must check the version. Even if you do not install the package, sometimes the third-party applications or programs on your Linux can contain it. So, to protect your data and device, you need to check the Log4j version before or after installing it.
How Can I Find Out What Version Of Log4j I Am Using?
You need to execute some commands and steps properly to know which version of the Log4j you are using. However, remember that, to follow the steps listed below, you do not have to have a log4j framework preinstalled on your system. All you have to do is –
- First, you need to update your system using the apt package manager or tool. For that, bring the terminal with the Ctrl+Alt+T keyboard shortcut and type the following entry on the shell
sudo apt update
sudo apt upgrade
- After entering the scripts, you need to confirm the update process, so type your password as required and press Enter button on the keyboard.
- The system will again ask for your confirmation and show you the disk space you need for the update. To confirm it, hold the Y button followed by the Enter key, and the system will show the message as shown in the image below
- Then type the following command on the shell or terminal to check whether you have a pre-installed log4j on Linux or not
sudo apt list apache-log4j2
- After executing the command, you can see a similar message shown in the image below, and it indicates that your system is not at risk at the moment
- Now, you need to detect the older versions of log4j by entering the following scripts. It will let you know whether your device system is at risk or not
sudo find / -name ‘log4j*’
- Sometimes the flaws in the older versions are hard to detect as they can hide several layers deep within the .jar files or any application. In that case, use the detector tool for this framework to detect them. If there are any vulnerable files, you must update the Log4j version to remove the flaws
- Proceed to install Log4j using the Apt software, for that, enter the following scripts and execute the command
sudo apt install liblog4j2-java
Then press Y to start the installation process, it might take two to five minutes to complete the process.
- In order to check the version and its vulnerability on your Linux, enter the scripts shown below
sudo apt list -a liblog4j2-java
- Once you perform the command, it will show you some of the Log4j versions. And if you can see the text “installed” shown in the square brackets next to any version, it indicates that the version is vulnerable. However, if there is no text inside the brackets, then that version is safe to keep. Observe the image attached below to understand the concept better
- Alternatively, you can use some specific scripts to check all the versions of the installed Log4j library and whether they are vulnerable or not at once. For that, type the scripts shown in the picture below and save the bash file by pressing the Ctrl + S buttons
- Finally, use the directive along with the filename as shown below to execute the bash script and check all the Log4j version
If you follow all these steps above with patience, it will be a successful attempt to detect the versions.
Frequently Asked Questions (FAQs):
Do You Need Any Prerequisites To Check Log4j Version in Linux?
Some of the tutorials might require you to gain root access to your system to check log4j versions. But if you use the Sudo program, you do not need any prerequisites to follow.
Can You Remove Vulnerable Log4j Version From the System?
Yes, it is possible to do so. You need to perform certain commands with the apt software to remove vulnerable versions of Log4j.
Can You Detect Which Applications Contain Log4j Package?
Yes, you can detect which apps have the log4j framework. There are some specific scripts or commands available to do so.
Which Log4j Version Is Safer?
The recent versions of the Log4j should be comparatively safer. You can switch to the 2.16 version as it is not yet vulnerable.
How To Update or Get the Newer Log4j Version?
The official Apache website releases different versions of Log4j. You can download the latest version to update it.
Checking the installed versions of the Log4j framework in Linux is not an easy task. So, if you are a programmer or tech-savvy and want to protect your data, follow our detailed how to check log4j version in Linux guide. Otherwise, you can contact a computer technician to help you with the process.
While following the process, make sure there is enough charge and a stable internet connection on your device. Or else, if something interrupts the process, it can crash the system.
You may also interested to know: