Re: [integer-Ticket #81335] Log4J security vulnerability

2021-12-18 Thread Jeffrey Walton
On Sat, Dec 18, 2021 at 3:50 PM Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:

>
> On Tue, Dec 14, 2021 at 10:17 PM integer GmbH 
> wrote:
>
>> Hello Ubuntu-Team,
>> can you please tell me if the following software is affected by the Log4J
>> exploit?
>>
>
> *disclaimer: I'm not from the security team and this is not a definitive
> or formal answer*
>
> In general for CVEs you'd want to check the https://ubuntu.com/security
> entry for it.
> It will mention its status, affected packages and link to further
> resources one should know about.
> In this case the links to USN and the wiki page are very helpful as well.
>
> In this case that is at: https://ubuntu.com/security/CVE-2021-44228
>

Related, it looks like CVE-2021-45046 against log4j2 v2.15 applies as well.
It can result in a Remote Code Execution (RCE) under certain circumstances.
Also see https://www.openwall.com/lists/oss-security/2021/12/18/1.

Jeff
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: [integer-Ticket #81335] Log4J security vulnerability

2021-12-18 Thread Christian Ehrhardt
On Tue, Dec 14, 2021 at 10:17 PM integer GmbH  wrote:

> Hello Ubuntu-Team,
> can you please tell me if the following software is affected by the Log4J
> exploit?
>

*disclaimer: I'm not from the security team and this is not a definitive or
formal answer*

Hi,
In general for CVEs you'd want to check the https://ubuntu.com/security
entry for it.
It will mention its status, affected packages and link to further
resources one should know about.
In this case the links to USN and the wiki page are very helpful as well.

In this case that is at: https://ubuntu.com/security/CVE-2021-44228

The TL;DR could be, you do not list the affected package "apache-log4j1.2",
so not affected.
But TBH your customer's website clearly runs apache2 + php which isn't
listed here.
Might there also be some Java or any other solution (like an appliance,
which sometimes isn't transparent about what it uses internally) that uses
log4j2, no one here would know.



-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
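
The two checks this reply points at, as an added example that is not part of the original thread: look for log4j in a package list by name, and look for a bundled log4j-core 2.x inside Java archives that no package list would reveal. The function names are hypothetical, the name match is only a heuristic (the CVE page stays authoritative for affected packages), and the sample data is constructed.

```python
import io
import os
import zipfile

# Class that implements the JNDI lookup in log4j-core 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def packages_naming_log4j(package_list):
    """Return package names from a pasted package list that mention log4j."""
    lines = package_list.splitlines()
    # Drop mail quote markers ("> ") and dpkg architecture suffixes (":amd64").
    names = (line.strip().lstrip("> ").split(":")[0] for line in lines)
    return sorted({n for n in names if "log4j" in n.lower()})


def _scan_archive(fileobj, label, hits, depth=0):
    """Record label if the archive (or a nested one) holds JndiLookup.class."""
    try:
        with zipfile.ZipFile(fileobj) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT) and depth < 4:
                    # Fat jars and WARs carry their libraries as nested archives.
                    nested = io.BytesIO(zf.read(name))
                    _scan_archive(nested, f"{label}!{name}", hits, depth + 1)
    except (zipfile.BadZipFile, RuntimeError, OSError):
        pass  # unreadable, encrypted or not a zip: skip it, keep scanning


def find_bundled_log4j(root):
    """Walk root and list archives that bundle log4j-core's JndiLookup class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                _scan_archive(path, path, hits)
    return hits


if __name__ == "__main__":
    # Constructed sample: three names from the list in this thread plus one
    # name added here to show a match.
    sample = "python3.8\n> squid\n> samba\nliblog4j2-java\n"
    print(packages_naming_log4j(sample))
    print(find_bundled_log4j("."))
```

A hit from `find_bundled_log4j` means the archive ships log4j-core 2.x, not that it is exploitable; the bundled version still has to be compared against the CVE entries.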


[integer-Ticket #81335] Log4J security vulnerability

2021-12-14 Thread integer GmbH
Hello Ubuntu-Team,
can you please tell me if the following software is affected by the Log4J 
exploit?

python3.8
python3.8-minimal
python3-appdirs
python3-apt
python3-certifi
python3-chardet
python3-crypto
python3-dbus
python3-distlib
python3-distro
python3-distro-info
python3-distupgrade
python3-distutils
python3-dnspython
python3-filelock
python3-gi
python3-gpg
python3-idna
python3-importlib-metadata
python3-ldb
python3-lib2to3
python3-markdown
python3-minimal
python3-more-itertools
python3-netifaces
python3-packaging
python3-pkg-resources
python3-pygments
python3-pyparsing
python3-requests
python3-samba
python3-six
python3-talloc
python3-tdb
python3-update-manager
python3-urllib3
python3-virtualenv
python3-yaml
python3-zipp
python3.6-minimal
readline-common
rename
resolvconf
rsync
rsyslog
samba
samba-common
samba-common-bin
samba-dsdb-modules
samba-libs
samba-vfs-modules
sed
sensible-utils
shared-mime-info
socat
squid
squid-common
squid-langpack
ssl-cert
sudo
systemd
systemd-sysv
systemd-timesyncd
sysvinit-utils
tar
tcpd
tdb-tools
thermald
tzdata
ubuntu-advantage-tools
ubuntu-minimal
ubuntu-release-upgrader-core
ucf
udev
update-inetd
update-manager-core
usb.ids
usbutils
util-linux
vim-common
vim-tiny
virtualenv
wget
whiptail
winbind
xauth
xdg-user-dirs
xkb-data
xxd
xz-utils
zerofree
zlib1g
tasksel
tasksel-data

Our client Hopfenveredlung St. Johann is using this software and we want to 
make sure they are not affected by the Log4J exploit.

Best Regards
Jonas Böck


_ _ _
integer GmbH Support
Phone: 08252 - 96031 - 10 | E-Mail: supp...@integer-it.de
Hans-Sachs-Weg 25 | 86529 Schrobenhausen
Register court: Amtsgericht Ingolstadt
Registration number: HRB 7821
Managing director: Luise Krammer
General privacy notice: https://integer-it.de/ds.html
_ _ _
