Log4j vulnerability discovered in Java

Apache Log4j

A serious vulnerability has been found in Apache Log4j, the logging library used by many Java applications and services, including Steam, Apple iCloud and Minecraft. The vulnerability, known as Log4Shell (CVE-2021-44228; it is sometimes mislabelled "LogJam", which is the name of an unrelated 2015 TLS weakness), allows an unauthenticated attacker to execute arbitrary code remotely with the privileges of the vulnerable Java application. The cause is that Log4j resolves ${jndi:...} lookups inside logged strings, so any attacker-controlled input that ends up in a log message can trigger it.

The National Vulnerability Database (NVD, maintained by NIST) notes that malicious parties are already actively scanning for the vulnerability. This article therefore addresses two questions: are the systems of hosting providers such as A2 and Bluehost vulnerable, and are your own hosted services vulnerable?

Measures taken on the hosting companies' systems

The hosting companies use Log4j on a number of their systems. They have therefore analysed those systems and taken the following steps to protect them against this vulnerability:

  • They checked which of their systems use Log4j.
  • Where Log4j is required, they hardened the configuration of the affected systems so that the vulnerability cannot be exploited.
  • Where Log4j was present but not needed, they removed it.
  • They monitor for new Log4j security updates and apply them immediately.
  • They continuously monitor their systems with vulnerability-management tooling and act where necessary.
  • They monitor their systems for signs of abuse.

In addition, they are investigating further measures to ensure that their infrastructure remains safe.


Are my hosting app services vulnerable?

If you use A2 or Bluehost shared web hosting or domain services, you are already protected against the Log4j vulnerability: the providers manage the underlying servers, and the measures described in the previous section apply to them.

Do you use a VPS? Then it is more complicated. Java applications often bundle their dependencies inside jar (or war/ear) files, so you cannot easily tell from the package manager whether Log4j is in use. It is therefore quite possible that Log4j is present on your server without your knowing it.

Fortunately, this post helps with that: it gives an overview of software, indicating whether it is vulnerable and, if so, whether a patch is available. If you see software you use and a patch is available, install it immediately. If the software is listed as still vulnerable, check back daily and apply the patch as soon as it appears. The list will almost certainly be expanded, so check it regularly.

There is good news for DirectAdmin and Plesk users: neither DirectAdmin nor Plesk uses Log4j. If you have not installed any additional software on your VPS, you do not need to take any action.

cPanel installations do use Log4j, but they can be updated from WHM: go to 'Home' > 'cPanel' > 'Update to the latest version' to update your installation and secure your VPS.

In all other cases, we recommend scanning your VPS to determine whether Log4j is in use. There are handy tools for this on GitHub; the example below uses syft, which catalogs the packages inside a directory or container image (here the jboss/wildfly image, with the output filtered for Log4j):

Linux

First check the tool's GitHub page to see whether a newer version is available; if so, adjust the download link and file name in the commands below. Then run the commands with sudo or as root, so that the scanner can read every file.

    $ syft jboss/wildfly | grep log4
    New version of syft is available: 0.32.2
     ✔ Loaded image
     ✔ Parsed image
     ✔ Cataloged packages      [1152 packages]
    log4j-api                2.14.1        java-archive
    log4j-jboss-logmanager   1.2.2.Final   java-archive
    log4j2-jboss-logmanager  1.0.0.Final   java-archive

When scanning a local filesystem you will see messages that the scanner has no permission to read files under /sys/; you can safely ignore them. What matters is the summary at the very end, for example: 0 vulnerable files found, 0 vulnerable libraries found. Note that the vulnerable code (the JNDI lookup) lives in log4j-core: the wildfly example above lists log4j-api 2.14.1 but no log4j-core, and log4j-api on its own does not contain the JNDI lookup. What you need to find is any log4j-core archive and its version.

Windows

Download the latest scanner for Windows ending in ‘D64.zip’ from Github.

• Extract the file to a directory of your choice, for example c:\Temp.

• Start Windows PowerShell and navigate to the folder where you extracted the file, for example cd c:\Temp

• Then scan your disk with the command

If the scan shows that your VPS uses Log4j, first take a snapshot of your VPS and back up important data. Then update the affected software and your VPS, restart it, and change your passwords and any other credentials the Java application had access to, since an attacker who exploited it could have read them.
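The scanners above report whether Log4j is present, but it helps to see what such a check actually does, and what the hosting companies' "remove it" or "harden the configuration" steps look like on a jar. The following Python script is an added example, not the hosting providers' tooling nor any of the GitHub scanners mentioned above. It walks a directory tree, opens every .jar/.war/.ear, recurses into archives nested inside them (the bundling that hides Log4j on a VPS), and reports each log4j-core it finds with the version from its Maven pom.properties and whether JndiLookup.class, the class that performs the JNDI lookup exploited by Log4Shell, is present. It also implements the mitigation Apache documented for 2.x when an upgrade is not yet possible: deleting JndiLookup.class from log4j-core. The archives it builds for its own demo are constructed stand-ins containing only the entries the scanner reads; the file name log4j_find.py is an assumption.

```python
"""Find log4j-core inside plain and nested Java archives and apply Apache's
JndiLookup.class removal. Added example, not the hosting providers' tooling;
the archives built by make_sample_tree() are constructed stand-ins."""
import io
import os
import sys
import tempfile
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Class performing the JNDI lookup abused by Log4Shell; shipped in log4j-core only.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_archive(data, name):
    """Inspect one archive given as bytes; recurse into archives nested in it."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # not a zip container
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = "unknown"
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            findings.append({"path": name, "version": version,
                             "jndi_lookup_present": JNDI_LOOKUP in names})
        for entry in sorted(names):
            if entry.lower().endswith(ARCHIVE_EXTS):  # e.g. WEB-INF/lib/*.jar
                findings.extend(inspect_archive(zf.read(entry), name + "!" + entry))
    return findings


def find_log4j(root):
    """Walk a directory tree and inspect every archive it contains."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable (permissions, /proc, /sys): skip it
                findings.extend(inspect_archive(data, path))
    return findings


def remove_jndi_lookup(jar_path):
    """Rewrite a log4j-core jar on disk without JndiLookup.class, the mitigation
    Apache documented for 2.x when upgrading is not yet possible. Handles a
    top-level jar only, not one nested in a war/ear. Returns True if removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP:
                    dst.writestr(item, src.read(item.filename))
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())
    return True


def _jar(entries):
    """Constructed archive holding only the given {name: bytes} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, payload in entries.items():
            zf.writestr(entry_name, payload)
    return buf.getvalue()


def make_sample_tree(root):
    """Constructed sample: bare log4j-core 2.14.1, a log4j-api jar (no JNDI
    lookup, must not be flagged) and log4j-core 2.11.2 bundled inside a war."""
    def core(v):
        return _jar({POM_PROPS: f"version={v}\n".encode(), JNDI_LOOKUP: b"\xca\xfe"})
    files = {"app/lib/log4j-core-2.14.1.jar": core("2.14.1"),
             "app/lib/log4j-api-2.14.1.jar": _jar({"org/apache/logging/log4j/Logger.class": b"\xca\xfe"}),
             "app/shop.war": _jar({"WEB-INF/lib/log4j-core-2.11.2.jar": core("2.11.2")})}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Scan the constructed tree, mitigate the bare jar, rescan; return both."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        before = find_log4j(root)
        removed = remove_jndi_lookup(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"))
        after = find_log4j(root)
    return {"before": before, "after": after, "removed": removed}


if __name__ == "__main__":
    for f in find_log4j(sys.argv[1]) if len(sys.argv) > 1 else demo()["before"]:
        print(f["path"], "log4j-core", f["version"], "JndiLookup.class:", f["jndi_lookup_present"])
```

Run it as root with the directory to scan (for example python3 log4j_find.py /) so that it can read every application directory; without an argument it scans its own constructed sample. Two things the demo makes visible that a bare "found/not found" summary does not: the log4j-api jar is not reported, because the JNDI lookup lives in log4j-core only, and the copy of log4j-core inside the war is found even though nothing on disk is named log4j. Removing JndiLookup.class from a top-level jar is a stop-gap that survives only until the application is redeployed; for a jar inside a war or ear you need to rebuild or, better, update the application to a fixed Log4j release.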

Finally, we recommend updating your VPS regularly, for example weekly. Sometimes a vulnerability is public, as with the Log4j vulnerability, but not every software vendor has a patch available immediately. Moreover, it is sometimes hard to determine which software is installed on your server, especially when it is bundled inside another application (as is often the case with Java applications).
