
log4j Vulnerability

December 13, 2021 at 3:00 PM

Vulnerabilities unifi-controller booksonic-air fleet airsonic habridge nzbhydra2 davos booksonic ubooquity

This issue is not resolved yet

Multiple vulnerabilities (CVE-2021-44228 and CVE-2021-45046) have been discovered in log4j which can lead to denial of service and remote code execution. The following Linuxserver containers have been confirmed not to be affected by CVE-2021-44228 or CVE-2021-45046 due to existing mitigations, upstream patches, or workarounds applied to the container images.

Please note these lists apply to the stated version tags and later only. If you are running older versions of the images they may still be vulnerable.

The following Linuxserver containers have been confirmed not to be affected by CVE-2021-44228 due to existing mitigations, upstream patches, or workarounds applied to the container images, but may still be vulnerable to CVE-2021-45046.

The following Linuxserver containers are known to be using a vulnerable version of log4j in their current versions and cannot be mitigated by us. This does not mean they are definitely exploitable, but they may be, especially if exposed to the internet.

The following Linuxserver containers are unconfirmed as to their vulnerability status, but are Java based and so may be using log4j in some capacity.

We will update this post as more information becomes available.
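For older image tags and the unconfirmed Java-based containers mentioned above, one way to check a container filesystem yourself. This is an added example, not LinuxServer.io's own tooling. The version thresholds and the JndiLookup class path come from the Apache log4j advisories, not from this post, and the function names are hypothetical.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class whose removal from log4j-core is the documented workaround for both CVEs.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")


def classify(version, has_jndi_lookup):
    """Map one log4j-core jar onto the status tiers used in this post.

    Thresholds are assumptions taken from the Apache advisories, not this post:
    2.15.0 addresses CVE-2021-44228; 2.16.0 and the 2.12.2 backport address both.
    Java 6 backports (2.3.x) are not special-cased and report as vulnerable.
    """
    if not has_jndi_lookup:
        return "mitigated: JndiLookup class absent"
    if version >= (2, 16, 0) or (2, 12, 2) <= version < (2, 13, 0):
        return "not affected by CVE-2021-44228 or CVE-2021-45046"
    if version == (2, 15, 0):
        return "not affected by CVE-2021-44228, may be vulnerable to CVE-2021-45046"
    return "vulnerable version"


def scan(root):
    """Return (path, status) for every log4j-core jar found under root.

    Only standalone jars are checked; copies nested inside fat jars or
    WAR files are not unpacked.
    """
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        match = NAME_RE.search(jar.name)
        if not match:
            continue
        version = tuple(int(part or 0) for part in match.groups())
        try:
            with zipfile.ZipFile(jar) as archive:
                has_jndi = JNDI_CLASS in archive.namelist()
        except (zipfile.BadZipFile, OSError):
            has_jndi = True  # unreadable jar: assume the class is present
        findings.append((str(jar), classify(version, has_jndi)))
    return findings


if __name__ == "__main__":
    for path, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status}: {path}")
```

Pass the root of an extracted or mounted image filesystem as the argument; with no argument it scans the current directory.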

Last updated: December 17, 2021 at 10:50 AM