
NCSC recommends updating to version 2.15.0 or later, and – where not possible – mitigating the flaw in Log4j 2.10 and later by setting system property "log4j2.formatMsgNoLookups" to "true" or removing the JndiLookup class from the classpath.

Source: https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-yourself/

pi@nextcloudpi:~/log4j-detector-master $ uname -a
Linux nextcloudpi 5.10.63-v7+ #1496 SMP Wed Dec 1 15:58:11 GMT 2021 armv7l GNU/Linux

Is there a simple terminal command that can retrieve the version of log4j?

Tests:

Test for Apache Webserver: https://stackoverflow.com/a/55107891

pi@nextcloudpi:~ $ ps -acx|grep apache

  705 ?        Ss     0:53 apache2
 1600 ?        Sl     0:01 apache2
 1601 ?        Sl     0:01 apache2

unzipped: wget https://github.com/mergebase/log4j-detector/archive/refs/heads/master.zip

pi@nextcloudpi:~/log4j-detector-master $ java -jar log4j-detector-2021.12.14.jar [path-to-scan] > hits.txt
-bash: java: command not found

I am reluctant to install a JDK on the NCP server.

gatorback

1 Answer


While the log4j software can be bundled with third-party applications, you can retrieve the status of the liblog4j2-java OS package in Raspbian with:

dpkg --get-selections | grep liblog4j2-java

This is based on the Raspberry Connect page, under "Check what Packages are installed".

I determined the package name by searching the Raspbian Java Packages page for log4j. Note that "liblog4j1.2-java" is version 1 of log4j, while "liblog4j2-java" is version 2 of log4j, which has the recent CVE you're looking at.

Jeff Schaller
  • given that grep does not find the string `liblog4j`: https://pastebin.com/raw/gCiDGH27 Can one conclude that log4j is not installed and that NextCloudPi is not vulnerable to said CVE? – gatorback Dec 15 '21 at 03:09
  • You could say that of the base OS installation, but not of an arbitrary server, given that an application could bring a copy of a vulnerable log4j, as I alluded to in the answer. – Jeff Schaller Dec 15 '21 at 03:22
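The answer's dpkg query only covers the OS package, and the comment above points out that an application can ship its own copy of log4j. The script below is an added example (not from the question or answer) that combines both checks: it queries the liblog4j2-java package and then walks a directory for bundled log4j-core jars, reporting whether each is below 2.15.0 and whether JndiLookup.class is still inside the jar. It assumes a POSIX sh with find, unzip and dpkg-query available; 2.15.0 as the fixed release follows the NCSC advice quoted in the question.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh, find, unzip
# and (on Raspbian) dpkg-query. Version threshold 2.15.0 per the NCSC note above.

# True (exit 0) when a log4j 2.x version string is below 2.15.0.
# Handles "2.14.1", "2.15" and pre-release names such as "2.0-beta9";
# 1.x is a separate code base and is not flagged here.
log4j_below_fix() {
    major=${1%%.*}
    rest=${1#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}
    [ -n "$major" ] && [ "${major#*[!0-9]}" = "$major" ] || return 1
    [ "$major" -eq 2 ] && [ "${minor:-0}" -lt 15 ]
}

# Version from a jar file name such as /opt/app/lib/log4j-core-2.14.1.jar.
jar_version() {
    name=$(basename "$1" .jar)
    echo "${name#log4j-core-}"
}

# Installed version and status of the Raspbian package named in the answer.
check_os_package() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not available"; return 0; }
    dpkg-query -W -f='${Package} ${Version} ${Status}\n' liblog4j2-java 2>/dev/null \
        || echo "liblog4j2-java not installed"
}

# Walk $1 for bundled log4j-core jars. For each, print the version, whether it is
# below 2.15.0, and whether JndiLookup.class is still in the jar (removing it from
# the classpath is the NCSC workaround for installs that cannot be upgraded).
scan_bundled_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(jar_version "$jar")
        if log4j_below_fix "$ver"; then status=below-2.15.0; else status=ok; fi
        if ! command -v unzip >/dev/null 2>&1; then jndi=JndiLookup-unknown
        elif unzip -l "$jar" 2>/dev/null | grep -q 'core/lookup/JndiLookup.class'; then
            jndi=JndiLookup-present
        else jndi=JndiLookup-absent; fi
        echo "$jar version=$ver $status $jndi"
    done
}

# Usage: sh log4j-check.sh /path/to/scan   (e.g. the Nextcloud install directory)
if [ "$#" -eq 1 ]; then
    check_os_package
    scan_bundled_log4j "$1"
fi
```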