Alibaba Cloud detected the Apache Log4j2 security vulnerability (CVE-2021-44228) and managed the security risks at the earliest opportunity. For the affected cloud desktops that use Ubuntu and CentOS images, Elastic Desktop Service (EDS) upgraded the images and fixed the vulnerability on December 30, 2021. For cloud desktops that use Ubuntu or CentOS images and were created before December 30, 2021, we recommend that you apply the mitigation below to fix the vulnerability at the earliest opportunity.

Vulnerability details

  • Vulnerability ID: CVE-2021-44228
  • Severity: Critical
  • Affected cloud desktop images:
    • Linux-Ubuntu-1804
    • Linux-Ubuntu-1804 vGPU
    • Linux-Ubuntu-2004
    • Linux-Ubuntu-2004 vGPU
    • Linux-CentOS-79
    • Linux-CentOS-79 vGPU

Security suggestions

If you created a cloud desktop that uses an Ubuntu or CentOS image on or before December 30, 2021, we recommend that you perform the following steps to fix the vulnerability:

  1. Launch Terminal on the cloud desktop.
  2. Enter the following command in Terminal, and press the Enter key to run the command.
    wget https://ecd-client.oss-cn-shanghai.aliyuncs.com/guest-env/scripts/fix_log4j2.sh && chmod +x fix_log4j2.sh && sudo ./fix_log4j2.sh
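
To review the cloud desktop after the fix has run, the following added example (not part of this advisory or of fix_log4j2.sh) lists Java archives that still carry the Log4j2 JndiLookup class, which Apache's mitigation guidance for CVE-2021-44228 removes from the classpath. A hit is not proof of exposure, because fixed log4j-core releases also ship the class, so check the version of each archive it lists. The function names and the script file name are hypothetical.

```shell
#!/bin/sh
# Added example (not the Alibaba Cloud script): inventory Java archives that
# carry the Log4j2 JndiLookup class tied to CVE-2021-44228.
# Assumption: zip entry names are stored uncompressed, so a fixed-string grep
# over the archive bytes finds them. Archives nested inside a compressed
# archive are not seen by this check.

JNDI_CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# Print each .jar/.war/.ear under directory $1 that contains the class entry.
find_jndi_archives() {
    find "$1" -xdev -type f \
        \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) \
        -exec grep -l -F -- "$JNDI_CLASS" {} + 2>/dev/null || true
}

# Return 0 when nothing under $1 carries the class, 1 when something does.
check_tree() {
    found=$(find_jndi_archives "$1")
    if [ -n "$found" ]; then
        printf 'Archives with JndiLookup.class (check the log4j-core version):\n'
        printf '%s\n' "$found"
        return 1
    fi
    printf 'No archive under %s contains JndiLookup.class\n' "$1"
    return 0
}

# Scan only when a directory is given, e.g.: sudo sh check_log4j.sh /
# (check_log4j.sh is a hypothetical file name for this example)
if [ "$#" -gt 0 ]; then
    check_tree "$1"
fi
```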