The fixed packages are shipped in the updates and/or security repositories; the old, vulnerable packages are still available in the base repository. You can therefore install the latter by specifying the desired version:
* in 18.04, `sudo apt install liblog4j2-java=2.10.0-2`;
* in 20.04, `sudo apt install liblog4j2-java=2.11.2-1`;
* in 21.04 and 21.10, `sudo apt install liblog4j2-java=2.13.3-1`.
The versions are shown by `apt-cache madison`.
Further reading: How to install specific Ubuntu packages, with exact version? and USN-5192-1: Apache Log4j 2 vulnerability.
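
To confirm which repository pocket a given version comes from, for instance to check whether a host still has the unpatched base version installed, this added example (not part of the original answer) classifies `apt-cache madison` output. The sample output is constructed, the fixed-version string is a placeholder, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `apt-cache madison liblog4j2-java` output on 20.04.
# 2.11.2-1 is the base version named above; the fixed version string is a
# placeholder, not the real one.
sample_madison() {
cat <<'EOF'
liblog4j2-java | 0.0.0-FIXED-PLACEHOLDER | http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
liblog4j2-java | 0.0.0-FIXED-PLACEHOLDER | http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
liblog4j2-java |   2.11.2-1 | http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
EOF
}

# Read madison output on stdin and print "<version> <pocket>" per line,
# where pocket is base, updates, security or other.
classify_pockets() {
    awk -F'|' '
    NF >= 3 {
        gsub(/^[ \t]+|[ \t]+$/, "", $2)   # trim the version column
        split($3, f, " ")                 # f[1]=URL, f[2]=suite/component
        split(f[2], s, "/")               # s[1]=suite, e.g. focal-security
        pocket = "base"
        if (s[1] ~ /-security$/) pocket = "security"
        else if (s[1] ~ /-updates$/) pocket = "updates"
        else if (s[1] ~ /-/) pocket = "other"
        print $2, pocket
    }'
}

# Exit 0 when version $1 is offered only by the base pocket, i.e. it
# predates the fixes shipped in updates/security. Madison output on stdin.
is_base_only() {
    classify_pockets | awk -v v="$1" '
        $1 == v && $2 == "base" { b = 1 }
        $1 == v && $2 != "base" { o = 1 }
        END { exit !(b && !o) }'
}

# On a live system, feed it the installed version:
#   apt-cache madison liblog4j2-java |
#       is_base_only "$(dpkg-query -W -f='${Version}' liblog4j2-java)" &&
#       echo "installed version is the unpatched base package"
sample_madison | classify_pockets
```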