OPCFoundation / UA-Java-Legacy

This repository is provided by OPC Foundation as legacy support for a Java version of OPC UA.
https://github.com/OPCFoundation/UA-.NETStandard

log4j RCE Exploitation #221

Closed 4N1S closed 2 years ago

4N1S commented 2 years ago

Hello; it seems to me that you should investigate log4j, which you use in parallel with crypto-api. There are two important CVEs which, combined, could create a lot of incidents on the OPC protocol:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Sincerely

jouniaro commented 2 years ago

Yes, we have been investigating CVE-2021-44228.

The OPC UA Java Stack itself is not directly vulnerable, since it uses SLF4J for logging. So the issue depends on how the applications (such as the sample applications) then direct the SLF4J logging.

http://slf4j.org/log4shell.html

The sample applications in the stack are using log4j version 1, so they should not be affected by this issue. However, it is probably affected by other security issues:

https://www.lunasec.io/docs/blog/log4j-zero-day/

The stack is still supporting Java 6, so the samples cannot just update to the latest log4j 2.15.0, although, overall, that might be the best. So, I think we will just remove the dependency on log4j altogether and leave it to the users to choose the proper library for their applications.

Issue CVE-2020-0601 does not affect the OPC UA Java Stack, since there is no ECC cryptography implemented in the OPC UA Java Stack at all. But thanks for the note on that, too.

jouniaro commented 2 years ago

I changed the examples to use logback instead of log4j. Logback is still maintained, so it's a safer choice for the future. Commit 963cf667f3fe1ef050e0ca7e3bb4d9ab8b5fe943

4N1S commented 2 years ago

Sorry, but there is also an RCE on logback.

jouniaro commented 2 years ago

Do you mean https://jira.qos.ch/browse/LOGBACK-1591, which was fixed in version 1.2.9, which I used here?

jouniaro commented 2 years ago

More about that in http://logback.qos.ch/news.html
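The practical consequence of jouniaro's point above is that the stack's SLF4J facade says nothing about exposure on its own: what matters is which SLF4J binding and which backend jars an application actually ships in its lib directory. The script below is an added example, not code from the OPC UA Java Stack or from any of the projects named in this thread. It audits a directory of jars by reading the Maven pom.properties each jar carries, identifies the deployed SLF4J binding (the pre-1.8 StaticLoggerBinder mechanism or the newer SLF4JServiceProvider service file), and flags log4j-core versions exposed to CVE-2021-44228 (fixed in 2.15.0, with the 2.12.2 and 2.3.1 backports for Java 7 and Java 6), end-of-life log4j 1.x, and logback-core older than the 1.2.9 fix for LOGBACK-1591 that the thread mentions. The sample jars are constructed inline with empty class entries so the audit runs offline; their mix of log4j 1, log4j-core 2.14.1 and logback 1.2.9 is deliberate so that every branch fires.

```python
"""Audit a Java application's lib/ directory for the logging exposure
discussed in this issue. Added example, not OPC UA Java Stack code.
Sample jars are constructed inline so the script runs offline."""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LEGACY_BINDER = "org/slf4j/impl/StaticLoggerBinder.class"              # SLF4J <= 1.7.x binding
PROVIDER_SVC = "META-INF/services/org.slf4j.spi.SLF4JServiceProvider"  # SLF4J >= 1.8 binding
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(n or 0) for n in m.groups()) if m else (0, 0, 0)


def log4shell_vulnerable(v):
    """CVE-2021-44228: fixed in 2.15.0, backported as 2.12.2 (Java 7) and 2.3.1 (Java 6)."""
    if v[0] != 2:
        return False
    if v[:2] == (2, 12):
        return v < (2, 12, 2)
    if v[:2] == (2, 3):
        return v < (2, 3, 1)
    return v < (2, 15, 0)


def scan_jar(path):
    """Collect Maven coordinates and marker entries from one jar (a zip file)."""
    info = {"file": os.path.basename(path), "artifact": None, "version": None,
            "binder": False, "provider": False, "jndi": False}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if m:  # Maven-built jars carry groupId/artifactId/version here
                props = dict(line.split("=", 1) for line in
                             zf.read(name).decode().splitlines() if "=" in line)
                info["artifact"] = f"{m.group(1)}:{m.group(2)}"
                info["version"] = props.get("version")
            info["binder"] |= name == LEGACY_BINDER
            info["provider"] |= name == PROVIDER_SVC
            info["jndi"] |= name == JNDI_LOOKUP
    return info


def assess(info):
    """Turn one jar's markers into human-readable findings."""
    findings = []
    art, ver = info["artifact"] or info["file"], info["version"] or "0"
    if info["binder"] or info["provider"]:
        findings.append(f"SLF4J binding: {art} {ver}")
    if art.endswith(":log4j-core") and log4shell_vulnerable(parse_version(ver)):
        state = "present" if info["jndi"] else "absent"
        findings.append(f"CVE-2021-44228: log4j-core {ver} (JndiLookup {state})")
    if art == "log4j:log4j":
        findings.append(f"log4j 1.x ({ver}) is end-of-life; not Log4Shell, but unpatched")
    if art.endswith(":logback-core") and parse_version(ver) < (1, 2, 9):
        findings.append(f"LOGBACK-1591: logback-core {ver} < 1.2.9")
    return findings


def audit(lib_dir):
    """Map every jar in lib_dir to its findings (empty list means nothing flagged)."""
    return {f: assess(scan_jar(os.path.join(lib_dir, f)))
            for f in sorted(os.listdir(lib_dir)) if f.endswith(".jar")}


def build_sample_lib(lib_dir):
    """Constructed sample jars: real coordinates and entry names, empty class bodies."""
    def jar(name, group, artifact, version, entries):
        with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as zf:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"version={version}\ngroupId={group}\nartifactId={artifact}\n")
            for entry in entries:
                zf.writestr(entry, b"")
    jar("slf4j-log4j12-1.7.32.jar", "org.slf4j", "slf4j-log4j12", "1.7.32", [LEGACY_BINDER])
    jar("log4j-1.2.17.jar", "log4j", "log4j", "1.2.17", ["org/apache/log4j/Logger.class"])
    jar("log4j-core-2.14.1.jar", "org.apache.logging.log4j", "log4j-core", "2.14.1", [JNDI_LOOKUP])
    jar("logback-classic-1.2.9.jar", "ch.qos.logback", "logback-classic", "1.2.9", [LEGACY_BINDER])
    jar("logback-core-1.2.9.jar", "ch.qos.logback", "logback-core", "1.2.9", [])


def audit_sample():
    """Build the constructed lib directory in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as lib_dir:
        build_sample_lib(lib_dir)
        return audit(lib_dir)


if __name__ == "__main__":
    for jar_name, findings in audit_sample().items():
        print(jar_name, "->", findings or "ok")
```

Run it against a real deployment with `audit("/path/to/app/lib")`. Two SLF4J bindings reported at once (as in the constructed sample) is itself a finding: SLF4J picks one at startup, so the jar you think is unused may still be the one doing the logging.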