Closed pyryk closed 2 years ago
Thanks!
This vulnerability is not directly exploitable, since RuuviCollector doesn't log any totally uncontrolled input. The closest to that is logging some of the received raw data from hcidump (in hex bytes) in case an uncaught exception is thrown, although a theoretical attack vector exists if someone manages to get hcidump to output something else. Either way it's good to fix this, but it's not a critical issue in this case.
Ah, thanks for the clarification. But I agree it's good to fix just in case (and to guard against some potential future usage).
This PR updates the log4j dependency in order to address CVE-2021-44228.
As far as I understand, exploiting the vulnerability would require physical proximity. Therefore, the vulnerability is not as critical as in many other pieces of software, but it might make sense to address this just to be on the safe side.
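A practical follow-up to a dependency bump like this one is verifying what log4j-core actually ends up on the classpath, including inside a fat jar. The following script is an added example and is not part of RuuviCollector or of this PR. It assumes the Maven metadata path `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` that Maven-built log4j-core jars carry, the class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` (whose removal was the widely published mitigation for CVE-2021-44228), and 2.15.0 as the first 2.x release that fixed CVE-2021-44228; the sample jars it inspects are constructed in memory, so it runs offline. Later log4j advisories recommend newer releases, so treat `MIN_FIXED` as a policy knob, not as a complete vulnerability database.

```python
import io
import os
import re
import zipfile

# Maven metadata that log4j-core jars ship with (assumed standard layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal was the published mitigation for CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# First log4j 2.x release fixing CVE-2021-44228; raise to your own policy as needed.
MIN_FIXED = (2, 15, 0)


def parse_version(pom_properties: str):
    """Return a comparable (major, minor, patch) tuple from pom.properties, or None."""
    m = re.search(r"^version=(\S+)", pom_properties, re.M)
    if not m:
        return None
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", m.group(1))
    if not nums:
        return None
    # "2.0-beta9" parses as (2, 0, 0), which correctly sorts below MIN_FIXED.
    return tuple(int(x or 0) for x in nums.groups())


def assess_jar(data: bytes, name: str = "<jar>") -> list:
    """Inspect a jar (and any jars nested in it) for log4j-core and classify each hit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                version = parse_version(jar.read(POM_PROPS).decode("utf-8", "replace"))
            has_jndi = JNDI_LOOKUP in names
            if version is None:
                status = "unknown"          # log4j classes present but no version metadata
            elif version >= MIN_FIXED:
                status = "fixed"
            elif not has_jndi:
                status = "mitigated"        # old version, but JndiLookup was stripped
            else:
                status = "vulnerable"
            findings.append({"path": name, "version": version,
                             "jndi_lookup_present": has_jndi, "status": status})
        # Fat/uber jars may embed dependency jars; recurse into them.
        for entry in sorted(names):
            if entry.endswith(".jar"):
                findings.extend(assess_jar(jar.read(entry), f"{name}!{entry}"))
    return findings


def scan_directory(root: str) -> list:
    """Walk a deployment directory and assess every *.jar found."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".jar"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    results.extend(assess_jar(fh.read(), path))
    return results


# --- constructed sample jars for demonstration (not real log4j artifacts) ---
def build_sample_jar(version=None, include_jndi=True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def wrap_in_jar(inner: bytes, inner_name: str) -> bytes:
    """Embed a jar inside another jar, mimicking a fat-jar layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner)
    return buf.getvalue()


if __name__ == "__main__":
    fat = wrap_in_jar(build_sample_jar("2.14.1"), "BOOT-INF/lib/log4j-core-2.14.1.jar")
    for f in assess_jar(fat, "app.jar"):
        print(f)
```

`scan_directory` is the entry point for a real deployment directory; `assess_jar` is what the test exercises against the constructed jars.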