SwitchEV / RISE-V2G

The only fully-featured reference implementation of the Vehicle-2-Grid communication interface ISO 15118
MIT License

Mitigates CVE-2021-45046 #80

Open FlUxIuS opened 2 years ago

FlUxIuS commented 2 years ago

Need to update the dependency version, or to filter by using 'formatMsgNoLookups'.

This vulnerability isn't strictly easy to exploit, but an EVCC can send this encoded payload to the EVSE, and trigger the bug even during the first supportedAppProtocolReq state:

80027123DB53732349D363230B81D1797BC123DB437B9BA2730B6B2BE97261A2517199B33BC98B0B9B6B09B311BB119B198BBBD3B3CB33B9B38BA9731B0B730B93CBA37B5B2B7399731B7B697B0BE8020000280040

dportnrj commented 2 years ago

There is 2.17.1 already in https://github.com/SwitchEV/RISE-V2G/blob/master/RISE-V2G-Shared/pom.xml

    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.17.1</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.17.1</version>
    </dependency>
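
A check for the point raised in this thread, as an added example rather than code from RISE-V2G: it reads a Maven POM, resolves `${property}` versions and flags any `org.apache.logging.log4j` artifact below 2.16.0, the release that fixed CVE-2021-45046 on the Java 8+ line. `SAMPLE_POM`, `audit_pom` and the `log4j.version` property are names assumed for the illustration.

```python
import re
import xml.etree.ElementTree as ET  # parse only POMs from repositories you trust

# Assumption: 2.16.0 is the first Java 8+ release fixing CVE-2021-45046 (Apache advisory).
MIN_FIXED = (2, 16, 0)

# Constructed sample, not the project's file: the excerpt above, with log4j-core
# switched to a hypothetical ${log4j.version} property to exercise resolution.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.17.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def audit_pom(pom_text, minimum=MIN_FIXED):
    """Return [(artifactId, resolved_version, meets_minimum)] for log4j 2.x deps."""
    root = ET.fromstring(pom_text)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") != "org.apache.logging.log4j":
            continue
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda hit: props.get(hit.group(1), hit.group(0)),
                         f.get("version", ""))
        m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
        parsed = tuple(int(n or 0) for n in m.groups()) if m else None
        # Fail closed: a missing or unresolved version counts as not fixed.
        findings.append((f.get("artifactId"), version, bool(parsed and parsed >= minimum)))
    return findings
```

The version check is the control to rely on: Apache's advisory for CVE-2021-45046 states that setting `log4j2.formatMsgNoLookups` does not mitigate it. A POM scan covers declared dependencies only, so transitive copies of log4j-core still need a resolved dependency tree.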