Log4j vulnerability - Arduino 1.8.16

With all the fuss around the "Log4Shell" vulnerability, I checked my PC for anywhere a program uses the log4j files which apparently is an indication of a potential exposure.

I found two files here:
C:\Program Files (x86)\arduino-1.8.16\lib\log4j-api-2.12.0.jar
C:\Program Files (x86)\arduino-1.8.16\lib\log4j-core-2.12.0.jar

From what I can see, you need at least version 2.15.0 to be safe against the "Log4Shell" vulnerability.

Can the above files simply and safely be just replaced by their 2.15.0 counterparts?

What happens if you simply delete those files?

Edit: just tried with Arduino version 1.8.15. The IDE displays a splash screen, then shuts down again.

Edit2: same shutdown if I replace the 2.12.0 versions of those files with 2.15.0 versions from Apache: Apache Download Mirrors

(I'm not a java person).
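As an added example (not code from the original post, nor anything shipped by Arduino or Apache), here is a small scanner for the kind of check the first post describes: walk a directory tree, find `log4j-core-*.jar` / `log4j-api-*.jar`, read the version the jar itself declares in `META-INF/MANIFEST.MF` rather than trusting the file name, and report whether `log4j-core` still contains `org/apache/logging/log4j/core/lookup/JndiLookup.class` (the class behind the JNDI lookup; removing it from the jar is Apache's documented mitigation for builds that cannot be upgraded). The `2.17.0` threshold, the manifest field name and the `build_demo_tree` fixture with its constructed stand-in jars are this example's assumptions, chosen to match the versions discussed in this thread; real jars would be found under a path such as the `lib` folder named above.

```python
"""Inventory Log4j 2 jars under a directory and report what each jar says about itself."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Assumptions for this example: the class whose presence enables JNDI lookups,
# and the release the thread ends up treating as the first safe one.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 17, 0)
JAR_NAME = re.compile(r"^log4j-(core|api)-(\d+(?:\.\d+)*)\.jar$")


@dataclass
class Finding:
    path: str
    artifact: str                      # "core" or "api"
    filename_version: str              # version encoded in the file name
    manifest_version: Optional[str]    # Implementation-Version from MANIFEST.MF, if any
    has_jndi_lookup: Optional[bool]    # None for log4j-api (the class lives in core)
    needs_update: bool                 # effective version is below FIXED


def parse_version(text: str) -> tuple:
    """'2.15.0' -> (2, 15, 0); tolerates suffixes such as '2.15.0-SNAPSHOT'."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def manifest_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Return Implementation-Version from the jar manifest, or None if absent."""
    try:
        raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path: str) -> Finding:
    """Read one log4j jar; the manifest wins over the file name when both exist."""
    m = JAR_NAME.match(os.path.basename(path))
    artifact, name_ver = m.group(1), m.group(2)
    with zipfile.ZipFile(path) as jar:
        mf_ver = manifest_version(jar)
        has_jndi = (JNDI_LOOKUP in jar.namelist()) if artifact == "core" else None
    effective = parse_version(mf_ver) if mf_ver else parse_version(name_ver)
    return Finding(path, artifact, name_ver, mf_ver, has_jndi, effective < FIXED)


def scan(root: str) -> List[Finding]:
    """Find every log4j-core/log4j-api jar below root and inspect it."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                try:
                    found.append(inspect_jar(os.path.join(dirpath, name)))
                except zipfile.BadZipFile:
                    pass  # something named like a jar that is not a zip: skip it
    return sorted(found, key=lambda f: f.path)


def make_fake_jar(path: str, impl_version: str, include_jndi: bool) -> None:
    """Write a constructed stand-in jar (not a real Log4j build) for offline use."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only


def build_demo_tree() -> str:
    """Constructed fixture: a 2.15.0 core jar renamed to 2.12.0 (as in this thread),
    a 2.12.0 api jar, and a 2.17.0 core jar in a subfolder. Returns the root."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    make_fake_jar(os.path.join(root, "log4j-core-2.12.0.jar"), "2.15.0", True)
    make_fake_jar(os.path.join(root, "log4j-api-2.12.0.jar"), "2.12.0", False)
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    make_fake_jar(os.path.join(lib, "log4j-core-2.17.0.jar"), "2.17.0", True)
    return root


if __name__ == "__main__":
    for f in scan(build_demo_tree()):
        print(f"{f.path}: name={f.filename_version} manifest={f.manifest_version} "
              f"jndi_lookup={f.has_jndi_lookup} needs_update={f.needs_update}")
```

Run it against a real tree with `scan(r"C:\Program Files (x86)\arduino-1.8.16")` instead of the demo fixture. The point of reading the manifest is exactly the renaming trick tried later in this thread: a jar called `log4j-core-2.12.0.jar` may really be 2.15.0 inside, and a file-name-only inventory will misreport it in either direction.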

Hi @RobLatour, please see this page for all the official information:

Thanks,

I actually tried downloading the 2.15.0 versions, changing their filenames to have a version number of 2.12.0 instead of 2.15.0 in their filename, and copying the new files with the tweaked filenames into the C:\Program Files (x86)\arduino-1.8.16\lib folder.

That seems to work. The IDE opened up, and seems to be working ok.

Have no idea what evil this may cause, proceed at your own risk!

Where did you download the 2.15.0 versions of those files?

from here:
https://logging.apache.org/log4j/2.x/download.html

I had left the filenames as -2.15.0.jar

Changed that to -2.12.0.jar and it works fine with IDE version 1.8.15.

But the Arduino team says not to worry, as no network ports are opened.

The following seems to indicate that 2.15.0 and previously suggested mitigations may not be enough:
https://isc.sans.edu/forums/diary/Log4j+2150+and+previously+suggested+mitigations+may+not+be+enough/28134/

also, I notice version 2.16 is now available:
https://logging.apache.org/log4j/2.x/download.html

The new Arduino IDE 1.8.18 release is using log4j version 2.16.0:

2.16 is no longer secure.
Are you working on implementing version 2.17?

The Arduino IDE developer did something even better. They removed the problematic log4j dependency completely:

That is already available in the Arduino IDE 1.8.19 release. You can download it here:

