Log4j vulnerability - Arduino 1.8.16

RobLatour · December 13, 2021, 4:05pm

With all the fuss around the "Log4Shell" vulnerability, I checked my PC for anywhere a program uses the log4j files which apparently is an indication of a potential exposure.

I found two files here:
C:\Program Files (x86)\arduino-1.8.16\lib\log4j-api-2.12.0.jar
C:\Program Files (x86)\arduino-1.8.16\lib\log4j-core-2.12.0.jar

From what I can see, you need at least version 2.15.0 to be safe against the "Log2Shell" vulnerability,

Can the above files simply and safely be just replaced by their 2.15.0 counterparts?

jremington · December 13, 2021, 4:23pm

What happens if you simply delete those files?

Edit: just tried with Arduino version 1.8.15. The IDE displays a splash screen, then shuts down again.

Edit2: same shutdown if I replace the 2.12.0 versions of those files with 2.15.0 versions from Apache: Apache Download Mirrors

(I'm not a java person).

ptillisch · December 13, 2021, 5:29pm

Hi @RobLatour Please see this page for all the official information:

RobLatour · December 13, 2021, 5:29pm

Thanks,

I actually tried downloading the 2.15.0 versions, changing their filenames to have a version number of 2.12.0 instead of 2.15.0 in their filename, and copying the new files with the tweaked filenames into the C:\Program Files (x86)\arduino-1.8.16\lib folder.

That seems to work. The IDE opened up, and seems to be working ok.

Have no idea what evil this may cause, proceed at your own risk!

jremington · December 13, 2021, 5:33pm

Where did you download the 2.15.0 versions of those files?

RobLatour · December 13, 2021, 5:36pm

from here:
https://logging.apache.org/log4j/2.x/download.html

jremington · December 13, 2021, 5:39pm

I had left the filenames as -2.15.0.jar

Changed that to -2.12.0.jar and it works fine with IDE version 1.8.15.

But the Arduino team says not to worry, as no network ports are opened.

RobLatour · December 15, 2021, 11:26pm

The following seems to indicates 2.15.0 and previously suggested mitigations may not be enough:
https://isc.sans.edu/forums/diary/Log4j+2150+and+previously+suggested+mitigations+may+not+be+enough/28134/

also, I notice version 2.16 is now available:
https://logging.apache.org/log4j/2.x/download.html

ptillisch · December 16, 2021, 5:22am

The new Arduino IDE 1.8.18 release is using log4j version 2.16.0:

gr4mx · December 21, 2021, 1:25pm

2.16 in no longer secure.
Are you working on implementing version 2.17?

ptillisch · December 21, 2021, 2:42pm

The Arduino IDE developer did something even better. They removed the problematic log4j dependency completely:

That is already available in the Arduino IDE 1.8.19 release. You can download it here:

system · July 9, 2022, 3:37am

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.