
Inquiry : log4j vulnerability

Open tjpsantiago16 opened this issue 3 years ago • 1 comment

Hi,

I noticed that the project depends on org.apache.log4j, which was recently found to be vulnerable to Remote Code Execution. Also, because of it, the vulnerability might be passed on to other projects that depend on this, such as capicxx-dbus-tools, capicxx-someip-tools, etc.

Is there a way to:

  • remove this dependency completely?
  • update the log4j version to where the vulnerability has been fixed via maven?

Sorry for the noob question. I'm not that knowledgeable in java and maven dependencies.

tjpsantiago16, Jan 13 '22 08:01

Just a note to say that this is a tool that is typically run once and generates C++ code that is then used independently. I don't imagine anyone has set this tool up behind an online server/service interface. As long as it is not set up as an internet server (and with the other components that were involved in exploits, such as LDAP servers), it is not likely to have any risk of remote code execution in the way that the log4j bug has become famous for. I still agree that updating the log4j version is reasonable to do at some time. I leave this in the capable hands of the code maintainers.

gunnarx, Jan 13 '22 10:01
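Both comments above turn on a question neither answers concretely: which log4j artifact and version the build actually resolves. CVE-2021-44228 (Log4Shell) lives in log4j-core 2.x, versions 2.0-beta9 through 2.14.1 (first fixed in 2.15.0, with the recommended floor later raised to 2.17.1); the legacy 1.x line under the `log4j:log4j` coordinate and the `org.apache.log4j` package is not affected by that CVE, although it is end of life and has its own advisories. The script below is an added example, not code from the capicxx-core-tools project or either commenter: it parses `mvn dependency:tree` output (a constructed sample is embedded, with a hypothetical `org.example` root) and reports a verdict per log4j artifact. Once the offending coordinate is known, the usual Maven fix for the second bullet in the question is to pin the patched version in the pom's `dependencyManagement` section (or exclude the transitive artifact), then re-run the tree to confirm the override took effect.

```python
"""Classify log4j artifacts found in `mvn dependency:tree` output.

Added example, not part of the capicxx-core-tools project. The sample tree
below is constructed to cover the cases that matter: a 2.x log4j-core inside
the Log4Shell range, a 2.x log4j-core bumped past it, and a legacy 1.x
artifact (different coordinate, not affected by CVE-2021-44228).
"""
import re

# Assumption: lines carry Maven's usual groupId:artifactId:packaging:version[:scope]
# form, e.g. "[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile".
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:(?P<version>[\w.\-]+)"
)

# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1.
LOG4SHELL_FIRST = "2.0-beta9"
LOG4SHELL_LAST = "2.14.1"
RECOMMENDED_MIN = "2.17.1"   # floor after the follow-up 2.x advisories

# Constructed sample output; the org.example coordinates are hypothetical.
SAMPLE_TREE = """\
[INFO] org.example:codegen:jar:3.2.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] \\- org.example:other-tool:jar:1.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
"""


def version_key(v):
    """Comparable tuple for a log4j version string.

    A pre-release suffix (2.0-beta9, 2.0-rc1) sorts before the final release
    with the same numeric part, so "2.0-beta9" < "2.0" < "2.14.1".
    """
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in main.split("."))
    if pre:
        m = re.match(r"([a-z]+)(\d*)", pre)
        tag, num = m.group(1), int(m.group(2) or 0)
        return (nums, 0, tag, num)
    return (nums, 1, "", 0)


def classify(group, artifact, version):
    """Verdict string for a log4j coordinate, or None if it is not log4j at all."""
    if group == "log4j" and artifact == "log4j":
        # 1.x: org.apache.log4j package, no JNDI lookup feature; EOL, review separately.
        return "log4j 1.x: not affected by CVE-2021-44228 (end of life, review separately)"
    if group == "org.apache.logging.log4j" and artifact == "log4j-core":
        k = version_key(version)
        if version_key(LOG4SHELL_FIRST) <= k <= version_key(LOG4SHELL_LAST):
            return "VULNERABLE to CVE-2021-44228"
        if k < version_key(RECOMMENDED_MIN):
            return "below recommended %s" % RECOMMENDED_MIN
        return "ok"
    if group == "org.apache.logging.log4j":
        # log4j-api, bridges, etc.: the JNDI lookup code is in log4j-core only.
        return "log4j 2.x companion artifact (lookup code is in log4j-core)"
    return None


def scan_tree(tree_text):
    """Return (group, artifact, version, verdict) for every log4j artifact in the tree."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.group("group", "artifact", "version")
        verdict = classify(group, artifact, version)
        if verdict is not None:
            findings.append((group, artifact, version, verdict))
    return findings


if __name__ == "__main__":
    # Real use: mvn dependency:tree > tree.txt; python3 this_script.py < tree.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for group, artifact, version, verdict in scan_tree(text):
        print("%s:%s:%s  ->  %s" % (group, artifact, version, verdict))
```

The point of walking the resolved tree rather than grepping the pom is that a vulnerable log4j-core usually arrives transitively, as with the second `org.example:other-tool` path in the sample, and a `dependencyManagement` pin only helps if it covers that path too.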

Is this problem still occurring?

goncaloalmeida, Sep 08 '23 12:09