stephane.legargeant
ST Employee
December 16, 2021
Solved

STM32Cube tools and log4j


The impact of log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 for STM32Cube tools has been assessed by the development team, and the tools can be used without risk.

  • STM32CubeMX,
  • STM32CubeIDE,
  • ST-MCU-FINDER-PC 
    • The log4j version used is not impacted by CVE-2021-44228
    • No risk of remote code execution using CVE-2021-44228

  • STM32CubeMonitor-RF,
  • STM32CubeMonitor-UCPD,
  • STM32CubeMonitor-PWR
    • The log4j version is impacted by the CVE-2021-44228 (log4j version 2.8.1)
    • There is no internet and no remote access for these tools, so an attacker would have to be logged on to the computer and would need access to the tool GUI to inject data into log4j.
    • No risk of remote code execution using CVE-2021-44228

  • STM32CubeProgrammer,
  • STM32CubeMonitor:
    • log4j is not used for these tools
    • No risk of remote code execution using CVE-2021-44228

This topic has been closed for replies.
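
One way to check which log4j-core version a local tool installation bundles, as an added example that is not from ST or the original post: it scans a directory for log4j-core jars, reads the version from the jar's Maven metadata or file name, and notes whether `JndiLookup.class` is still present. The function names are hypothetical, the affected ranges for CVE-2021-44228 are taken from the Apache Log4j security page as an assumption, and CVE-2021-45046 is not assessed.

```python
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption: CVE-2021-44228 affected ranges from the Apache Log4j security
# page, as half-open [low, high) tuples. 2.0 pre-releases count as 2.0.0.
AFFECTED = [((2, 0, 0), (2, 3, 1)), ((2, 4, 0), (2, 12, 2)), ((2, 13, 0), (2, 15, 0))]

def parse_version(text):
    """'2.8.1' -> (2, 8, 1); a suffix such as '-beta9' is ignored."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def inspect_jar(path):
    """Return (version, has_jndi_lookup) for a log4j-core 2.x jar, else None."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    found = (re.search(r"^version=(\d\S*)", props, re.MULTILINE)
             or re.search(r"log4j-core-(\d+(?:\.\d+)*)", Path(path).name))
    if not found and JNDI_CLASS not in names:
        return None  # not a log4j-core jar
    return (found.group(1) if found else None), JNDI_CLASS in names

def scan(root):
    """Map each log4j-core jar under root to (version, status)."""
    report = {}
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            info = inspect_jar(path)
        except (zipfile.BadZipFile, OSError):
            continue  # unreadable archive: skip it
        if info is None:
            continue
        version, has_jndi = info
        # An unknown version that still ships JndiLookup is treated as in range.
        in_range = version is None or any(
            lo <= parse_version(version) < hi for lo, hi in AFFECTED)
        status = ("not-affected" if not in_range
                  else "affected-version" if has_jndi else "class-removed")
        report[path.relative_to(root).as_posix()] = (version, status)
    return report

if __name__ == "__main__":
    for jar, (version, status) in scan(sys.argv[1]).items():
        print(f"{status:16} {version or '?':10} {jar}")
```

Jars nested inside other archives are not opened, and log4j 1.x jars are not reported.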

1 reply

Richard.Chvr
Best answer
ST Technical Moderator
March 31, 2022

Thank you for this assessment

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.