I am using CubeMX. There is a significant security vulnerability in Apache Log4j on the net. Does CubeMX have this issue? If yes, do you have any fix solution?

JSun.2

Hello @JSun.2​ ,

First let me thank you for your feedback.

We are certainly aware of this issue, and it has already been raised internally for further investigation. Meanwhile, assuming that the STM32CubeMX tool is using an earlier Log4j release not concerned by this security vulnerability (the Log4j vulnerable versions run from 2.0-beta9 to 2.14.1), the tool can be used safely.

With that being said, I assure you that we've taken this notification seriously to ensure that we are providing our customers with the most secure tools.

I'll keep you posted with any updates.

Khouloud.
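To check the claim in the reply above against an actual installation, here is an added example (not ST's code and not from anyone in this thread) that classifies Log4j jars by filename against the 2.0-beta9 to 2.14.1 range quoted above; the jar names are constructed samples and the install directory passed to `scan_dir` is an assumption.

```python
import re
from pathlib import Path

# Affected range as quoted in the reply above: 2.0-beta9 up to and including 2.14.1.
# Constructed sample jar names, not an inventory of any real tool.
SAMPLE_JARS = [
    "log4j-1.2.17.jar",
    "log4j-core-2.14.1.jar",
    "log4j-core-2.0-beta9.jar",
    "log4j-core-2.0-beta8.jar",
    "log4j-core-2.15.0.jar",
    "slf4j-api-1.7.30.jar",
]

# Matches the 1.x "log4j-<ver>.jar" naming and the 2.x "log4j-core-<ver>.jar" naming.
JAR_RE = re.compile(r"^(log4j(?:-core)?)-(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?\.jar$")

def parse_version(jar_name):
    """Return (major, minor, patch, beta) or None if the name is not a log4j jar."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor = int(m.group(2)), int(m.group(3))
    patch = int(m.group(4)) if m.group(4) else 0
    beta = int(m.group(5)) if m.group(5) else None
    return (major, minor, patch, beta)

def sort_key(v):
    major, minor, patch, beta = v
    # A beta build orders before the final release carrying the same number.
    return (major, minor, patch, 0 if beta is not None else 1, beta or 0)

LOW = sort_key((2, 0, 0, 9))       # 2.0-beta9
HIGH = sort_key((2, 14, 1, None))  # 2.14.1

def classify(jar_name):
    v = parse_version(jar_name)
    if v is None:
        return "other jar"
    if v[0] == 1:
        return "log4j-1.x (EOL since 2015, outside the 2.x range quoted above)"
    if LOW <= sort_key(v) <= HIGH:
        return "log4j-2.x in affected range"
    return "log4j-2.x outside affected range"

def scan(names):
    return {n: classify(n) for n in names}

def scan_dir(root):
    """Walk an install directory (assumed path) and classify every jar by filename."""
    return scan(p.name for p in Path(root).rglob("*.jar"))

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_JARS).items():
        print(f"{name:28s} {verdict}")
```

Filename matching is only a first pass; a jar with a renamed file still carries its version in `META-INF/MANIFEST.MF`, so confirm any hit there.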

Hello Khouloud OTHMAN,

I find what you say interesting. You say the vulnerability started with version 2.0 and since STM32CubeMX uses an earlier version it is not affected by that particular vulnerability.

Looking on the Apache website, I see they say 1.x went end-of-life back in 2015.

https://logging.apache.org/log4j/1.2/roadmap.html says:

Apache log4j 1.2 has been superseded by Apache Log4j 2. Significant changes are unlikely. Bug fixes and maintenance releases are not anticipated.

On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. For complete text of the announcement please see the Apache Blog. Users of Log4j 1 are recommended to upgrade to Apache Log4j 2.

So the version that you continue to use in STM32CubeMX has not had any recent fixes by Apache even if vulnerabilities were discovered.

2015 is a long time ago in computer years.

Regards,

Danish

The Cube tools don't open any web server, so log4j isn't open outside of your computer login profile. No risk is associated with the tools at the moment.

Thanks, @Tomas DRESLER​ .

Meantime, @stephane.legargeant​ posted a detailed report, too, thanks.

https://community.st.com/s/question/0D53W00001Fp7edSAB/stm32cube-tools-and-log4j

JW