Home AMX User Forum Duet/Cafe Duet

log4j usage in modules?

martingmarting Posts: 20
in Duet/Cafe Duet

In light of this recent vulnerability, which seems to be pretty critical, does anyone know if any of the AMX-provided modules use this library?

Comments

  • HARMAN_ChrisHARMAN_Chris Posts: 598

    Martin,
    We are reviewing our repositories to understand what, if any, exposure we have and if remedial actions are needed.

  • HARMAN_ChrisHARMAN_Chris Posts: 598

    Martin - here is the official AMX response:

    A zero-day vulnerability was identified in the Apache Log4j logging software on Friday December 10th 2021 (CVE-2021-44228). A related log4j vulnerability was identified on Tuesday December 14th 2021 (CVE-2021-45046). These vulnerabilities could allow bad actors to take control of organizational networks. AMX has assessed all AMX products and services for usage of the Log4j logging software and has concluded that there is no risk of exposure to the Apache Log4j vulnerabilities described by CVE-2021-44228 or CVE-2021-45046.

  • thomas.judthomas.jud Posts: 42

    Dear Chris,

    While the NX controler starts a message jumps in my eyes..

    Line 9 2021-12-20 (23:58:07):: log4j:WARN No appenders could be found for logger (org.apache.security.juice.provider.JDKDigestSignatureOpenSSL).
    Line 10 2021-12-20 (23:58:07):: Memory Available = 472907776 <364544>
    Line 11 2021-12-20 (23:58:07):: log4j:WARN Please initialize the log4j system properly.

    ....
    what happen with this?

  • HARMAN_ChrisHARMAN_Chris Posts: 598

    Thomas,
    I am unsure of your firmware version, or what is contained in your program. The RMS SDK does leverage log4j, but is a very old version (v1.2.17) and outside of the vulnerability range of 2.0-2.15 that is identified in CVE-2021-44228 or CVE-2021-45046.

  • HARMAN_icraigieHARMAN_icraigie Posts: 660

    @thomas.jud said:
    Dear Chris,

    While the NX controler starts a message jumps in my eyes..

    Line 9 2021-12-20 (23:58:07):: log4j:WARN No appenders could be found for logger (org.apache.security.juice.provider.JDKDigestSignatureOpenSSL).
    Line 10 2021-12-20 (23:58:07):: Memory Available = 472907776 <364544>
    Line 11 2021-12-20 (23:58:07):: log4j:WARN Please initialize the log4j system properly.

    ....
    what happen with this?

    Hi Thomas - what master firmware and Duet modules are running on that system?

  • richardhermanrichardherman Posts: 387

    It's in master firmware 1.6.179 as a minimum. One of our clients emailed me the same thing as posted by @thomas.jud and was asking for more info on the matter. No Duet modules were running

  • HARMAN_ChrisHARMAN_Chris Posts: 598

    I will report the finding back to engineering and seek to have them identify the version in use. If RMS SDK is an indication, it is likely very old and not affected - but we should not assume. We will look to get you an answer.

  • thomas.judthomas.jud Posts: 42

    Its in the Master 1.6.179
    No duet and on rms integration

  • HARMAN_ChrisHARMAN_Chris Posts: 598

    The 1.6x branch of controller firmware leverages an open source SSL provider that included log4j v1.2.9 which is not impacted by the recent vulnerability found in log4j versions 2.0-2.15. The 1.8x branch of firmware does not leverage the same java security provider, and to my knowledge, does not leverage any version of log4j.

Sign In or Register to comment.