Log4j vulnerability in Pi-Aware builds / images?

From Log4Shell: Log4j remote code execution vulnerability | Ubuntu
“A high impact vulnerability was discovered in Apache Log4j 2, a widely deployed software component used by a lot of Java applications to facilitate logging. An attacker who can control the log messages or their parameters can cause the application to execute arbitrary code.”


While I doubt a Raspberry Pi running PiAware on a slow network is sufficiently low-hanging fruit for very many to be used to compromise one’s network, it seems that Apache Log4j is nearly ubiquitous in most Linux-based systems that utilize LAN or WAN accessible services.

Because it is used in “nearly everything” that provides some kind of web interface, it’s probably a good idea to check one’s PiAware to look for any unpatched uses of the Log4j library, especially if you are running other Internet-of-Things-type applications on the same platform.

I don’t know if log4j is being used in a PiAware build - it might not be, or it could possibly be baked into the very heart of how the PiAware screen and SkyAware Anywhere are able to interact with users.

Most sysadmins have been scrambling and probably have their bigger servers already patched because it was such a huge event, but there are likely millions of devices on assorted home networks all over the world that bad actors might be able to quietly exploit for months before the legitimate users even notice.

Just a heads-up. It might not even be an issue with a PiAware, but since it has a derivative of Debian at its core, certainly there are applications run on some Raspberry Pis that definitely need to be patched.

From FA Staff:

PiAware and the PiAware sdcard image are unaffected.

(notably, the piaware sdcard does not even include a JVM)

Beyond the standard image, I can’t speak for additional software you’ve installed.

3 Likes
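One way to carry out the check the first post suggests, on a PiAware or on any other small Linux box that does run Java software. This is an added example written for this thread, not PiAware, FlightAware or Apache code: it walks a directory tree, opens every `.jar`/`.war`/`.ear` it finds (one level into nested jars as well), and classifies each Log4j 2 `log4j-core` archive by whether `JndiLookup.class` is still present and by the version recorded in the jar's Maven metadata, manifest or file name. The version thresholds are the ones from the Apache advisories for CVE-2021-44228 and CVE-2021-45046 (2.16.0 on the main line, the 2.12.2 and 2.3.1 backports); the sample tree built by `build_demo_tree` is constructed and its class files are empty placeholders. Log4j 1.x jars are skipped because they have a different package layout and are not affected by Log4Shell.

```python
"""Find Log4j 2 'log4j-core' jars under a directory and classify each one.

Added example for this thread (not PiAware, FlightAware or Apache code).
Version thresholds follow the Apache advisories for CVE-2021-44228 and
CVE-2021-45046; the demo jars built at the bottom are constructed archives.
"""
import io
import os
import re
import tempfile
import zipfile

CORE_PREFIX = "org/apache/logging/log4j/core/"          # only Log4j 2 has this
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"    # the Log4Shell lookup
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if no version."""
    m = VERSION_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def is_fixed(v):
    """Releases that close the JNDI message-lookup vector: 2.16.0+ on the
    main line, 2.12.2+ (Java 7 branch) and 2.3.1+ (Java 6 branch) backports."""
    return (v >= (2, 16, 0)
            or (v[:2] == (2, 12) and v[2] >= 2)
            or (v[:2] == (2, 3) and v[2] >= 1))


def classify(zf, label):
    """Finding dict for a log4j-core archive, or None if it is not one."""
    names = set(zf.namelist())
    if not any(n.startswith(CORE_PREFIX) for n in names):
        return None            # Log4j 1.x (org/apache/log4j/) or unrelated jar
    version = None
    if POM_PROPS in names:     # Maven metadata usually survives shading
        m = re.search(r"^version=(\S+)", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        version = parse_version(m.group(1)) if m else None
    if version is None and "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        version = parse_version(m.group(1)) if m else None
    if version is None:        # last resort: the file name, log4j-core-2.14.1.jar
        version = parse_version(os.path.basename(label))
    if JNDI_CLASS not in names:
        status = "jndilookup-removed"   # the documented manual mitigation
    elif version is None:
        status = "unknown-version"
    elif is_fixed(version):
        status = "fixed"
    else:
        status = "vulnerable"
    return {"path": label, "version": version, "status": status}


def scan_archive(label, source, depth=0):
    """Classify one archive and, one level deep, any jars nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return findings
    with zf:
        found = classify(zf, label)
        if found:
            findings.append(found)
        if depth < 1:
            for n in zf.namelist():
                if n.lower().endswith(ARCHIVE_EXT):
                    inner = io.BytesIO(zf.read(n))
                    findings.extend(scan_archive(f"{label}!{n}", inner, depth + 1))
    return findings


def scan_tree(root):
    """Walk `root` and return findings with paths relative to it, sorted."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                findings.extend(scan_archive(os.path.relpath(full, root), full))
    return sorted(findings, key=lambda r: r["path"])


def _make_jar(path, entries):
    """Write a constructed zip archive with the given name -> bytes entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_demo_tree(root):
    """Constructed sample layout; every .class entry is an empty placeholder."""
    core = {CORE_PREFIX + "Core.class": b""}
    _make_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"),
              {**core, JNDI_CLASS: b"", POM_PROPS: b"version=2.14.1\n"})
    _make_jar(os.path.join(root, "lib", "log4j-core-2.17.1.jar"),
              {**core, JNDI_CLASS: b"", POM_PROPS: b"version=2.17.1\n"})
    _make_jar(os.path.join(root, "lib", "patched.jar"),        # JndiLookup stripped
              {**core, "META-INF/MANIFEST.MF": b"Implementation-Version: 2.11.0\r\n"})
    _make_jar(os.path.join(root, "lib", "log4j-1.2.17.jar"),   # Log4j 1.x, skipped
              {"org/apache/log4j/Logger.class": b""})
    inner = io.BytesIO()                                       # jar nested in a war
    with zipfile.ZipFile(inner, "w") as zf:
        for name, data in {**core, JNDI_CLASS: b""}.items():
            zf.writestr(name, data)
    _make_jar(os.path.join(root, "webapps", "app.war"),
              {"WEB-INF/lib/log4j-core-2.12.1.jar": inner.getvalue()})


def demo():
    """Build the constructed tree in a temp dir and return {path: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return {r["path"]: r["status"] for r in scan_tree(root)}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:20s} {path}")
```

To run it against a real machine, call `scan_tree("/")` (or the application directories you care about) instead of `demo()`; a `jndilookup-removed` result means the class was stripped out of an otherwise old jar, which was the Apache-documented mitigation where upgrading was not possible, and `unknown-version` results deserve a manual look.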

A quick search would have found the answer posted a while ago.

1 Like

I run my piawares remote, so I have remote SSH access to them in case I want to do some direct admin beyond what is available via the FlightAware web pages. I detect (and report) multiple attempts to hijack them every month via SSH brute force and other methods. Most are going after default and common usernames and passwords. I use a firewall to limit the attack surface and fail2ban to prevent multiple attacks from the same source, as basic precautions are needed on any IoT device. Any Linux computer is low hanging enough to be taken over, and IoT devices are particularly attractive for launching DDoS attacks (for example in 2016 DynDNS was targeted by a DDoS attack possibly originated from hacked cameras and recently a French ISP suffered the same fate). An RPi has plenty of horsepower to take part in a botnet and 30K piawares would be significant. Fortunately log4j is not used in piaware according to the admin’s response. I also ran my own tests against the served pages locally and was not able to detect the log4j vulnerability. I work in IT and we have been mitigating and patching against multiple log4j defects since the vulnerability was found.

3 Likes
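The rule fail2ban's sshd jail applies is simple enough to show on a handful of log lines: a source that reaches `maxretry` failed logins within any `findtime`-second window gets banned. This is an added example written for this thread, not fail2ban's or PiAware's code: it parses sshd `Failed password` lines in the syslog format found in `/var/log/auth.log`, keeps a sliding window of failure times per source address, and reports the addresses that cross the threshold together with the usernames they tried. The log lines in `SAMPLE_LOG` are constructed, the host name `piaware` and the process ids are made up, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Flag SSH brute-force sources in sshd auth.log lines, fail2ban style.

Added example for this thread (not fail2ban's code, not PiAware's): the
maxretry-within-findtime rule of fail2ban's sshd jail, reimplemented so its
effect on a few constructed log lines is visible.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure lines in syslog format; that format carries no year, so a
# caller-supplied (constructed) year is used when parsing the timestamp.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: a fast brute-forcer, one legitimate typo, and a slow
# guesser spaced 7.5 minutes apart (which a 600-second findtime will not catch).
SAMPLE_LOG = """\
Dec  9 03:14:15 piaware sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec  9 03:14:19 piaware sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec  9 03:14:40 piaware sshd[1203]: Invalid user admin from 203.0.113.7 port 51130
Dec  9 03:14:42 piaware sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Dec  9 03:15:01 piaware sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 51140 ssh2
Dec  9 03:15:30 piaware sshd[1206]: Failed password for invalid user pi from 203.0.113.7 port 51144 ssh2
Dec  9 03:15:33 piaware sshd[1206]: Failed password for invalid user pi from 203.0.113.7 port 51144 ssh2
Dec  9 03:20:00 piaware sshd[1210]: Failed password for pi from 192.0.2.5 port 60000 ssh2
Dec  9 03:20:05 piaware sshd[1210]: Accepted publickey for pi from 192.0.2.5 port 60000 ssh2
Dec  9 04:00:00 piaware sshd[1300]: Failed password for root from 198.51.100.9 port 40000 ssh2
Dec  9 04:07:30 piaware sshd[1301]: Failed password for root from 198.51.100.9 port 40001 ssh2
Dec  9 04:15:00 piaware sshd[1302]: Failed password for root from 198.51.100.9 port 40002 ssh2
Dec  9 04:22:30 piaware sshd[1303]: Failed password for root from 198.51.100.9 port 40003 ssh2
Dec  9 04:30:00 piaware sshd[1304]: Failed password for root from 198.51.100.9 port 40004 ssh2
"""


def parse_failures(lines, year=2021):
    """Yield (timestamp, source ip, username) for each failed-password line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def find_bruteforcers(lines, maxretry=5, findtime=600, year=2021):
    """Return {ip: {"at": iso time of the maxretry-th failure, "users": [...]}}
    for every source that logs `maxretry` failures inside a `findtime`-second
    window. Defaults match fail2ban's stock sshd jail (5 tries in 10 minutes)."""
    windows = defaultdict(deque)   # ip -> failure times still inside the window
    users = defaultdict(set)       # ip -> usernames it tried
    flagged = {}
    for ts, ip, user in parse_failures(lines, year):
        users[ip].add(user)
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop failures that aged out
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = {"at": ts.isoformat(), "users": sorted(users[ip])}
    return flagged


def demo(**settings):
    """Run the rule over the constructed sample log with the given settings."""
    return find_bruteforcers(SAMPLE_LOG.splitlines(), **settings)


if __name__ == "__main__":
    for ip, info in demo().items():
        print(f"ban {ip}: {len(info['users'])} usernames tried, threshold hit at {info['at']}")
```

With the defaults only `203.0.113.7` is flagged, at its fifth failure; widening `findtime` to an hour (`demo(findtime=3600)`) also catches the slow guesser at `198.51.100.9`, which is the trade-off the `findtime`/`maxretry` knobs in `jail.local` control. Note that the `Invalid user` line is deliberately not counted, since sshd also logs a `Failed password for invalid user` line for the same attempt.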

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.