Log4j2 Vulnerability CVE-2021-44228

Hi there, given the very high risk vulnerability CVE-2021-44228 which has a CVSS score of 10 can the FlightAware team make a statement regarding if this vulnerability is present in their build and any mitigations required.

I am running several unattended stations so it would be good to know. Especially as one of mine went offline on Monday and is no longer reachable after half a year of operation (which of course could be a coincidence). I have tested my local piawares by attacking the main page and /skyaware/, /graphs1090/ with a scan tool from another Pi on my network.

So far no hits and the test tools say negative but I think a developer statement is required/preferred. The tool I am using to scan is GitHub - fullhunt/log4j-scan: A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228. This exercises the attack vector against the web server.

1 Like

PiAware and the PiAware sdcard image are unaffected.

(notably, the piaware sdcard does not even include a JVM)

Beyond the standard image, I can’t speak for additional software you’ve installed.

6 Likes
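An added local check (example code, not PiAware's own and not the log4j-scan tool): the remote scan in the first post only exercises web endpoints, while the reply's point is that the image carries no JVM at all. The script below inventories a host for a java binary on PATH and for archives that still contain JndiLookup.class, following into jars nested inside fat jars; the directory tree it scans is constructed sample data, not a real installation.

```python
# Added example (not FlightAware/PiAware code): inventory a host for a JVM and for
# log4j archives still shipping JndiLookup.class (CVE-2021-44228). File names are constructed.
import io
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def jvm_present():
    """A host with no java binary on PATH cannot load log4j at all."""
    return shutil.which("java") is not None

def jar_has_jndi_lookup(jar_source):
    """True if the archive, or any archive nested in it (fat jars), contains JndiLookup.class."""
    try:
        with zipfile.ZipFile(jar_source) as zf:
            names = zf.namelist()
            if JNDI_CLASS in names:
                return True
            return any(jar_has_jndi_lookup(io.BytesIO(zf.read(n))) for n in names if n.endswith(ARCHIVES))
    except zipfile.BadZipFile:
        return False  # not a zip archive; nothing to inspect

def find_affected_jars(root):
    """Walk root and return every archive that still ships JndiLookup (sorted)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ARCHIVES) and jar_has_jndi_lookup(path):
                hits.append(path)
    return sorted(hits)

def build_constructed_fixture():
    """Constructed tree: one jar with JndiLookup, one without, one fat jar nesting the first."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    bad = os.path.join(root, "log4j-core-sample.jar")
    with zipfile.ZipFile(bad, "w") as zf:
        zf.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(os.path.join(root, "log4j-api-sample.jar"), "w") as zf:
        zf.writestr("org/apache/logging/log4j/Logger.class", b"")
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as zf, open(bad, "rb") as fh:
        zf.writestr("BOOT-INF/lib/log4j-core-sample.jar", fh.read())
    return root

if __name__ == "__main__":
    demo_root = build_constructed_fixture()
    print("JVM on PATH:", jvm_present(), "| affected:", find_affected_jars(demo_root))
```

Point `find_affected_jars` at `/` on a real host to inventory everything installed beyond the standard image; an empty result together with `jvm_present()` returning False matches the reply above.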

Thank you for confirming!