Java Security Vulnerability

Report and discuss bugs here!
oldghost
Posts: 1
Joined: Fri Dec 10, 2021 11:59 pm

Java Security Vulnerability

Post by oldghost » Sat Dec 11, 2021 12:05 am

So a quick search of the Yawcam files with Notepad++ shows references to log4j, leading me to believe that Yawcam may be vulnerable to the Java log4j vulnerability. Can anyone confirm this?

https://www.huntress.com/blog/rapid-res ... cting-java


malun
Site Admin
Posts: 1548
Joined: Sun Jan 04, 2004 1:29 pm

Re: Java Security Vulnerability

Post by malun » Sun Dec 12, 2021 2:49 pm

Hello,

The short answer:
Yawcam does not use log4j and is not affected by this security vulnerability.
So as far as I know, Yawcam should still be safe to use.

Some more info:
Some of Yawcam's third-party libraries use a "wrapper" for logging called Apache Commons Logging.
https://commons.apache.org/proper/commons-logging/

This is so that the library can write log messages without knowing which underlying logging library is actually used.
The wrapper can handle multiple logging libraries, where log4j is one of them. This is why you get a hit if you search for the string "log4j".

However, Yawcam does not use log4j as the underlying logging library. In fact, Yawcam doesn't use any logging framework at all. It only uses print statements to output logs to stdout.

/malun
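
A way to check the distinction made in the reply above, as an added example that is not part of the original posts or of Yawcam's code: instead of searching files for the string "log4j", list the class files inside each JAR and tell the Commons Logging adapter apart from an actually bundled log4j library. The entry names are assumed to follow the libraries' standard package layout, and the sample JARs built by `make_jar` are constructed test data.

```python
import io
import sys
import zipfile
from pathlib import Path

# Entry names below are the libraries' standard package paths (assumed layout).
JCL_ADAPTER = "org/apache/commons/logging/impl/Log4JLogger.class"      # wrapper only
LOG4J1_PREFIX = "org/apache/log4j/"                                    # log4j 1.x classes
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x
RANK = ["clean", "adapter-only", "log4j1-present", "log4j2-core-present"]


def classify_jar(data: bytes) -> str:
    """Classify a JAR by the class files it contains, not by strings inside them."""
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "unreadable"
    with jar:
        names = jar.namelist()
        found = ["clean"]
        if JCL_ADAPTER in names:
            found.append("adapter-only")
        if any(n.startswith(LOG4J1_PREFIX) and n.endswith(".class") for n in names):
            found.append("log4j1-present")
        if LOG4J2_JNDI in names:
            found.append("log4j2-core-present")  # bundled: check its version next
        for n in names:  # fat JARs nest their libraries, so recurse into them
            if n.lower().endswith((".jar", ".war")):
                inner = classify_jar(jar.read(n))
                if inner in RANK:
                    found.append(inner)
        return max(found, key=RANK.index)


def scan_tree(root: str) -> dict:
    """Map every .jar file under root to its verdict."""
    jars = sorted(p for p in Path(root).rglob("*.jar") if p.is_file())
    return {str(p): classify_jar(p.read_bytes()) for p in jars}


def make_jar(entries: dict) -> bytes:
    """Build a constructed sample JAR in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for path, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict:22} {path}")
```

A verdict of `adapter-only` corresponds to the situation described in the reply: the wrapper names log4j, but no log4j classes are shipped.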
