Log4j is a widely used Java logging module maintained by Apache and used to implement logging functionality in many Java projects. The widely reported security vulnerabilities allow external attackers to inject malicious code into log4j’s processing stream in such a way that log4j will execute that code on the device.
The following is a list of Bird products that can be accessed via the internet or that could run on a device that could be accessed from the internet. For each product there is a short statement summarizing our findings for that specific product.
- SBIII
  - Runs a custom uClinux build that does not include any Java or a JRE (cannot run Java locally).
  - Serves a Java applet via the web page.
  - The Bird Java code installed on the product does not include the log4j component.
  - The field firmware update script includes a Java utility. This utility does not include the log4j component.
- ACMi & BPME
  - Runs a proprietary OS from Lantronix that does not include any JRE (cannot run Java locally).
  - Serves a Java applet via the web page.
  - The Bird Java code installed on the product does not include the log4j component.
  - Bird provides a desktop Java application as an alternate UI option based on the same Java code base as the web Java applet.
  - The Bird Java code in the desktop UI does not include the log4j component.
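
One way to check a "does not include the log4j component" finding against a Java archive or an unpacked firmware tree, as an added example that is not Bird's code or tooling: it looks for the `JndiLookup.class` entry that log4j-core 2.x ships, including inside nested jars. It covers log4j-core 2.x only, and the function names and sample jar contents are assumptions made for this illustration.

```python
import io
import os
import zipfile

MARKER = "JndiLookup.class"  # class in log4j-core 2.x; basename match also catches relocated copies
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5  # bound recursion into nested archives

def scan_archive(data, label, depth=0):
    """Return [(location, version)] for each log4j-core copy found in the archive bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # unreadable archive: nothing to report
    found = []
    with zf:
        names = zf.namelist()
        if any(n.rsplit("/", 1)[-1] == MARKER for n in names):
            version = "unknown"
            if POM in names:  # Maven metadata carries the version when the jar was not repackaged
                text = zf.read(POM).decode("utf-8", "replace")
                props = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
                version = props.get("version", "unknown").strip()
            found.append((label, version))
        if depth < MAX_DEPTH:
            for n in names:
                if n.lower().endswith(ARCHIVES):  # nested jar, e.g. inside a fat jar or war
                    found += scan_archive(zf.read(n), label + "!/" + n, depth + 1)
    return found

def scan_tree(root):
    """Scan every Java archive under a directory (for example an unpacked firmware image)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in (f for f in files if f.lower().endswith(ARCHIVES)):
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                found += scan_archive(fh.read(), path)
    return found

def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}; sample input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

An empty result from `scan_tree` on the directory holding the applet or desktop UI jars is consistent with the findings above; a hit reports the archive path, with `!/` separating nested jars, and the bundled version when the Maven metadata is present.
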
The following software applications run on a customer’s Windows PC and are written in C#, not Java, and therefore do not use log4j.
- VPM3
- RF Meter App
The following products run a custom Linux build with no JRE (cannot run Java locally), are written in C/C++/C#, and serve a web page written with HTML and JavaScript (not Java).
- SB2+
- BDS2
- 4421A
- 4042E
- 4043E