Log4j


Log4j is a widely used Java logging module maintained by Apache and used to implement logging functionality in many Java projects. The widely reported security vulnerabilities allow external attackers to inject malicious code into Log4j's processing stream in such a way that Log4j will execute that code on the device.

The following is a list of Bird products that can be accessed via the internet or that could run on a device that could be accessed from the internet. For each product there is a short statement summarizing our findings for that specific product.

  • SBIII
    • Runs a custom uClinux build that does not include any Java or a JRE (cannot run Java locally).
    • Serves a Java applet via the web page.
      • The Bird Java code installed on the product does not include the Log4j component.
    • The field firmware update script includes a Java utility. This utility does not include the Log4j component.
  • ACMi & BPME
    • Runs a proprietary OS from Lantronix that does not include any JRE (cannot run Java locally).
    • Serves a Java applet via the web page.
      • The Bird Java code installed on the product does not include the Log4j component.
    • Bird provides a desktop Java application as an alternate UI option based on the same Java code base as the web Java applet.
      • The Bird Java code in the desktop UI does not include the Log4j component.

The following software applications run on a customer's Windows PCs and are written in C#, not Java, and therefore do not use Log4j.

  • VPM3
  • RF Meter App

The following products run a custom Linux build with no JRE (cannot run Java locally), are written in C/C++/C#, and serve a web page written with HTML and JavaScript (not Java).

  • SB2+
  • BDS2  
  • 4421A
  • 4042E  
  • 4043E