
Java Security Vulnerability

Posted: Sat Dec 11, 2021 12:05 am
by oldghost
So a quick search of the Yawcam files with Notepad++ shows references to log4j, leading me to believe that Yawcam may be vulnerable to the Java log4j vulnerability. Can anyone confirm this?

https://www.huntress.com/blog/rapid-res ... cting-java

Re: Java Security Vulnerability

Posted: Sun Dec 12, 2021 2:49 pm
by malun
Hello,

The short answer:
Yawcam does not use log4j and is not affected by this security vulnerability.
So as far as I know, Yawcam should still be safe to use.

Some more info:
Some of Yawcam's third-party libraries use a "wrapper" for logging called: Apache Commons Logging.
https://commons.apache.org/proper/commons-logging/

This is so that the library can write log messages without knowing which underlying logging library is actually used.
The wrapper can handle multiple logging libraries, where log4j is one of them. This is why you get a hit if you search for the string "log4j".

However, Yawcam does not use log4j as the underlying logging library. In fact, Yawcam doesn't use any logging framework at all. It only uses print statements to output logs to stdout.

/malun
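
The distinction drawn in the reply above, between a JAR that merely names log4j and one that actually bundles it, can be checked by looking inside the archives instead of searching for the string. The following is an added example, not part of the original posts and not Yawcam code. It assumes that the presence of log4j 2's `JndiLookup.class` entry is a sufficient marker for a bundled log4j core library; the sample JARs are constructed in memory.

```python
import io
import zipfile

# Entry that marks a bundled log4j 2 core library (its JNDI lookup class).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
RANK = {"no match": 0, "name reference only": 1, "log4j-core present": 2}

def classify_jar(data: bytes, depth: int = 0) -> str:
    """Classify one JAR given as bytes; recurses into nested JAR/WAR entries."""
    verdict = "no match"
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return verdict  # not an archive, nothing to inspect
    with jar:
        for name in jar.namelist():
            if name == JNDI_LOOKUP or name.endswith("/" + JNDI_LOOKUP):
                return "log4j-core present"
            body = jar.read(name)
            if name.lower().endswith((".jar", ".war")) and depth < 3:
                found = classify_jar(body, depth + 1)
            elif b"log4j" in body.lower() or "log4j" in name.lower():
                found = "name reference only"  # what a plain text search hits
            else:
                found = "no match"
            if found == "log4j-core present":
                return found
            verdict = max(verdict, found, key=RANK.get)
    return verdict

def make_jar(entries: dict) -> bytes:
    """Build a small in-memory JAR from {entry name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a wrapper-style JAR that only names log4j, and a JAR that ships it.
WRAPPER = make_jar({"org/apache/commons/logging/impl/Log4JLogger.class":
                    b"\xca\xfe\xba\xbe org/apache/log4j/Logger"})
CORE = make_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
FAT = make_jar({"lib/bundled.jar": CORE, "app/Main.class": b"\xca\xfe\xba\xbe"})
PLAIN = make_jar({"app/Main.class": b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    for label, jar in [("wrapper", WRAPPER), ("core", CORE), ("fat", FAT), ("plain", PLAIN)]:
        print(label, "->", classify_jar(jar))
```

To check real files, pass the bytes of each JAR in the application's install directory to `classify_jar`; a "name reference only" result corresponds to the kind of hit a text editor search produces.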