Log4j vulnerability - does it affect emoncms installs?

Hi Openenergy folks,

I’ve been away from this project for a while but my systems are slaving away monitoring energy in various locations.

I’m not a Linux whiz at all. I tried following a few guides to find out if my emoncms servers are vulnerable and did not detect a Log4j installation, but it’s very possible that I don’t know what I’m doing and it is in fact there.

Does anyone with more knowledge know if the Log4j vulnerability affects emoncms installs as provided on bare Raspberry Pi hardware exposed to the internet? If so, what versions might be in range (or how can I check myself)?

Thanks in advance,

Jeff

@TrystanLea is the one to give a definitive answer to this, but as far as I’m aware, Java is not used in emonCMS, which is principally - if not exclusively - written in PHP.

N.B. Java and JavaScript are NOT the same thing, see https://www.thesoftwareguild.com/faq/difference-between-java-and-javascript/ .

I think unless you have installed Java on your RPi for another reason, you won’t have it. There’s no Java runtime that I can find.

This might help:

Thanks Robert. The search tools in the InfoWorld article are a bit complex. The install process for Syft is already generating more questions than answers for me!

It would appear to be fine. EmonCMS does not use Java and doesn’t even mention log4j.

Just for extra peace-of-mind, there are no log4j components in the Docker image either:

$ docker run --entrypoint=find openenergymonitor/emoncms / -iname "*log4j*" | wc -l
0
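The same check, broadened to a full filesystem tree on a Pi rather than just the Docker image, as an added example that is not part of the post above: it counts files named like log4j and additionally looks inside any .jar/.war/.ear archive for the JndiLookup class that CVE-2021-44228 abuses, so a copy of log4j bundled under another application's jar name is not missed. The root directory argument and the two function names are this example's own.

```shell
#!/bin/sh
# Added example: look for Log4j artefacts below a directory tree.
# Check 1: file names containing "log4j" (what the docker find did).
# Check 2: Java archives that bundle
#   org/apache/logging/log4j/core/lookup/JndiLookup.class
# which catches log4j shaded into some other application's jar.
# Archive inspection needs unzip and is skipped if it is absent.

# scan_log4j <dir>: prints each hit to stderr, prints the total count
scan_log4j() {
    root="$1"
    # Check 1: names mentioning log4j
    find "$root" -type f -iname '*log4j*' -print 2>/dev/null | sed 's/^/name match: /' >&2
    name_hits=$(find "$root" -type f -iname '*log4j*' -print 2>/dev/null | wc -l)
    # Check 2: archives containing JndiLookup.class
    archive_hits=0
    if command -v unzip >/dev/null 2>&1; then
        archive_hits=$(find "$root" -type f \( -iname '*.jar' -o -iname '*.war' -o -iname '*.ear' \) -print 2>/dev/null \
            | while IFS= read -r a; do
                if unzip -l "$a" 2>/dev/null | grep -q 'log4j/core/lookup/JndiLookup.class'; then
                    echo "JndiLookup.class inside: $a" >&2
                    echo "$a"
                fi
              done | wc -l)
    fi
    echo $((name_hits + archive_hits))
}

# java_present: prints "yes" if a java binary is on PATH, else "no".
# No Java runtime means nothing on the box can load log4j at all.
java_present() {
    if command -v java >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Stand-alone use: sudo sh scan.sh /   (slow on a Pi; SD card reads)
if [ -n "${1:-}" ]; then
    echo "java runtime on PATH: $(java_present)"
    echo "log4j artefacts found: $(scan_log4j "$1")"
fi
```

A count of 0 with no Java runtime is the reassuring result; any hit should be traced to the package or application that installed it before deciding whether it is reachable from the network.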

Thanks David. Whew!

I did find log4j in OpenHAB which was on one of my Pis (don’t remember if I installed it or if it came on an EMONCMS bundle; in any case I’m not using it). I unplugged that Pi until they patch it in the next release.

NodeRed community reports no exposure to the vulnerability.

1 Like

Yes, as far as I’m aware we don’t have exposure to this vulnerability. As @MyForest mentioned, we don’t use Java, and as far as I can tell none of the other components installed on the emonSD image or emoncms.org use log4j.

This log4j vulnerability scanner (GitHub - fullhunt/log4j-scan: A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228) doesn’t suggest that any of the OpenEnergyMonitor sites are vulnerable. There’s no detected vulnerability on emonPis using dataplicity for remote access either.

1 Like