Log4j vulnerability - does it affect emoncms installs?

Hi Openenergy folks,

I’ve been away from this project for awhile but my systems are slaving away monitoring energy in various locations.

I’m not a linux whiz at all. I tried following a few guides to find out if my emoncms servers are vulnerable and did not detect a Log4j installaion, but it’s very possible that I don’t know what I’m doing and it is in fact there.

Does anyone with more knowledge know if the Log4j vulnerability affects emoncms installs as provided on bare Raspberry Pi hardware exposed to the internet? If so, what versions might be in range (or how can I check myself)?

Thanks in advance,


@TrystanLea is the one to give a definitive answer to this, but as far as I’m aware, Java is not used in emonCMS, which is principally - if not exclusively - written in PHP.

N.B. Java and JavaScript are NOT the same thing, see What is the Difference Between Java and JavaScript? | Software Guild .

I think unless you have installed Java on your RPi for another reason, you won’t have it. There’s no Java runtime that I can find.

This might help:

Thanks Robert. The search tools in the InfoWorld article are a bit complex. The install process for Syft is already generating more questions than answers for me!

It would appear to be fine. EmonCMS does not use Java and doesn’t even mention log4j.

Just for extra peace-of-mind, there are no log4j components in the Docker image either:

$ docker run --entrypoint=find openenergymonitor/emoncms / -iname "*log4j*" | wc -l

Thanks David. Whew!

I did find log4j in OpenHAB which was on one of my Pi’s (don’t remember if I installed it or if it came on an EMONCMS bundle. In any case I’m not using it). I unplugged that Pi until they patch it in the next release.

NodeRed community reports no exposure to the vulnerability.

1 Like

Yes as far as I’m aware we don’t have exposure to this vulnerability, as @MyForest mentioned, we dont use java and as far as I can tell none of the other components installed on the emonSD image or emoncms.org use log4j.

This log4j vulnerability scanner GitHub - fullhunt/log4j-scan: A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228 doesnt suggest that any of the OpenEnergyMonitor sites are vulnerable. There’s no detected vulnerability on emonPi’s using dataplicity for remote access either.

1 Like