Log4Shell vulnerability fixed?

Hello,

I chose the group that seemed the most appropriate among the choices...

I was just curious if the "Log4Shell" vulnerability announced last week applies to Hubitat, and if so, when a fix is planned. I'm running 2.3.0.119.

Thanks,
Paul

Pre-2.3.0.119 versions make HTTP request as described in the CVE, but do not execute remote code. JRE version installed on the hubs prevents remote code loading.

2.3.0.119 has an updated log4j version that prevents HTTP requests as well.

11 Likes

Thanks. You were asking what was on my mind as well.

1 Like

Thank you!

Can you explain this statement? That's a very interesting statement that has no obvious implementation in any known version of Java. Do you build your own?

Download the Hubitat app