From: Kasemir, K. <kas...@or...> - 2022-02-23 14:37:40
> I would like to inquire whether the software "Control System Studio" and "CSS-Epics" are affected by the Log4j vulnerability known since December 2021.

In my understanding, the attack surface is also very different. The main concern about the Log4j, specifically Log4j2, vulnerability, I think, is when it's used within a web application. A bad actor might then be able to basically send code which gets erroneously executed by the logger, because Log4j allows you to say: To format a log message, run this code. That is obviously very bad since it allows anybody on the internet to run code on your computer under, for example, the "apache" or "web server" user ID.

CSS is for the most part a desktop application. When you run CSS, you are already sitting in front of that computer, you have logged in, you have physical access to mouse and keyboard. You can already do whatever your user ID is permitted to do. Log4j2 won't open any additional doors in that case.

-Kay
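For a site that still wants to confirm which log4j-core build its CSS installation actually ships, the following inventory check is an added example, not code from the thread or from the CSS project. It scans a directory (the install root or plugins folder path is the caller's assumption) for log4j-core jars, compares each version against the releases that removed the message-lookup JNDI path, and, for older builds, checks whether `JndiLookup.class` was deleted from the jar as the documented interim mitigation.

```python
import re
import zipfile
from pathlib import Path

# log4j-core 2.x releases that removed the message-lookup JNDI path (CVE-2021-44228/-45046):
# 2.16.0 on the main line, 2.12.2 on the Java 7 line, 2.3.1 on the Java 6 line.
FIXED = {"main": (2, 16, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)}
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(jar_name):
    """Version tuple from a log4j-core jar file name, or None if it is not log4j-core."""
    m = JAR_RE.search(jar_name)
    return tuple(int(g) for g in m.groups()) if m else None


def version_has_jndi_fix(v):
    """True when a log4j-core version already contains the JNDI-lookup fix for its release line."""
    if v[0] != 2:
        return v[0] > 2  # 1.x predates the lookup feature; 3.x postdates the fix
    line = "2.12" if v[:2] == (2, 12) else "2.3" if v[:2] == (2, 3) else "main"
    return v >= FIXED[line]


def assess_jar(jar_path):
    """Classify one jar: 'not-log4j-core', 'fixed', 'mitigated' (JndiLookup.class removed) or 'at-risk'."""
    v = parse_version(Path(jar_path).name)
    if v is None:
        return "not-log4j-core"
    if version_has_jndi_fix(v):
        return "fixed"
    with zipfile.ZipFile(jar_path) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    return "at-risk" if has_jndi else "mitigated"


def scan_install(root):
    """Walk an install directory (assumed: CSS root or its plugins/ folder) and report every log4j-core jar."""
    return {str(p): assess_jar(p) for p in Path(root).rglob("*.jar") if parse_version(p.name)}


if __name__ == "__main__":
    import sys
    for path, verdict in scan_install(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict:14} {path}")
```

The jar check cannot see the `log4j2.formatMsgNoLookups` property or a `%m{nolookups}` pattern applied at runtime, so an "at-risk" verdict means "unpatched binary", not proof that lookups are reachable.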