If you’re using a version of the Arduino IDE older than 1.18.18, it’s time to go update via https://www.arduino.cc/en/software. The versions before that have a vulnerable version of the Log4J library that’s being actively used to attack systems on the Internet. The Arduino IDE could be attacked via vectors like libraries and support packages.
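As an added example (not code from the thread, from Arduino or from Apache), here is a small inventory script of the kind a defender would run after a post like the one above: it compares an installed Arduino IDE version against the 1.18.18 threshold stated in the post, and walks a directory tree for bundled log4j JARs, reading each JAR's manifest version and checking whether the JNDI lookup class is still present. It uses only the Python standard library; the directory layout and the two JARs it scans are constructed in a temporary folder so it runs offline, and the version strings inside them are made up for the demonstration.

```python
"""Inventory Log4j JARs on disk and flag an out-of-date Arduino IDE.

Added example for this thread, not code from Arduino or Apache. Assumes only
the Python standard library. The sample JARs are constructed in a temporary
directory so the script runs offline.
"""
import os
import re
import tempfile
import zipfile

# From the post above: Arduino IDE releases before 1.18.18 bundle the vulnerable Log4j.
ARDUINO_FIXED_VERSION = "1.18.18"

# Class whose presence marks a Log4j 2 core JAR that still carries the JNDI lookup
# (deleting this class was a widely published mitigation for the Log4j 2 issue).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '1.18.15' into (1, 18, 15) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def ide_needs_update(installed, fixed=ARDUINO_FIXED_VERSION):
    """True when the installed IDE version is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def inspect_jar(path):
    """Return (version, has_jndi_lookup) for one JAR, reading its manifest."""
    version = None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                version = m.group(1)
    if version is None:  # fall back to the version embedded in the file name
        m = re.search(r"log4j-[a-z]+-(\d+(?:\.\d+)*)\.jar$", os.path.basename(path))
        if m:
            version = m.group(1)
    return version, has_jndi


def find_log4j_jars(root):
    """Walk root and report every log4j*.jar as (path, version, has_jndi_lookup)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith("log4j") and lower.endswith(".jar"):
                path = os.path.join(dirpath, name)
                try:
                    version, has_jndi = inspect_jar(path)
                except zipfile.BadZipFile:
                    version, has_jndi = None, False  # not a real JAR; report as unknown
                hits.append((path, version, has_jndi))
    return hits


def make_sample_tree():
    """Build a constructed directory with two fake JARs; returns the root path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    libdir = os.path.join(root, "arduino", "lib")
    os.makedirs(libdir)
    manifest = "Manifest-Version: 1.0\nImplementation-Version: 2.0.0\n"
    # Constructed core JAR: manifest version plus the JndiLookup class still present.
    with zipfile.ZipFile(os.path.join(libdir, "log4j-core-2.0.0.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(JNDI_LOOKUP_CLASS, b"")
    # Constructed API JAR: same version string, no JNDI lookup class.
    with zipfile.ZipFile(os.path.join(libdir, "log4j-api-2.0.0.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
    return root


if __name__ == "__main__":
    print("IDE 1.18.15 needs update:", ide_needs_update("1.18.15"))
    for path, version, jndi in find_log4j_jars(make_sample_tree()):
        print(f"{path}: version={version} jndi_lookup_present={jndi}")
```

Point `find_log4j_jars` at the IDE's install directory (or a whole drive) to get a list of every log4j JAR with its version and whether the JNDI lookup class is still inside; the manifest is read first because file names are often renamed or shaded, and the numeric tuple comparison avoids the classic mistake of comparing "1.18.9" and "1.18.18" as strings.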
I am sure my Windows Defender installation would block all attacks :0
Anyhow, what a major f-up. It has left a looooot of my customers scrambling to patch software (especially Internet facing ones) days before they are due to break for Christmas.
This does not do the ‘open source’ world any favours though as it breaks confidence. Conversely, if I build a commercial app that includes open-source and don’t do any security or pen testing, then I am equally to blame.
Yeah, we’re dealing with it big time at my employer. I just noticed this when scanning my system looking for Java-based tools, so I saw the update on the Arduino site.
I knew about the problem but didn’t realise the Arduino IDE uses Log4j.
I don’t have much Java-based software so it hasn’t really affected me much.
In fairness, I’d say this reflects more on Apache than open source in general. It’s a decently large (1000 members) nonprofit organisation, and the library has been in use for 20 years, so they really ought to have known better.
That said, sometimes people do try to use open source software in situations that the software isn’t designed for, including using software that wasn’t designed to be secure in situations that require good security. If the maintainers don’t claim that the software is secure then it’s probably not wise to presume that it is secure, even if it’s very popular and widely used.
Also, bear in mind that open source licences waive all warranty and fitness for purpose as standard. If a company needs the developers of their third party software to be held accountable, they probably ought to negotiate the purchase of a warranty for the software.
(Again, not really relevant in this case because of the circumstances, but something to bear in mind.)
Absolutely … it’s free for a reason.
Yikes! Thanks for the heads-up here, I was running 1.18.15 until now, I hadn’t heard about this beforehand.