Log4Shell Vulnerability

Wondering if there is a centralized place we can go to see if Home Assistant or 3rd party integrations are vulnerable to the Log4Shell exploit raging across the internet?

1 Like

Since that is for Java applications, and Home Assistant is Python, how is that applicable?

HA itself won’t be a problem. But there could be Add-ons that are built with Java in the backend. If those were exposed to the web, that could be a risk to consider.

I myself only have a core installation. But I have a Unifi controller container in Proxmox (not exposed to the web), which has a vulnerable log4j version. If I’m not mistaken there is an addon for the Unifi container, so that one could have the same problem. That being said, I assume this particular addon won’t expose Unifi to the web. Hence it wouldn’t be an issue in this case. But that’s the reason why I think this thread is valid.

1 Like

My response was directly aimed at the question, which was about “Home Assistant or 3rd party integrations”, both are Python.

As far as I know I believe the latest Unifi controller has the vulnerability fixed (6.5.54, add-on v1.1.2), but correct me if I’m wrong.

However I agree, would like to see if any of the other addons are impacted by the vulnerability, e.g. Node-RED, Deconz, etc.

1 Like

As mentioned above, my controller is running in a Proxmox container, and I haven’t updated that yet. Which underlines the importance of keeping software up to date. :+1:

I have no idea. I have been looking for the same thing.
It would be a nice thing to have a moderator-driven thread in these situations with facts gathered in one place.

I made a search in GitHub under home-assistant/addons.

The only one I found was homematic, but I suppose I should have found “UniFi Network Application” as well. Ubi have released a fix, so it's just to upgrade in that case.

And I don't use homematic.

Good to see mostly everyone getting the spirit of the post and not getting hung up on the semantics. Thanks for all the input everyone.