Looking for advice on Log4J

Having read the scary news about Log4J, I’m wondering what the best way is to check HA components, add-ons, etc. I know that Python is not affected, but the Worx Landroid package used to (still does?) list it as a dependency; I wonder how many other official or unofficial add-ons / integrations do.

Thanks.

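As one concrete way to act on the question above (an added example written for this thread, not code from the thread or from Home Assistant): a Python scanner that walks a directory such as an add-on container's exported filesystem, identifies log4j-core JARs by their manifest headers (assumed here to be `Bundle-SymbolicName` and `Implementation-Version`, which is what the published artifacts carry as far as I know), and reports whether the version predates the CVE-2021-44228 fix and still ships the `JndiLookup` class. The fake JARs it builds are constructed fixtures for demonstration only.

```python
import os, re, tempfile, zipfile

# The lookup class Log4Shell abuses; deleting it from the JAR was a documented mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"

def is_log4shell_vulnerable(version):
    """True if a log4j-core version predates the CVE-2021-44228 fix: 2.15.0 on the main
    line, 2.12.2 (Java 7 branch), 2.3.1 (Java 6 branch). 1.x is a separate code base."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)  # '2.0-beta9' -> (2, 0, 0)
    if not m or int(m[1]) != 2:
        return False
    minor, patch = int(m[2]), int(m[3] or 0)
    fixed = {12: (12, 2), 3: (3, 1)}.get(minor, (15, 0))  # backport branches fixed separately
    return (minor, patch) < fixed

def inspect_jar(path):
    """Return (version, exploitable) for a log4j-core JAR, None for any other file."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            text = jar.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    except zipfile.BadZipFile:
        return None
    if not re.search(r"^Bundle-SymbolicName:\s*org\.apache\.logging\.log4j\.core\s*$", text, re.M):
        return None
    version = next(iter(re.findall(r"^Implementation-Version:\s*(\S+)", text, re.M)), "unknown")
    # Old version AND lookup class still present -> exploitable; a stripped JAR is not.
    return version, is_log4shell_vulnerable(version) and JNDI_CLASS in names

def scan_tree(root):
    """List every log4j-core JAR under root; nested JARs inside WARs/fat JARs are not opened."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar") and (info := inspect_jar(os.path.join(dirpath, name))):
                hits.append((name, *info))
    return sorted(hits)

def make_sample_tree():
    """Constructed fixture: fake JARs holding only a manifest and, optionally, the marker class."""
    root = tempfile.mkdtemp()
    for name, ver, keep_class in [("log4j-core-2.14.1.jar", "2.14.1", True),
                                  ("log4j-core-2.17.1.jar", "2.17.1", True),
                                  ("log4j-core-2.14.1-stripped.jar", "2.14.1", False)]:
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr(MANIFEST, "Manifest-Version: 1.0\nBundle-SymbolicName: "
                         f"org.apache.logging.log4j.core\nImplementation-Version: {ver}\n")
            if keep_class:
                jar.writestr(JNDI_CLASS, b"")
    return root
```

Run `scan_tree("/path/to/exported/addon")` against a real tree; the version column is what you then compare against the vendor's advisory list.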

Agreed, it looks like anything running Apache with log4j could potentially be affected. Not knowing how deep every implementation goes (I always use devices with Apache, but only at the surface level), could any of our devices connected to HA have an unpatched potential for this threat? How many potential instances of Apache/log4j could there be within HA and its add-ons?

Let’s say something as small as a WLED implementation with a local web service to log into and change settings: is that Apache-based? I am wondering how deep we are going to be as a group if something is able to tunnel in, as there are a lot of random devices pinging all the time.

No integration will, since HA is Python and that’s Java.

A user on the Node-Red forum shared this useful link:

https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/#affected-products


Wow, great list @123

Hi Tinkerer. I don’t think you meant it that way… but I at first read your comment as meaning Python is Java…? I don’t think it is, but then I wondered. Are you implying that HA, which is Python, could be vulnerable because Java lurks somewhere beneath the surface?

No, I’m saying that log4j is Java… Home Assistant is purely Python. It’s not possible for Log4j to be lurking inside HA itself.

Cool - I figured you probably meant that, but good to check!


Sorry for the simple question, but just to clear things up: when you say “inside HA itself”, do you mean a fresh install of the latest version of HA and the official integrations, or do you mean it’s impossible that anything related to HA (including stuff in HACS etc.) can be affected?

Thanks, Justin

Home Assistant and all the integrations are purely Python. A fresh Home Assistant install has no Java, and no integration or custom component will use Java either.

Add-ons and other software could run anything.

Looking at the source code repository, it appears Home Assistant uses the C++-based Log4Qt port of Log4j, so it is not affected due to not having the taint of Java.

Just to reiterate what was mentioned earlier:
Node-RED seems vulnerable, and potentially things installed via HACS may be vulnerable as well.

Node-RED on a Home Assistant system which has the web interface exposed to the web would be a high risk.

Just my 2 cents,
chrisV

Any custom components, cards, AppDaemon apps, or NetDaemon apps won’t be vulnerable since none of those use Java. I don’t think it’s capable of installing anything else.