Log4j / Log4shell exploit and farmerswife

Modified on Thu, 16 Dec, 2021 at 1:18 PM

Last updated December 16th, 2021, 13:10 CET

We are keeping this article up-to-date ...


Is farmerswife vulnerable to the new "Log4j zero-day exploit"?


No, farmerswife (fw) is NOT vulnerable to the so-called "Log4j" / "Log4shell" exploit (CVE-2021-44228) to our current knowledge!

According to the CVE the vulnerability was introduced in "Log4j" version 2.0.


The farmerswife Server app itself does not use "Log4j" at all, since it is not coded using Java.


The farmerswife "Web Client" and "Mobile Web Client" are using a version of "Log4j" prior to 2.0, therefore they are not affected.

See more info below in the "Additional information ..." section.


The same applies to farmerswife Play.


Can a virus scan cause a false positive result?

Yes, we have come across this already.


Is there proof that farmerswife is not affected?

Among other tools, we have run "log4j-detector" on our source code and also on the most recently released version, 6.7 Service Pack 1:

https://github.com/mergebase/log4j-detector


Source code scan result using "log4j-detector":

[15:43:59] ? [/Users/username/temp/log4j-detector] java -jar target/log4j-detector-2021.12.13.jar /Users/username/fw4_dev.608 
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Problem /Users/username/fw4_dev.608/.svn/pristine/30/30f8a4756d906cc732c6a0210611fc52545add24.svn-base - java.util.zip.ZipException: invalid entry CRC (expected 0x0 but got 0x6f4675cb)
-- No vulnerable Log4J 2.x samples found in supplied paths: [/Users/username/fw4_dev.608]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)


6.7 Service Pack 1 scan result using "log4j-detector":

[15:57:03] ? [/Users/username/temp/log4j-detector] java -jar target/log4j-detector-2021.12.13.jar /Users/username/temp/fw67sp1   
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- No vulnerable Log4J 2.x samples found in supplied paths: [/Users/username/temp/fw67sp1]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)
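
To check an archive yourself, the following added example (not farmerswife's or log4j-detector's code) tells a Log4j 1.x jar from a Log4j 2.x core jar by the class paths each one contains, looks inside nested jars/WARs, and reports unreadable archives such as the .svn-base file in the scan above instead of stopping. The function names and the sample archives are constructed for this illustration; a "2.x core with JndiLookup" finding means the jar's version still has to be checked against the CVE.

```python
import io
import zipfile

# Class paths that distinguish the two Log4j generations.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"                        # Log4j 1.x package
LOG4J2_CORE = "org/apache/logging/log4j/core/Logger.class"             # Log4j 2.x core
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class behind CVE-2021-44228
NESTED = (".jar", ".war", ".ear", ".zip")

def classify_archive(data, name="<archive>", depth=0):
    """Return a list of (path, finding) for an archive and the archives nested in it."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if JNDI_LOOKUP in names:
                findings.append((name, "log4j-2.x core with JndiLookup"))
            elif LOG4J2_CORE in names:
                findings.append((name, "log4j-2.x core, JndiLookup removed"))
            if LOG4J1_MARKER in names:
                findings.append((name, "log4j-1.x"))
            if depth < 5:  # bound recursion into fat jars / WARs
                for inner in names:
                    if inner.lower().endswith(NESTED):
                        findings += classify_archive(zf.read(inner), f"{name}!/{inner}", depth + 1)
    except zipfile.BadZipFile:
        # Corrupt or non-zip file: report it instead of aborting the scan.
        findings.append((name, "unreadable archive"))
    return findings

def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()

# Constructed sample archives (empty placeholder class files, not real Log4j builds).
OLD = make_jar({LOG4J1_MARKER: b""})
NEW = make_jar({LOG4J2_CORE: b"", JNDI_LOOKUP: b""})
WAR = make_jar({"WEB-INF/lib/log4j-core.jar": NEW, "WEB-INF/lib/log4j.jar": OLD})

if __name__ == "__main__":
    for path, finding in classify_archive(WAR, "app.war"):
        print(path, "->", finding)
    print(classify_archive(b"not a zip", "broken.svn-base"))
```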


Additional information and pro-active measures to keep your farmerswife system secure:


Because "Java" or "JDK" have also come up in relation to the "Log4j" topic (info from here: https://www.lunasec.io/docs/blog/log4j-zero-day/):

"(...) JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions "com.sun.jndi.ldap.object.trustURLCodebase" is set to false meaning JNDI cannot load remote code using LDAP."
