We are keeping this article up-to-date ...
Is farmerswife vulnerable to the new "Log4j zero-day exploit"?
No. To our current knowledge, farmerswife (fw) is NOT vulnerable to the "Log4j" / "Log4Shell" exploit (CVE-2021-44228).
According to the CVE, the vulnerable JNDI lookup code exists only in Log4j 2.x (releases 2.0-beta9 through 2.14.1); Log4j 1.x does not contain it. Note that this statement concerns CVE-2021-44228 specifically: Log4j 1.x reached end of life in 2015 and has separate advisories of its own, which are outside the scope of this article.
The farmerswife Server app itself does not use Log4j at all, since it is not written in Java.
The farmerswife "Web Client" and "Mobile Web Client" use a Log4j version prior to 2.0 and are therefore not affected.
See more info below in the "Additional information ..." section.
The same applies to farmerswife Play.
Can a virus scan cause a false positive result?
Yes, we have already come across this. Scanners that match only on Log4j file or class names, rather than on the vulnerable JNDI lookup code or on the actual version, can flag a pre-2.0 Log4j as well, so a match on a farmerswife installation should be verified against the Log4j version that is actually present.
Is there proof that farmerswife is not affected?
Among other tools, we have run log4j-detector on our source code and on the most recently released version, 6.7 Service Pack 1:
https://github.com/mergebase/log4j-detector
Source code scan result using log4j-detector:
6.7 Service Pack 1 result:
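The check behind the scan results above, as an added example (this is not farmerswife's code and not the log4j-detector tool itself): it walks a directory, opens every jar, reads the Maven pom.properties version and decides on the jar's contents rather than its file name. The sample jars it builds are constructed stand-ins with a handful of entries, and the Maven metadata layout is an assumption that holds for real Log4j releases. It also shows why a name-only check yields false positives on Log4j 1.x and on unrelated jars that merely have "log4j" in their name.

```python
"""Added example, not farmerswife's or mergebase's code: classify Log4j jars
under a directory the way a detector does, deciding on jar contents rather
than file names. Assumption: jars carry META-INF/maven/**/pom.properties
(real Log4j releases do). The sample jars built below are constructed stand-ins.
"""
import os
import re
import tempfile
import zipfile

# Class implementing the JNDI lookup exploited by CVE-2021-44228; Log4j 1.x never had it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_PKG = "org/apache/log4j/"           # package prefix of Log4j 1.x
LOG4J2_PKG = "org/apache/logging/log4j/"   # package prefix of Log4j 2.x


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '1.2.17' -> (1, 2, 17); '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def version_affected(version):
    """True when a 2.x version lies in the CVE-2021-44228 range (2.0-beta9..2.14.1).

    Fixed releases: 2.15.0 plus the Java 7/6 backports 2.12.2 and 2.3.1. Pre-beta9
    2.0 builds are conservatively treated as affected; an unparseable version
    returns True so it gets looked at instead of waved through.
    """
    v = parse_version(version)
    if v is None:
        return True
    if v[0] != 2 or v >= (2, 15, 0):
        return False
    if v[1] == 12 and v >= (2, 12, 2):
        return False
    if v[1] == 3 and v >= (2, 3, 1):
        return False
    return True


def maven_version(zf):
    """Version from the jar's pom.properties, or None when it has none."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
            if m:
                return m.group(1).strip()
    return None


def classify_jar(path):
    """Return (finding, version) for one jar, judged by its contents, not its name."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = maven_version(zf)
    if any(n.startswith(LOG4J2_PKG) for n in names):
        if JNDI_LOOKUP not in names:
            return ("log4j-2.x: JndiLookup.class removed, CVE-2021-44228 not exploitable", version)
        if version_affected(version):
            return ("log4j-2.x: VULNERABLE to CVE-2021-44228", version)
        return ("log4j-2.x: fixed release", version)
    if any(n.startswith(LOG4J1_PKG) for n in names):
        # The 2.x log4j-1.2-api bridge reuses this package but carries a 2.x version string.
        v = parse_version(version)
        if v and v[0] == 2:
            return ("log4j-2.x 1.2-api bridge: no lookup code in this jar", version)
        return ("log4j-1.x: not affected by CVE-2021-44228", version)
    return ("not Log4j: a file-name-only check would be a false positive here", version)


def scan_tree(root):
    """Map every .jar below root (by relative path) to its classification."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                full = os.path.join(dirpath, f)
                results[os.path.relpath(full, root)] = classify_jar(full)
    return results


def build_samples(root):
    """Constructed stand-in jars with a few entries each (not real release jars)."""
    core_pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    core_cls = "org/apache/logging/log4j/core/Logger.class"
    samples = {
        "log4j-1.2.17.jar": {"org/apache/log4j/Logger.class": b"",
                             "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\n"},
        "log4j-core-2.14.1.jar": {core_cls: b"", JNDI_LOOKUP: b"", core_pom: b"version=2.14.1\n"},
        "log4j-core-2.14.1-stripped.jar": {core_cls: b"", core_pom: b"version=2.14.1\n"},
        "log4j-core-2.17.1.jar": {core_cls: b"", JNDI_LOOKUP: b"", core_pom: b"version=2.17.1\n"},
        "my-log4j-helper.jar": {"com/example/Helper.class": b""},  # name match only
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)


def demo():
    """Build the samples in a temporary directory, scan them and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, (finding, version) in sorted(demo().items()):
        print(f"{path:32} {version or '-':8} {finding}")
```

Run against a real installation, point `scan_tree()` at the application directory instead of the constructed samples; a jar reported as "log4j-1.x" is the case this article describes, and "my-log4j-helper.jar" illustrates the false positive a name-based scanner produces.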
Additional information and proactive measures to keep your farmerswife system secure:
- Ensure that your farmerswife system is running on the latest released version, 6.7 Service Pack 1.
- Ensure the fw Server app host Operating System (OS) is up to date and patched.
- Ensure that the Java installed on the fw Server app host machine is up to date; see: How to replace Java (Oracle) with OpenJDK
- Consider using a Web Application Firewall (WAF), along the lines of: Using NGINX as a third party proxy service to apply your SSL certificates
Because "Java" and the "JDK" have also come up in relation to the Log4j topic (info from here: https://www.lunasec.io/docs/blog/log4j-zero-day/):
"(...) JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions "com.sun.jndi.ldap.object.trustURLCodebase" is set to false meaning JNDI cannot load remote code using LDAP."
Note that this JDK default only closes the remote class loading path over LDAP. On an affected Log4j 2.x the JNDI lookup itself still runs, so a current JDK is defence in depth, not a substitute for the Log4j fix (upgrading to a fixed release or removing JndiLookup.class).
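To turn the JDK thresholds quoted above into a check that can be run on the fw Server app host, here is an added example (not farmerswife code) that parses the first line of `java -version` output and compares it against 6u211, 7u201, 8u191 and 11.0.1. The sample version lines are constructed; the parsing handles both the legacy `1.8.0_191` scheme and the newer `11.0.1` scheme, which is the usual mistake in such scripts. Majors the quote does not cover (9 and 10) are reported as unknown rather than guessed.

```python
"""Added example, not farmerswife code: check an installed JDK version against the
releases in which com.sun.jndi.ldap.object.trustURLCodebase defaults to false
(6u211, 7u201, 8u191, 11.0.1). Input is the first line of `java -version`,
e.g. 'openjdk version "1.8.0_292"'; the sample lines below are constructed.
"""
import re
import subprocess

# Earliest release per feature version with the LDAP remote-codebase default off,
# normalised to (feature, interim, update) tuples for comparison.
THRESHOLDS = {6: (6, 0, 211), 7: (7, 0, 201), 8: (8, 0, 191), 11: (11, 0, 1)}


def parse_java_version(line):
    """Return (feature, interim, update) from a `java -version` first line, or None.

    Legacy scheme '1.8.0_191' -> (8, 0, 191); new scheme '11.0.1' -> (11, 0, 1);
    a bare '17' -> (17, 0, 0). Build suffixes such as '-b12' or '+13' are ignored.
    """
    m = re.search(r'"(\d+(?:\.\d+)*)(?:_(\d+))?[^"]*"', line)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    update = int(m.group(2)) if m.group(2) else 0
    if parts[0] == 1 and len(parts) >= 2:      # legacy 1.6 / 1.7 / 1.8 numbering
        return (parts[1], 0, update)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def ldap_codebase_blocked(version_line):
    """True/False against the quoted thresholds; None if unparseable or a major
    the quote does not cover (9, 10). Majors above 11 post-date the change."""
    v = parse_java_version(version_line)
    if v is None:
        return None
    if v[0] in THRESHOLDS:
        return v >= THRESHOLDS[v[0]]
    if v[0] > 11:
        return True
    return None


def installed_java_version_line():
    """First line of `java -version` (it is printed on stderr), or None without java."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    text = out.stderr or out.stdout
    return text.splitlines()[0] if text else None


if __name__ == "__main__":
    # Constructed sample lines first, then whatever java is on this host's PATH.
    samples = ['java version "1.8.0_181-b13"', 'java version "1.8.0_191-b12"',
               'openjdk version "11.0.13" 2021-10-19', 'openjdk version "10.0.2" 2018-07-17']
    for line in samples + [installed_java_version_line() or "(no java on PATH)"]:
        print(f"{line:45} trustURLCodebase default off: {ldap_codebase_blocked(line)}")
```

A `True` here means only that the LDAP remote class loading path is closed by default on that JDK; it says nothing about whether a Log4j 2.x in the deployment is itself fixed, which remains the primary check.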