We are keeping this article up-to-date ...
Is farmerswife vulnerable to the new "Log4j zero-day exploit"?
No. To our current knowledge, farmerswife (fw) is NOT vulnerable to the so-called "Log4j" / "Log4Shell" exploit (CVE-2021-44228).
According to the CVE, the vulnerability affects Log4j 2.x from version 2.0-beta9 up to and including 2.14.1; it was first fixed in Log4j 2.15.0.
The farmerswife Server app itself does not use Log4j at all, since it is not written in Java.
The farmerswife "Web Client" and "Mobile Web Client" use a Log4j version prior to 2.0 (the 1.x line), which does not implement the JNDI message lookup that CVE-2021-44228 abuses and is therefore not affected. (Note that Log4j 1.x is end-of-life and has its own, separately tracked issues such as CVE-2021-4104 in JMSAppender, which requires an attacker who can already change the logging configuration; this is one more reason to keep the fw version current, see below.)
See more info below in the "Additional information ..." section.
The same applies to farmerswife Play.
Can a virus scan cause a false positive result?
Yes, we have already come across this.
Is there proof that farmerswife is not affected?
Among other tools, we have run log4j-detector (https://github.com/mergebase/log4j-detector) on our source code and on the most recently released version, 6.7 Service Pack 1:
Source code scan result using log4j-detector (the "Problem" line below is the scanner failing to open a Subversion pristine copy, not a Log4j finding):
[15:43:59] ? [/Users/username/temp/log4j-detector] java -jar target/log4j-detector-2021.12.13.jar /Users/username/fw4_dev.608
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Problem /Users/username/fw4_dev.608/.svn/pristine/30/30f8a4756d906cc732c6a0210611fc52545add24.svn-base - java.util.zip.ZipException: invalid entry CRC (expected 0x0 but got 0x6f4675cb)
-- No vulnerable Log4J 2.x samples found in supplied paths: [/Users/username/fw4_dev.608]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)
6.7 Service Pack 1 scan result:
[15:57:03] ? [/Users/username/temp/log4j-detector] java -jar target/log4j-detector-2021.12.13.jar /Users/username/temp/fw67sp1
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- No vulnerable Log4J 2.x samples found in supplied paths: [/Users/username/temp/fw67sp1]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)
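The detector output above only shows the final verdict. The following is an added example (written for this article, not farmerswife code and not the log4j-detector project's code) of the check such scanners perform: it walks a directory, opens every jar/war/ear/zip including archives nested inside archives, looks for the log4j-core class that implements JNDI lookups and for the Maven version marker, and reports whether each archive is Log4j 1.x (not affected by CVE-2021-44228), a vulnerable 2.x release, a 2.x release with JndiLookup.class removed, or a patched release. The jars it builds in build_fixture() are constructed test data, not real Log4j builds.

```python
"""Classify Log4j archives under a directory for CVE-2021-44228 (added example, not
farmerswife or log4j-detector code). Verdicts: log4j1 (1.x, not affected by this CVE),
vulnerable (log4j-core < 2.15.0 with JndiLookup.class), mitigated (< 2.15.0 but the class
was removed), patched (>= 2.15.0), unknown (core classes but no version), corrupt (bad zip).
Archives nested inside archives (WEB-INF/lib/*.jar in a .war) are scanned too.
The jars built by build_fixture() are constructed test data, not real Log4j builds."""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_EXT = {".jar", ".war", ".ear", ".zip"}
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_PREFIX = "org/apache/logging/log4j/core/"   # package of every log4j-core 2.x class
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_IN = (2, 15, 0)  # first release that disabled JNDI message lookups


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def classify_archive(zf, label):
    """Classify one open zip and every archive nested in it. Returns [(label, verdict, version)]."""
    names = set(zf.namelist())
    findings, version = [], None
    if POM_PROPS in names:  # Maven marker written into every log4j-core jar
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if LOG4J1_MARKER in names:
        findings.append((label, "log4j1", version))
    if any(n.startswith(LOG4J2_PREFIX) for n in names):
        v = parse_version(version) if version else None
        if v is None:
            verdict = "unknown"
        elif v >= FIXED_IN:
            verdict = "patched"
        elif JNDI_LOOKUP in names:
            verdict = "vulnerable"
        else:
            verdict = "mitigated"  # the "zip -q -d ... JndiLookup.class" workaround was applied
        findings.append((label, verdict, version))
    for n in names:  # recurse into nested archives
        if Path(n).suffix.lower() in ARCHIVE_EXT:
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    findings.extend(classify_archive(inner, f"{label}!{n}"))
            except zipfile.BadZipFile:
                findings.append((f"{label}!{n}", "corrupt", None))
    return findings


def scan(root):
    """Walk root, classify every archive found, return [(relative path, verdict, version)]."""
    root, results = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath, f)
            if p.suffix.lower() not in ARCHIVE_EXT:
                continue
            rel = p.relative_to(root).as_posix()
            try:
                with zipfile.ZipFile(p) as zf:
                    results.extend(classify_archive(zf, rel))
            except zipfile.BadZipFile:
                results.append((rel, "corrupt", None))
    return sorted(results, key=lambda r: r[0])


def _zip_bytes(entries):
    """Build an in-memory zip from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _fake_core(version, with_jndi=True):
    """Minimal stand-in for a log4j-core jar: one core class, optional JndiLookup, pom.properties."""
    entries = {LOG4J2_PREFIX + "Logger.class": b"\xca\xfe\xba\xbe",
               POM_PROPS: f"version={version}\nartifactId=log4j-core\n".encode()}
    if with_jndi:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"
    return _zip_bytes(entries)


def build_fixture(root):
    """Create a constructed directory tree that exercises every verdict."""
    lib = Path(root, "lib")
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "log4j-core-2.14.1.jar").write_bytes(_fake_core("2.14.1"))
    (lib / "log4j-core-2.14.1-stripped.jar").write_bytes(_fake_core("2.14.1", with_jndi=False))
    (lib / "log4j-core-2.17.1.jar").write_bytes(_fake_core("2.17.1"))
    (lib / "log4j-1.2.17.jar").write_bytes(_zip_bytes({LOG4J1_MARKER: b"\xca\xfe\xba\xbe"}))
    (lib / "broken.jar").write_bytes(b"not a zip")
    # a .war bundling a vulnerable log4j-core in WEB-INF/lib: the nested-archive case
    (Path(root) / "webapp.war").write_bytes(
        _zip_bytes({"WEB-INF/lib/log4j-core-2.13.3.jar": _fake_core("2.13.3")}))
    return root


def demo():
    """Scan the constructed fixture; returns {path: (verdict, version)}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return {path: (verdict, version) for path, verdict, version in scan(tmp)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture(tempfile.mkdtemp())
    for path, verdict, version in scan(target):
        print(f"{verdict:10} {version or '-':8} {path}")
```

Run it with the fw installation directory as the only argument (e.g. the Web Client's lib folder); without an argument it scans its own constructed fixture. Unlike log4j-detector, this example only opens files with an archive extension, so a jar that was renamed or embedded in some other container would be missed; the detector identifies archives by content, which is why it also tried to open the .svn pristine file in the output above. A "mitigated" result means the JNDI lookup class was stripped from an otherwise old jar; it is a stopgap, and upgrading log4j-core remains the real fix.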
Additional information and pro-active measures to keep your farmerswife system secure:
- Ensure that your farmerswife system is running on the latest released version 6.7 Service Pack 1.
- Ensure the fw Server app host Operating System (OS) is up to date and patched.
- Ensure that the Java runtime installed on the fw Server app host machine is up to date; see: How to replace Java (Oracle) with OpenJDK
- Consider placing a Web Application Firewall (WAF) or reverse proxy in front of the fw web services, following this guide: Using NGINX as a third party proxy service to apply your SSL certificates
Because the Java / JDK version has also come up in relation to the Log4j topic (quoted from https://www.lunasec.io/docs/blog/log4j-zero-day/):
"(...) JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions "com.sun.jndi.ldap.object.trustURLCodebase" is set to false meaning JNDI cannot load remote code using LDAP."
Note that this JDK default only blocks the remote-class-loading variant of the attack. It does not make a vulnerable Log4j 2.x version safe, because the JNDI lookup can still be abused through classes already present on the application's classpath or through serialized objects returned by an attacker-controlled LDAP server. Upgrading or removing the affected Log4j version remains the actual fix; a current JDK is defence in depth, not a substitute.