YAAC doesn't use Log4J. Its logging is very simple and uses plain System.out.println() Java calls, with standard output duplicated to the YAAC.out rolling log file. The dnsjava library does use SLF4J, but it is not invoked with logging enabled, and this library is only used to configure and initialize AGWPE and KISS-over-TCP ports (and for no other purpose within YAAC).
So YAAC users should be safe from the Log4J vulnerability.
Andrew, KA2DDO
author of YAAC
________________________________________
From: Greg D <ko6th.greg@...>
Sent: Thursday, December 23, 2021 1:40 AM
To: Andrew P.
Subject: Log4J - presume you've been asked this...
Hi Andrew,
I'm guessing you've already been asked this, so apologies in advance. A
quick search didn't turn up anything.
There's been a lot of discussion very recently about the Log4J logging
utility, and the vulnerability that it presents. It's certainly a long
shot, but does YAAC use it for its logging? If so, I wonder if a
carefully crafted packet might be used to trigger an attack on a station.
I'm looking into the possibility of rebuilding my ham station, moving
from a PC to a Raspberry Pi for the 24x7 APRS stuff so that I don't have
to leave the PC running all the time. YAAC is the obvious application
to host that station (moving from the current APRSIS32). It would be on
the home network, inside the firewall, so I'm just being (perhaps
overly) careful.
Thanks,
Greg KO6TH
