Legacy Local Blynk server vulnerability (Log4j2 fix)

Hello all,

A 0-day exploit was recently published in the Java logging library - log4j2 (this library is used by Blynk Local Server). This is the largest fu…p I have seen in the Java world :slight_smile:.

So for all local server owners - please update ASAP to the latest server version.

You can find other possible ways of avoiding the exploits in the above article.

All Blynk servers were already patched with the fix.

7 Likes

Thank You Dmitriy

Dmitriy,

Thank you for this. However, when I updated to the latest server, it would not run. I am running on a Raspberry Pi, have Java version: “1.8.0_65” and was running server-0.41.2-java8.jar before. I suspect I need to upgrade something else???

I also want to thank you for Blynk. The legacy version has been very stable and has meshed nicely with Home Assistant running my home automation. Of course, Pete Knight has been very helpful as well.

Sincerely,
Mark Strauch

Dmitry, will there be compilation for JAVA8?

Thank you and respect for your effort!
What Java version is needed for this version on the RPI?

@Dmitriy, when I try to start the new version, it gives this error:

pi@rpiw:~ $ java -jar server-0.41.17.jar -dataFolder /home/pi/Blynk
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.UnsupportedClassVersionError: cc/blynk/server/launcher/ServerLauncher has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:473)
at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:601)
pi@rpiw:~ $

What could be the problem?
Thanks!

ps:

OK, I’ve got it. The uploaded version on GitHub is compiled for Java 11, and on the RPi we use Java 8. Unfortunately, Java 11 does not run on the RPi Zero W, so there is no way I can use this update :frowning:
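
The UnsupportedClassVersionError above comes from the class-file major version stored in each compiled class (55.0 requires Java 11, 52.0 is Java 8). As an added example that is not part of the original thread or of Blynk's code, this Python script reads that version from a JAR before deploying it and compares it with a `java -version` string; the function names are hypothetical and the sample JAR is constructed in memory.

```python
import io
import struct
import zipfile

def class_major_version(header: bytes) -> int:
    """Major version from the first 8 bytes of a .class file (magic, minor, major)."""
    if len(header) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", header[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    return major

def required_java(jar) -> int:
    """Lowest Java release able to load every regular class in the JAR."""
    highest = 0
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            # Multi-release variants and module descriptors are not loaded by older JVMs.
            if (not name.endswith(".class") or name.startswith("META-INF/versions/")
                    or name.endswith("module-info.class")):
                continue
            with zf.open(name) as fh:
                highest = max(highest, class_major_version(fh.read(8)))
    if highest == 0:
        raise ValueError("no class files found")
    return highest - 44  # class-file major 52 -> Java 8, 55 -> Java 11

def runtime_release(version: str) -> int:
    """Map a `java -version` string to its release: 1.8.0_65 -> 8, 11.0.14 -> 11."""
    parts = version.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])

def can_run(jar, version: str) -> bool:
    """True when the installed runtime is new enough for every class in the JAR."""
    return runtime_release(version) >= required_java(jar)

def make_sample_jar() -> bytes:
    """Constructed stand-in for a server JAR: one class header at major version 55."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cc/blynk/server/launcher/ServerLauncher.class",
                    struct.pack(">IHH", 0xCAFEBABE, 0, 55))
        zf.writestr("META-INF/versions/17/module-info.class",
                    struct.pack(">IHH", 0xCAFEBABE, 0, 61))
    return buf.getvalue()

if __name__ == "__main__":
    jar = make_sample_jar()
    for version in ("1.8.0_65", "11.0.14"):
        print(version, "can run it:", can_run(io.BytesIO(jar), version))
```

For a real file, pass its path to `required_java()` in place of the in-memory sample.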

Java 8 support for 1.0 server was dropped a few years ago. So we won’t provide a fix for it. I recommend you all find a way to install Java 11 on the Raspberry Pi; there should exist some JVM, like Liberica.

Can someone help me please? What command should I use to install Java 11 on an RPi Zero v2?
Thanks!

Try this:
sudo apt update
sudo apt install -y openjdk-11-jdk

Hey, thanks for the reply. By that time I had managed with this command:
sudo apt install default-jdk

the result is this:

pi@pi:~ $ java -version
openjdk version "11.0.14" 2022-01-18
OpenJDK Runtime Environment (build 11.0.14+9-post-Raspbian-1deb11u1)
OpenJDK Server VM (build 11.0.14+9-post-Raspbian-1deb11u1, mixed mode)

So, I guess it is OK.

1 Like