SmartThings exposure to Log4j2 / Log4Shell vulnerabilities

I’ve not seen any public statement from SmartThings or Samsung about their exposure, if any, to the recent log4j2 / log4shell vulnerabilities. It is widely known that much of SmartThings back-end is written in Java, so it is reasonable to assume that there was (even for a short time) some exposure.

As a developer on, and user of the platform, I’d like to understand:

  1. Date any vulnerable log4j2 version was introduced to production systems
  2. Date that all vulnerable systems were patched, or fully mitigated against exploitation of these vulnerabilities
  3. Exposure in terms of systems affected, and possible impact of exploitation.
  4. Result of any investigation into exploitation of the vulnerability.
  5. Any actions I need to take as a developer or user. Should I change my password? Should I change my app’s OAuth secrets?



Please respond, Samsung. This vulnerability was rated a 10.0 severity rating and is generally considered one of the worst vulnerabilities of all time due to the ease of exploit and how widespread it’s use is. It pops up in the most unexpected places (my Hubitat was vulnerable), so it’s not unreasonable to ask if Samsung devices, software, and services are affected. We would like a response as soon as possible.

Let’s tag @posborne, who might can provide some useful information, but looking at the last FOSS release package (from May 2020) that hasn’t had anywhere any mention of log4j.