I’ve not seen any public statement from SmartThings or Samsung about their exposure, if any, to the recent log4j2 / log4shell vulnerabilities. It is widely known that much of the SmartThings back-end is written in Java, so it is reasonable to assume that there was (even for a short time) some exposure.
As a developer on, and user of, the platform, I’d like to understand:
- Date any vulnerable log4j2 version was introduced to production systems.
- Date that all vulnerable systems were patched, or fully mitigated against exploitation of these vulnerabilities.
- Exposure in terms of systems affected, and possible impact of exploitation.
- Result of any investigation into exploitation of the vulnerability.
- Any actions I need to take as a developer or user. Should I change my password? Should I change my app’s OAuth secrets?