Glowforge and Log4j vulnerability

Hello! We have placed over a dozen Glowforges in schools in our area and the school district is asking if the Log4j vulnerability impacts the Glowforges in any way?

Would anyone have an answer to this? Thanks in advance 🙂

Only GF staff could answer this definitively, but…

The machine does not allow remote network connections, so there’s no way to “hack into” it, and
The updates to the software/OS are initiated by the machine itself, using hard-coded addresses to secure Google servers

So I would say it is “highly unlikely” that any kind of malware could be introduced, unless Glowforge themselves were hacked and it was put into their update process.

6 Likes

I don’t believe this is true.

You can print to your Glowforge from other networks than the one your machine is connected to, yes?

That said, your machine is only talking to Glowforge’s servers – but I think Log4j means there are likely vulnerabilities across the board on anything connected to the internet, including Glowforge.

Although I’m honestly not too worried. I’m sure Glowforge is doing their own due diligence, and I also don’t expect our lasers are a high value hacking target.

2 Likes

The potential issue isn’t that people will hack the Glowforge and take over the lasers… Although it would be interesting to see what designs they’d come up with maybe… The issue is using the Glowforge, if there is a vulnerability, to access the network and everything else on that network. Regardless of whether the Glowforge is on a home, business, or larger network, it should be a cause of great concern…

1 Like

Thank you so much for the details. I’m looking into it now. As soon as I have more information I’ll let you know.

1 Like

Unless something has changed recently the software running on the Glowforge doesn’t use Java and so it won’t be running anything that uses Log4j.

It’s been a few years since I dug around in the GF software, so it’s possible that it’s changed, but it doesn’t seem likely.

I have no idea what they run on their servers though.

1 Like

The vulnerability allows a targeted system to run arbitrary code. But that arbitrary code still has to be written by someone, first. To be worth the effort, there needs to be some value in attacking the target. I’d be really, really surprised if anyone thought targeting a Glowforge (or even GF’s servers) was a project worth doing other than maybe for ransomware and that’d target servers not individual users. Assuming the printers themselves are vulnerable…

1 Like

The team looked into this question and has determined:

Neither our devices nor the services we manage are affected by the log4j vulnerability. No patches are required.

Thanks so much for asking!

3 Likes