Eclair not vulnerable to Log4J 2.1x remote execution issues.

[n1bor]

It is using logback that is based off log4j version 1.x
http://logback.qos.ch/

Anyone disagree?

Just for everyone reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
this is the issue that does NOT effect Eclair.

[t-bast]

Agreed, we tweeted that eclair wasn't impacted: https://twitter.com/acinq_co/status/1469678544989179917

[n1bor]

To mitigate this type of attack would the following be possible:

1. Delete seed.dat after node starts up. (Obviously keeping an off-line backup).
2. Put the bitcoin rpc user/password in a file that is read on startup - that could also be deleted after startup.
3. Run bitcoind as a separate user so user running Eclair has no access to wallet.dat etc...

Obviously 3 is possible. And 1 we can do now (I already do). So would just need a way to also do 3.
Do you think this would help much? In that getting data out of a running process is much harder that from a file in a know location.

[t-bast]

You can indeed run bitcoind as a separate user, and also use cookie authentication to avoid the user/password part.

But I'm not sure those steps give you much protection.
If an attacker got remote code execution on your machine, if they don't find these files, they would plant a malware that just waits for the files to eventually appear and steal them (since you'll need to put your seed back when restarting your node).
They could also use your eclair node to close all channels to a bitcoin address they control to steal your money (and many variations of that attack).