Eclipse Community Forums
Forum: Modeling » M2T (model-to-text transformation)
log4j 1.X series high-risk vulnerability [message #1849506] Sat, 22 January 2022 02:51
guo qing
Messages: 2
Registered: January 2022
Junior Member
Does the log4j 1.X series high-risk vulnerability affect Xpand? If anyone knows about it, please give me a reply, thanks.
Re: log4j 1.X series high-risk vulnerability [message #1849514 is a reply to message #1849506] Sat, 22 January 2022 17:50
Ed Willink
Messages: 7518
Registered: July 2009
Senior Member
Hi

It is thought that many Eclipse projects use log4j 1.2.5 in a very trivial logging fashion that offers no opportunities for the esoteric hazard. Nobody is rushing to cure the not-a-problem.

Regards

Ed Willink
Re: log4j 1.X series high-risk vulnerability [message #1849534 is a reply to message #1849506] Mon, 24 January 2022 08:40
Karsten Thoms
Messages: 762
Registered: July 2009
Location: Dortmund, Germany
Senior Member

AFAIK the Log4Shell vulnerability is affecting log4j 2 only.
The vulnerability is only present when accessible from the net. Xpand is usually only used at build time anyway.
Re: log4j 1.X series high-risk vulnerability [message #1849536 is a reply to message #1849534] Mon, 24 January 2022 09:26
Ed Willink
Messages: 7518
Registered: July 2009
Senior Member
Hi

The cross-project thread did indeed identify that the recent threat is for Log4j 2, but also noted that there is an outstanding problem for log4j 1. My understanding is that if the logging of a message provides an opportunity for an external web entity to format the message, then a malicious external web entity can do bad things. I understand that the log4j 1 reloaded project [1] removes this dangerous flexibility. Of course normal programs just format and log the message locally without troubling the web. So not-a-problem. I suspect that the reloaded log4j will appear in Orbit soon and we will all use it.

Regards

Ed Willink

[1] https://reload4j.qos.ch/
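The first practical step behind the question in this thread is knowing which log4j artifact is actually on the classpath of an Xpand/Eclipse install. The following is an added example (not code from the forum, Xpand or reload4j) that walks a plugins directory and classifies each jar as log4j 1.x, log4j 2.x, reload4j or unrelated from its OSGi manifest or Maven pom.properties; the jars, their names and their versions are constructed in a temp directory so the check runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

def classify(name, version):
    """Bucket a jar by artifact name (OSGi Bundle-SymbolicName or Maven artifactId)."""
    n = name.lower()
    if "reload4j" in n:
        return "reload4j"        # maintained fork of the 1.2 line (reload4j.qos.ch)
    if n.startswith("org.apache.logging.log4j") or n.startswith("log4j-"):
        return "log4j-2.x"       # the branch the Log4Shell advisories concern
    if n in ("org.apache.log4j", "log4j") or (n.startswith("log4j") and version.startswith("1.")):
        return "log4j-1.x"       # end-of-life branch this thread asks about
    return "other"

def jar_metadata(jar):
    # Prefer the OSGi manifest (Eclipse bundles), then fall back to Maven pom.properties.
    with zipfile.ZipFile(jar) as z:
        names = z.namelist()
        if "META-INF/MANIFEST.MF" in names:
            text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            sym = re.search(r"^Bundle-SymbolicName:\s*([^;\r\n]+)", text, re.M)
            ver = re.search(r"^Bundle-Version:\s*(\S+)", text, re.M)
            if sym:
                return sym.group(1).strip(), (ver.group(1) if ver else "")
        for member in names:
            if member.startswith("META-INF/maven/") and member.endswith("/pom.properties"):
                lines = z.read(member).decode("utf-8", "replace").splitlines()
                props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
                return props.get("artifactId", "").strip(), props.get("version", "").strip()
    return "", ""

def scan(root):
    """Map every jar under root (relative POSIX path) to its classification."""
    return {j.relative_to(root).as_posix(): classify(*jar_metadata(j)) for j in sorted(root.rglob("*.jar"))}

def demo():
    """Constructed sample: three jars in a temporary plugins/ dir, laid out like an Eclipse install."""
    plugins = Path(tempfile.mkdtemp()) / "plugins"
    plugins.mkdir()
    samples = {  # constructed names and versions, not real Orbit or reload4j artifacts
        "org.apache.log4j_1.2.15.jar": {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nBundle-SymbolicName: org.apache.log4j;singleton:=false\r\nBundle-Version: 1.2.15\r\n\r\n"},
        "reload4j.jar": {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n\r\n", "META-INF/maven/ch.qos.reload4j/reload4j/pom.properties": "#constructed\ngroupId=ch.qos.reload4j\nartifactId=reload4j\nversion=1.2.19\n"},
        "org.example.tool.jar": {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nBundle-SymbolicName: org.example.tool\r\n\r\n"},
    }
    for jar, entries in samples.items():
        with zipfile.ZipFile(plugins / jar, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
    return scan(plugins.parent)
```

Point `scan()` at the `plugins/` directory of a real Eclipse installation to inventory it; anything reported as `log4j-1.x` is what the reload4j switch discussed above would replace.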