Eclipse Community Forums
Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1850810] Thu, 17 March 2022 12:39
Manoj Kumar (Junior Member, registered March 2022)
We have been working on an eclipse plugin developer project which is an eclipse GUI tool where we deliver our business code as eclipse-plugins to our customers. So that, users can work with our business logic by installing it on top of the eclipse IDE as "install new software". FYI, we are working with the NEON 3 IDE.
The issue is with one of the eclipse-delivered plugins which is the log4j 1.2.15 version where a vulnerability is present (JmsAppender.class and SimpleSocketServer.class) under the org/apache/log4j/net package, and we are using the same eclipse-delivered log4j 1.2.15 version in our business code both at compile time and at runtime / in the user environment. We are trying to uplift the log4j version to the latest (2.x.x), where we are facing an issue in the customer environment because some of the eclipse plugins (xtext, etc...) are still referring to the eclipse-delivered log4j_1.2.15 and they fail even though we provide the latest log4j (2.x.x) on the buildpath.
From a lot of troubleshooting and testing we find that the eclipse-provided 3pps which we use in the project, like xtext, fail in the user environment, as the eclipse-delivered 3pp plugins refer to log4j 1.2.15 even though we implement changes by providing log4j 2.x.x on the build path.

Could you please help in suggesting the way forward regarding this issue, as it is related to eclipse 3pp plugins?
Could you please provide the eclipse Neon 3 IDE with log4j 2.17.x where the vulnerability is minimized / Is there any plan for a release with the vulnerability-free log4j 2.17.x at the /eclipse/plugins/ path, as our project is tightly coupled with the eclipse Neon 3 IDE?

We need eclipse IDE team support regarding this issue.
Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1850822 is a reply to message #1850810] Thu, 17 March 2022 15:16
Ed Merks (Senior Member, registered July 2009)
There will be no updates to Neon. Use the latest 2022-03 release instead. Please read this thread:

https://www.eclipse.org/forums/index.php/t/1110313/


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1851010 is a reply to message #1850822] Thu, 24 March 2022 13:20
Manoj Kumar (Junior Member, registered March 2022)
Hi Ed Merks,
As you suggested, I have downloaded the 2022-03 release of the Eclipse IDE for Java developers, where I have noticed that there are still references to the old version of log4j (i.e. org.apache.log4j_1.X). For example (org.apache.commons.logging -> META-INF -> MANIFEST.MF).
Also I see that some of the plugins have been removed as well.
As I have mentioned, my project is completely dependent on Eclipse IDE plugins, where we are providing modeling features to our users in the runtime eclipse environment.

We are looking for an updated eclipse IDE where all org.apache.log4j (i.e. 1.x) version references have been removed.
Could you please help with this issue?
Thanks & Regards
Manojkumar

Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1851013 is a reply to message #1851010] Thu, 24 March 2022 13:38
Ed Merks (Senior Member, registered July 2009)
https://www.eclipse.org/forums/index.php/mv/msg/1110313/1851011/#msg_1851011

Ed Merks
Professional Support: https://www.macromodeling.com/
Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1851112 is a reply to message #1851013] Mon, 28 March 2022 10:00
Manoj Kumar (Junior Member, registered March 2022)
Hi Ed Merks,
Thanks for providing the information.
As per my company security team's discussions, we have two vulnerable classes inside the log4j 1.x version. Please find the two vulnerable classes, JMSAppender and SocketServer, in the package (org.apache.log4j.net) of the log4j 1.x version.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
The above vulnerabilities have been flagged even in the maven repository (https://mvnrepository.com/artifact/log4j/log4j/1.2.15).
Could you please help with support for the latest version of log4j, or a complete migration to JUL (java.util.logging), as we can still see that the latest Eclipse IDE 2022-03 (provided by you above) is internally referring to the older log4j (org.apache.log4j)?
FYI, org.apache.log4j is referenced in apache commons and in most of the plugins delivered with the latest eclipse ide (Example: (org.apache.commons.logging -> META-INF -> MANIFEST.MF)).

Thanks & Regards
Manojkumar
Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1851116 is a reply to message #1851112] Mon, 28 March 2022 10:47
Ed Merks (Senior Member, registered July 2009)
Did you look at this page to see that version 1.2.19, shipped with Eclipse IDE 2022-03, fixes both the CVEs you mention?

https://reload4j.qos.ch/

There is nothing left to do.


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1851118 is a reply to message #1851112] Mon, 28 March 2022 10:58
Thomas Wolf (Senior Member, registered August 2016)
Neither the Java nor the JavaEE Eclipse packages contain org.apache.log4j. Bundle org.apache.commons.logging has in its MANIFEST an optional dependency on org.apache.log4j without version range. But as there is no org.apache.log4j included in Eclipse, this is a complete no-op. If you build your own application, make sure to either not include org.apache.log4j as well or include a fixed version (see the link Ed gave).
Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1851138 is a reply to message #1851118] Mon, 28 March 2022 16:23
Manoj Kumar (Junior Member, registered March 2022)
Hi Ed Merks and Thomas,

@Ed Merks, yeah, the vulnerable classes (JmsAppender and SocketServer) are still present in Eclipse 2022-03 (the latest Eclipse IDE provided by you, delivering the log4j 1.2.19 version under the package {org.apache.log4j.net}), and also most of the plugins present in the latest eclipse repository (2022-03 - https://download.eclipse.org/releases/2022-03/) are still affected by this issue. Please check (org.eclipse.xtext.ui.ecore_2.26.0.v20220228-0812.jar) from the 2022-03 repository, where it is directly trying to import (Import-Package: org.apache.log4j;version="1.2.15"), and we have also been seeing this type of reference in most of the latest eclipse plugins. From our troubleshooting, the vulnerabilities are not completely removed, and this creates blocking issues/problems in the runtime eclipse where internal imports fail; this is the case which we are facing in our customer environment.

@Thomas Wolf, as I have mentioned above, even though we do not include the log4j which is provided by the Eclipse IDE (latest 2022-03) in our project, the impact is the same in the runtime environment, as other eclipse plugins are calling (org.apache.log4j) at runtime and it fails because the runtime eclipse is unable to find the log4j jar. So this has completely blocked our customer environment and we need your support on this issue.

Could you help regarding the queries below?
Is there any plan to release the latest Eclipse IDE with log4j 2.x.x (latest) under plugins, where the vulnerabilities are not present, and to remove internal references both in the plugins delivered with the eclipse ide (I mean plugins bundled with the eclipse ide software) as well as in the repository plugins (2022-03 - https://download.eclipse.org/releases/2022-03)?
Why is there a version mismatch in the eclipse plugins (not all plugins are on track, i.e. not using the same version of other dependency plugins (in our case log4j))?


Thanks a lot for providing quick responses.

Thanks & Regards
Manojkumar
Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1851141 is a reply to message #1851138] Mon, 28 March 2022 20:19
Thomas Wolf (Senior Member, registered August 2016)
Import-Package: org.apache.log4j;version="1.2.15" is a lower bound. If you include the 1.2.19 version, xtext will use that.

If you want to request that this lower bound be increased, please file a bug at https://github.com/eclipse/xtext-eclipse.
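As an added illustration of the point above (this is not code from the thread, from Eclipse or from Xtext): a small Python checker that parses an OSGi Import-Package header, picks out the version attribute of the org.apache.log4j clause and tests whether a shipped log4j bundle version would resolve it, applying the OSGi rule that a bare version such as "1.2.15" is a lower bound while a bracketed form such as "[1.2.15,2.0.0)" is an explicit range. The sample header is constructed around the clause quoted in the thread; the function and constant names are assumptions.

```python
import re

# Constructed sample Import-Package header built around the xtext clause quoted in the thread.
SAMPLE_XTEXT_IMPORT = 'org.eclipse.core.runtime,org.apache.log4j;version="1.2.15",org.osgi.framework'

def parse_version(text):
    """OSGi version major.minor.micro[.qualifier]: numeric parts compare as ints, qualifier as a string."""
    parts = text.strip().split(".", 3)
    nums = [int(p) for p in parts[:3]] + [0] * (3 - min(len(parts), 3))
    qualifier = parts[3] if len(parts) == 4 else ""
    return (*nums, qualifier)

def parse_range(spec):
    """Return (low, low_inclusive, high, high_inclusive); a bare version means [low, infinity)."""
    m = re.fullmatch(r"\s*([\[(])([^,]+),([^\])]+)([\])])\s*", spec)
    if m is None:
        return parse_version(spec), True, None, False
    lo_br, lo, hi, hi_br = m.groups()
    return parse_version(lo), lo_br == "[", parse_version(hi), hi_br == "]"

def in_range(version, rng):
    v = parse_version(version)
    low, low_inc, high, high_inc = rng
    if v < low or (v == low and not low_inc):
        return False
    if high is None:
        return True
    return v < high or (v == high and high_inc)

def log4j_version_spec(import_package):
    """Version attribute of the org.apache.log4j clause: None if not imported, '' if unconstrained."""
    # Split on commas that are outside double quotes, so quoted ranges stay intact.
    for clause in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', import_package):
        parts = [p.strip() for p in clause.split(";")]
        if parts[0] != "org.apache.log4j":
            continue
        for attr in parts[1:]:
            if attr.startswith("version="):
                return attr.split("=", 1)[1].strip('"')
        return ""
    return None

def log4j_import_resolves(import_package, shipped_version):
    """True if a bundle exporting org.apache.log4j at shipped_version satisfies the import."""
    spec = log4j_version_spec(import_package)
    if spec is None or spec == "":
        return True  # not imported at all, or imported with no version constraint
    return in_range(shipped_version, parse_range(spec))
```

Running `log4j_import_resolves(SAMPLE_XTEXT_IMPORT, "1.2.19")` returns True while "1.2.14" returns False, which is the lower-bound behaviour described above; the same header scanned against a real plugin directory's MANIFEST.MF files would show which bundles still depend on org.apache.log4j.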
Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1851204 is a reply to message #1851141] Wed, 30 March 2022 13:42
Manoj Kumar (Junior Member, registered March 2022)
Hi,

We have been facing issues with multiple eclipse plugins which are installed from eclipse repositories, and some of them have been removed.

Some of the plugins are not available to install from the repository. Example:
org.eclipse.papyrus.dsml.validation
com.adocus.mma.core
com.adocus.alm.flexnetrt
com.adocus.mma.papyrus.v2
Model comparison (EMF Compare) - Papyrus support

Also, if we exclude the log4j plugin in our project we face runtime eclipse issues because of internal references.

Could you please help by providing the link to the eclipse repository plugins forum where we can raise a support request?

Could you please provide information on any plan to move the complete Eclipse IDE and the latest Eclipse repository plugins to JUL?

Thanks a lot for the information.

Thanks & Regards
Manojkumar
Re: Developer Issue with eclipse Neon IDE delivering log4j 1.2.15 version which is vulnerability [message #1851207 is a reply to message #1851204] Wed, 30 March 2022 15:05
Ed Merks (Senior Member, registered July 2009)
I'm just answering questions here for free. So it's nice you ask please, but I make actual money doing things other than answering questions so you should mostly expect to do your own homework and you should mostly expect that when you get free things, you'll need to do more than raise support requests for them to be changed, i.e., you'll need to get involved directly or sponsor other people to do your work for you.

These are the two projects that you're referring to, so you can find information about them there:

https://www.eclipse.org/papyrus/
https://www.eclipse.org/emf/compare/

But again, offers to get involved or to sponsor development will be much more likely to produce results than support requests...

These are instructions you can use to try to find repositories hosted at Eclipse:

https://wiki.eclipse.org/Eclipse_Oomph_Authoring#How_to_find_a_P2_repository_at_Eclipse_using_the_Repository_Explorer

Clearly com.adocus.* doesn't come from Eclipse.

I have no idea what JUL is but I'm pretty sure there are no plans to move repositories elsewhere.


Ed Merks
Professional Support: https://www.macromodeling.com/