Eclipse Community Forums
Home » Newcomers » Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228
Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1848645] Sun, 12 December 2021 05:48
Santosh Kumar
We are using Eclipse 4.19 for our project for building tools. It uses WTP, EGit etc.

It uses org.apache.log4j_1.2.15.v201012070815.jar. We are wondering if this version is impacted by the critical vulnerability announced for Apache Log4j?

Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/

The maintainers of Apache Log4j released a new version, 2.15.0, yesterday.

Appreciate feedback and insights.

[Updated on: Sun, 12 December 2021 06:09]


Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1848646 is a reply to message #1848645] Sun, 12 December 2021 07:21
Ed Merks
You can follow this thread for ongoing discussions:

https://www.eclipse.org/lists/cross-project-issues-dev/msg18752.html

The short answer is not to confuse the bundle org.apache.log4j with the bundle org.apache.logging.log4j. The problem is specifically in the latter, not the former, and the latter, in the latest release, is used only by org.eclipse.passage.*, so if you don't have that installed you won't have the problematic bundle installed. Note too that it's also not clear that, even if you did install Passage, it logs content that can be subverted externally.

Using Help -> About -> Installation Details -> Plug-ins and typing org.apache.logging.log4j in the filter field, you can confirm that you don't have this problematic bundle installed for whatever (older) version of Eclipse you are using...


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1848665 is a reply to message #1848646] Mon, 13 December 2021 14:21
Santosh Kumar
Thank you, Ed, for the feedback. Appreciate the same.
Currently we don't have org.apache.logging.log4j. It's only using org.apache.log4j 1.2.15.

Is it a fair conclusion that org.apache.log4j 1.2.15 is not impacted by Log4Shell, given it's using log4j < 2.x?

Is there any place I can check/discuss plans for upgrading org.apache.log4j 1.2.15 to log4j 2.15 or higher in the coming future?

regards
Santosh
Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1848671 is a reply to message #1848665] Mon, 13 December 2021 15:54
Ed Merks
As I mentioned in that thread, it's specifically the class org.apache.logging.log4j.core.lookup.JndiLookup that is at fault, and neither that class nor even that package is provided by org.apache.log4j but rather by org.apache.logging.log4j. I don't think there is a pressing need to update org.apache.log4j itself, although it's very old. It's provided by the https://www.eclipse.org/orbit/ project, which has the https://www.eclipse.org/forums/index.php/f/84/ forum, but it's not very active. You could ask on their mailing list or open a Bugzilla enhancement request...

Ed Merks
Professional Support: https://www.macromodeling.com/
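The two checks Ed describes above (filter the installed plug-ins for org.apache.logging.log4j, and look for the JndiLookup class rather than for the name "log4j") can also be run from outside the IDE against an installation's plugins directory, which is what a security team auditing many workstations or RCP builds would do. The script below is an added example, not code from this thread or from any Eclipse project. It reads Bundle-SymbolicName from each bundle's MANIFEST.MF, tells the Log4j 1.x bundle (packages org.apache.log4j.*) apart from Log4j 2.x bundles (org.apache.logging.log4j.*), and reports which bundles actually contain org/apache/logging/log4j/core/lookup/JndiLookup.class, including jars nested on the bundle classpath and exploded bundle directories. The sample plugins directory it builds is constructed for the demonstration: the org.apache.logging.log4j.core_sample.jar file name and the stub class entries are not real Eclipse artifacts.

```python
"""Added example (not from the forum thread or any Eclipse project): scan an
Eclipse 'plugins' directory and report, per bundle, whether it is the Log4j 1.x
bundle (org.apache.log4j), a Log4j 2.x bundle (org.apache.logging.log4j*), and
whether it carries the JndiLookup class abused by CVE-2021-44228.
The sample directory, bundle file names and manifests below are constructed."""
from __future__ import annotations

import io
import os
import tempfile
import zipfile

# The class named in the thread: shipped by log4j-core 2.x, never by log4j 1.2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_bundle_symbolic_name(manifest_text: str) -> str:
    """Return Bundle-SymbolicName with directives (e.g. ;singleton:=true) dropped, or ''."""
    # OSGi manifests fold long headers onto continuation lines that start with a space.
    unfolded = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.split("\n"):
        if line.startswith("Bundle-SymbolicName:"):
            return line.split(":", 1)[1].split(";", 1)[0].strip()
    return ""


def jar_entry_names(jar: zipfile.ZipFile) -> set[str]:
    """All entries of a jar plus the entries of jars nested inside it (Bundle-ClassPath)."""
    names = set(jar.namelist())
    for n in list(names):
        if n.endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(jar.read(n))) as inner:
                    names.update(f"{n}!/{m}" for m in inner.namelist())
            except zipfile.BadZipFile:
                pass  # not really a jar; ignore it
    return names


def classify(bundle_file: str, bsn: str, names: set[str]) -> dict:
    """Flag which log4j generation a bundle carries and whether JndiLookup is present."""
    leaves = {n.split("!/", 1)[-1] for n in names}  # strip 'nested.jar!/' prefixes
    return {
        "file": bundle_file,
        "bundle": bsn,
        "log4j1": any(n.startswith("org/apache/log4j/") for n in leaves),
        "log4j2": any(n.startswith("org/apache/logging/log4j/") for n in leaves),
        "jndi_lookup": JNDI_LOOKUP in leaves,
    }


def scan_plugins_dir(plugins_dir: str) -> list[dict]:
    """Inspect every *.jar bundle and every exploded bundle directory under plugins_dir."""
    results = []
    for name in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, name)
        if name.endswith(".jar") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as jar:
                try:
                    manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                except KeyError:
                    manifest = ""
                results.append(classify(name, parse_bundle_symbolic_name(manifest),
                                        jar_entry_names(jar)))
        elif os.path.isdir(path):
            mf = os.path.join(path, "META-INF", "MANIFEST.MF")
            if not os.path.isfile(mf):
                continue  # not an OSGi bundle directory
            with open(mf, encoding="utf-8", errors="replace") as fh:
                manifest = fh.read()
            names = set()
            for dirpath, _, files in os.walk(path):
                for f in files:
                    rel = os.path.relpath(os.path.join(dirpath, f), path)
                    names.add(rel.replace(os.sep, "/"))
            results.append(classify(name, parse_bundle_symbolic_name(manifest), names))
    return results


def bundles_with_jndi_lookup(results: list[dict]) -> list[str]:
    return [r["file"] for r in results if r["jndi_lookup"]]


def make_sample_plugins_dir() -> str:
    """Constructed sample: the log4j 1.2.15 bundle from the thread and a hypothetical
    log4j-core 2.x bundle. Class entries hold only the class-file magic, not bytecode."""
    root = tempfile.mkdtemp(prefix="eclipse-plugins-")

    def write_jar(filename: str, bsn: str, entries: list[str]) -> None:
        manifest = f"Manifest-Version: 1.0\nBundle-SymbolicName: {bsn};singleton:=true\n\n"
        with zipfile.ZipFile(os.path.join(root, filename), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", manifest)
            for e in entries:
                z.writestr(e, b"\xca\xfe\xba\xbe")

    write_jar("org.apache.log4j_1.2.15.v201012070815.jar", "org.apache.log4j",
              ["org/apache/log4j/Logger.class"])
    write_jar("org.apache.logging.log4j.core_sample.jar", "org.apache.logging.log4j.core",
              ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP])
    return root


if __name__ == "__main__":
    for r in scan_plugins_dir(make_sample_plugins_dir()):
        flag = "CONTAINS JndiLookup" if r["jndi_lookup"] else "no JndiLookup"
        print(f"{r['file']}: bundle={r['bundle']} log4j1={r['log4j1']} "
              f"log4j2={r['log4j2']} {flag}")
```

Point scan_plugins_dir at a real installation's plugins directory to get the same report for it. The script deliberately keys on the class path rather than on the word "log4j", which is the distinction the thread turns on: org.apache.log4j_1.2.15 is reported as log4j1 with no JndiLookup, while a bundle that would be flagged is one whose entries include the org/apache/logging/log4j/core/lookup/JndiLookup.class file. It does not look at Log4j 2.x version numbers, so for a bundle that does contain the class you still need to check the bundle version against the fixed releases.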
Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1848674 is a reply to message #1848671] Mon, 13 December 2021 16:41
Santosh Kumar
Thank you, Ed, for the info. I will take this discussion to the Orbit channel.
Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1848777 is a reply to message #1848645] Thu, 16 December 2021 13:38
philipp huebner
The problem is that it won't matter whether this plugin includes the functionality or not. This release number alone will lead to the rejection of Eclipse applications by IT security.

To be able to release commercial software based on eclipse, this bundle needs to be updated!

[Updated on: Thu, 16 December 2021 13:41]


Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1848778 is a reply to message #1848777] Thu, 16 December 2021 14:02
Ed Merks
When facts don't matter, we've reached an impasse. Not that it matters, but these are the relevant facts for org.apache.log4j_1.2.15:

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2019-17571

But if we'd upgraded to what's suggested here two years ago, we'd now have the new, much more serious problem...


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1848852 is a reply to message #1848778] Tue, 21 December 2021 09:48
philipp huebner
Yes. Facts don't matter. Big company security teams will reject every piece of software that includes a vulnerable log4j, also the old one.

It is not a dead end. The way out is obvious. Eclipse needs to get rid of this way too old library, otherwise the IDE and RCP-based applications will be banned from corporate infrastructures. That's what they say.

[Updated on: Tue, 21 December 2021 10:16]


Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1848858 is a reply to message #1848852] Tue, 21 December 2021 11:45
Ed Merks
Is what you're explaining a fact? If so, does it matter?

Of course Eclipse projects will move forward from this point, but that doesn't happen in a day and it doesn't happen without cost. Are the corporations with infrastructure contributing? Some do, but many don't. That's what we notice.


Ed Merks
Professional Support: https://www.macromodeling.com/

[Updated on: Tue, 21 December 2021 11:46]


Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1849775 is a reply to message #1848858] Wed, 02 February 2022 11:04
philipp huebner
It is a fact. In this single case, big OEMs want to get rid of this library. Big OEMs which are members of the Eclipse consortium.

What does matter?
Does it matter that this affects years of work of single developers who built whole software stacks based on Eclipse RCP, which are fucked up because they use Eclipse RCP? That's the point here. It's not a matter of funding, but of trust in a whole ecosystem.

This is so urgent that it should be easy to get money for it. Nobody asks for money. I have the feeling that the urgency of the problem is not understood at all.

[Updated on: Wed, 02 February 2022 11:57]


Re: Is org.apache.log4j_1.2.15 impacted by critical CVE-2021-44228 [message #1849778 is a reply to message #1849775] Wed, 02 February 2022 13:18
Ed Merks
I would encourage these large OEMs that feel the problem is urgent to come and invest in a solution either by joining the Eclipse IDE working group:

https://ide-wg.eclipse.org/

Or by directly helping the developers and the projects on which the OEMs depend.

You'll see there's quite a bit of discussion about the log4j topic and many actions have been and are being taken:

https://www.eclipse.org/lists/cross-project-issues-dev/2022/Jan/index.html

I think it's the best we can do with the resources available. I would encourage anyone who feels the problem is urgent and that more should be done more quickly, to come and help.


Ed Merks
Professional Support: https://www.macromodeling.com/