Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Eclipse Scout » Eclipse Scout and log4j2 vulnerability (CVE-2021-44228)
Eclipse Scout and log4j2 vulnerability (CVE-2021-44228) [message #1848915] Thu, 23 December 2021 10:47
Matthias Villiger is currently offline Matthias VilligerFriend
Messages: 232
Registered: September 2011
Senior Member
Eclipse Scout Runtime

Eclipse Scout Runtime versions 10 or newer are not affected by the CVE-2021-44228 (log4shell) as Scout uses Logback by default.
Older releases are not supported anymore and do not get any security updates. Customers still running such version are encouraged to update to a supported version.

Although Scout itself is not affected, an application built with Scout might be in case (list makes no claim to be complete):
- Additional libraries are added which themselves bring a vulnerable log4j dependency.
- The Scout application is hosted in an environment (e.g. servlet container or Java application server) which brings a vulnerable log4j version.
- The application developer explicitly exchanged the default logger of Scout (Logback) to a vulnerable version of log4j.
In any case it is recommended to scan applications (including containers) using a vulnerability scanner (e.g. Simple local log4j vulnerability scanner).

You can find more information on how to detect and respond in the following documents:
- Apache Log4j Security Vulnerabilities & available Updates
- Mitre
- National Vulnerability Database (NIST)
- Guidance from Microsoft
- Eclipse and log4j2 vulnerability
- JetBrains and log4j2 vulnerability
- Bundesamt für Sicherheit in der Informationstechnik (in German)
- Security Advisories linked to Log4Shell



Eclipse Scout SDK

Eclipse Scout SDK is not affected by the CVE-2021-44228 (log4shell). This is valid for:
- The official Eclipse Scout Package (EPP) from the Eclipse download site.
- The Scout Plugin for Eclipse on the Scout P2 update site.
- The Scout Plugin for IntelliJ in the JetBrains plugin store.

[Updated on: Fri, 08 April 2022 09:54]

Report message to a moderator

Previous Topic:Eclipse Scout with MySQL or Maria DB
Next Topic:unable to create signature
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Apr 25 10:06:28 GMT 2024

Powered by FUDForum. Page generated in 0.02393 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly