Eclipse Scout and log4j2 vulnerability (CVE-2021-44228) [message #1848915] Thu, 23 December 2021 10:47
Matthias Villiger
Eclipse Scout Runtime

Eclipse Scout Runtime versions 10 or newer are not affected by the CVE-2021-44228 (log4shell) as Scout uses Logback by default.
Older releases are not supported anymore and do not get any security updates. Customers still running such a version are encouraged to update to a supported version.

Although Scout itself is not affected, an application built with Scout might be if (this list makes no claim to be complete):
- Additional libraries are added which themselves bring a vulnerable log4j dependency.
- The Scout application is hosted in an environment (e.g. servlet container or Java application server) which brings a vulnerable log4j version.
- The application developer explicitly exchanged the default logger of Scout (Logback) for a vulnerable version of log4j.
In any case it is recommended to scan applications (including containers) using a vulnerability scanner (e.g. Simple local log4j vulnerability scanner).

You can find more information on how to detect and respond in the following documents:
- Apache Log4j Security Vulnerabilities & available Updates
- Mitre
- National Vulnerability Database (NIST)
- Guidance from Microsoft
- Eclipse and log4j2 vulnerability
- JetBrains and log4j2 vulnerability
- Bundesamt für Sicherheit in der Informationstechnik (in German)
- Security Advisories linked to Log4Shell

Eclipse Scout SDK

Eclipse Scout SDK is not affected by the CVE-2021-44228 (log4shell). This is valid for:
- The official Eclipse Scout Package (EPP) from the Eclipse download site.
- The Scout Plugin for Eclipse on the Scout P2 update site.
- The Scout Plugin for IntelliJ in the JetBrains plugin store.

[Updated on: Fri, 08 April 2022 09:54]
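
The scan recommended in the post, sketched as an added example (not code from the post or from the Scout project): it looks for log4j-core's `JndiLookup.class` inside JAR/WAR/EAR files, including JARs nested under `WEB-INF/lib`, and reports the bundled version so it can be compared against the Apache advisory. The function names are hypothetical; the class path and `pom.properties` location are the standard ones in log4j-core, and the sample WAR is constructed.

```python
import io, pathlib, tempfile, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def scan_archive(source, label):
    """Return (location, version) for each archive holding JndiLookup.class."""
    hits = []
    try:
        with zipfile.ZipFile(source) as zf:
            names = set(zf.namelist())
            if JNDI_LOOKUP in names:  # fat/shaded JARs may lack pom.properties
                props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
                version = next((l[8:].strip() for l in props.splitlines() if l.startswith("version=")), "unknown")
                hits.append((label, version))
            for name in sorted(names):  # recurse into WEB-INF/lib/*.jar and similar
                if name.lower().endswith(ARCHIVE_EXTS):
                    hits += scan_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}")
    except (zipfile.BadZipFile, OSError):
        pass  # not a readable archive; skip it
    return hits

def scan_tree(root):
    """Scan every archive under a directory (deployment dir, unpacked image layer)."""
    hits = []
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            hits += scan_archive(path, str(path))
    return hits

def make_archive(entries):
    """Build an in-memory archive from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Constructed WAR: Logback plus a log4j-core JAR pulled in by a library."""
    log4j = make_archive({JNDI_LOOKUP: b"stub", POM_PROPS: b"version=2.14.1\n"})
    logback = make_archive({"ch/qos/logback/classic/Logger.class": b"stub"})
    war = make_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": log4j,
                        "WEB-INF/lib/logback-classic.jar": logback})
    with tempfile.TemporaryDirectory() as root:
        pathlib.Path(root, "app.war").write_bytes(war)
        return [(loc[len(root) + 1:], ver) for loc, ver in scan_tree(root)]

if __name__ == "__main__":
    print(demo())
```

A hit only shows that log4j-core 2.x is packaged at that location; a version of `unknown` means the archive has to be inspected by other means, such as a dedicated vulnerability scanner.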
