Eclipse Community Forums » Newcomers » Log4j vulnerability in Eclipse IDE tool
Log4j vulnerability in Eclipse IDE tool [message #1850767] Wed, 16 March 2022 13:20
prameel kumar (Messages: 3, Registered: March 2022, Junior Member)
Hello All,

We want to use Eclipse IDE, but when we try to install the software on our systems, it detects log4j files in the directory where Eclipse is installed, so our IT team is asking whether we have any evidence that these are false-positive alerts before going further with the installation.

Can I know whether installing Eclipse IDE has any log4j vulnerability issue?
Re: Log4j vulnerability in Eclipse IDE tool [message #1850773 is a reply to message #1850767] Wed, 16 March 2022 15:00
Ed Merks (Messages: 33113, Registered: July 2009, Senior Member)
The 2022-03 release, just made available today, has only log4j versions that have fixed the CVEs that you appear to be concerned about.

Here's a report of the contents of the release:

https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/releases/2022-03/202203161000/index.html

These two versions are the fixed versions:

org.apache.log4j 1.2.19.v20220208-1728
org.apache.logging.log4j 2.17.1.v20220106-2156

Get it here:

https://www.eclipse.org/downloads/packages/


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: Log4j vulnerability in Eclipse IDE tool [message #1851011 is a reply to message #1850773] Thu, 24 March 2022 13:20
Manoj Kumar (Messages: 6, Registered: March 2022, Junior Member)
Hi Ed Merks,
As you suggested, I have downloaded the 2022-03 release of the Eclipse Java developers IDE, where I have noticed that there are still references to the old version of log4j (i.e. org.apache.log4j_1.X). For example (org.apache.commons.logging -> META-INF -> MANIFEST.MF).
Also I see that some of the plugins have been removed as well.
As I have mentioned, my project is completely dependent on Eclipse IDE plugins, where we are providing modeling features to our users in a runtime Eclipse environment.

We are looking for an updated Eclipse IDE where all org.apache.log4j (i.e. 1.x) version references have been removed.
Could you please help with this issue?
Thanks & Regards
Manojkumar
Re: Log4j vulnerability in Eclipse IDE tool [message #1851012 is a reply to message #1851011] Thu, 24 March 2022 13:37
Ed Merks (Messages: 33113, Registered: July 2009, Senior Member)
The bundle org.apache.log4j 1.2.19.v20220208-1728 is a new version that is free of CVEs:

https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574

It comes from here, where you can see all the CVEs of older versions that are fixed in this latest new version:

https://reload4j.qos.ch/

The 1.2.x version was never affected by CVE-2021-44228:

https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)

That "famous" CVE only affected 2.x versions...


Ed Merks
Professional Support: https://www.macromodeling.com/
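The distinction the thread turns on, a bundled copy of log4j versus a plugin whose MANIFEST.MF merely imports the log4j package, is exactly what a scanner alert does not tell you. The Python script below is an added example, not code from the thread or from the Eclipse project: it reads each bundle's META-INF/MANIFEST.MF under an Eclipse plugins/ directory (exploded folders and jars), compares the version of any log4j bundle against the two versions Ed lists for the 2022-03 release, and reports bundles that only reference org.apache.log4j in Import-Package or Require-Bundle separately. The sample manifests, folder names and the "review" verdict for anything below that baseline are constructed assumptions for the demo.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Baseline: the two log4j bundle versions the thread says Eclipse 2022-03 ships.
# Anything older is flagged for review; the .vYYYYMMDD-HHMM qualifier is ignored.
BASELINE: Dict[str, Tuple[int, ...]] = {
    "org.apache.log4j": (1, 2, 19),          # reload4j-based rebuild of log4j 1.2.x
    "org.apache.logging.log4j": (2, 17, 1),  # log4j 2.x with CVE-2021-44228 fixed
}

# Constructed sample manifests (not copied from any real bundle). Keys mimic
# Eclipse plugin folder/jar names; the commons.logging one uses wrapped lines.
SAMPLES: Dict[str, str] = {
    "org.apache.logging.log4j_2.17.1.v20220106-2156": (
        "Manifest-Version: 1.0\n"
        "Bundle-SymbolicName: org.apache.logging.log4j;singleton:=true\n"
        "Bundle-Version: 2.17.1.v20220106-2156\n"),
    "org.apache.logging.log4j_2.14.1.v20210301-0000": (
        "Manifest-Version: 1.0\n"
        "Bundle-SymbolicName: org.apache.logging.log4j\n"
        "Bundle-Version: 2.14.1.v20210301-0000\n"),
    "org.apache.log4j_1.2.19.v20220208-1728": (
        "Manifest-Version: 1.0\n"
        "Bundle-SymbolicName: org.apache.log4j\n"
        "Bundle-Version: 1.2.19.v20220208-1728\n"),
    "org.apache.commons.logging_1.2.0.v20000101-0000": (
        "Manifest-Version: 1.0\n"
        "Bundle-SymbolicName: org.apache.commons.logging\n"
        "Bundle-Version: 1.2.0.v20000101-0000\n"
        "Import-Package: javax.servlet;resolution:=optional,org.apache.avalon.frame\n"
        " work.logger;resolution:=optional,org.apache.log4j;version=\"[1.2.15,2.0.0)\"\n"
        " ;resolution:=optional\n"),
}


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a JAR/OSGi MANIFEST.MF into a header dict. A line starting with a
    single space continues the previous header (the JAR 72-byte wrap rule)."""
    headers: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last is not None:
            headers[last] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue
        last = name.strip()
        headers[last] = value.strip()
    return headers


def bundle_version(value: str) -> Tuple[int, ...]:
    """'2.17.1.v20220106-2156' -> (2, 17, 1); unparseable -> (0, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", value)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)


def classify(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, detail) for one bundle manifest."""
    name = headers.get("Bundle-SymbolicName", "").split(";")[0].strip()
    version = bundle_version(headers.get("Bundle-Version", "0.0.0"))
    if name in BASELINE:
        if version >= BASELINE[name]:
            return "ok", f"{name} {version} is at or above the 2022-03 baseline"
        return "review", f"{name} {version} is older than the 2022-03 baseline"
    deps = headers.get("Require-Bundle", "") + " " + headers.get("Import-Package", "")
    if "org.apache.log4j" in deps or "org.apache.logging.log4j" in deps:
        return "reference-only", f"{name} imports log4j but does not bundle it"
    return "unrelated", name


def scan_plugins(plugins_dir: str) -> List[Tuple[str, str, str]]:
    """Classify every exploded bundle folder and .jar directly under plugins/."""
    results = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        text = None
        if os.path.isdir(path):
            mf = os.path.join(path, "META-INF", "MANIFEST.MF")
            if os.path.isfile(mf):
                with open(mf, encoding="utf-8", errors="replace") as f:
                    text = f.read()
        elif entry.endswith(".jar") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as z:
                if "META-INF/MANIFEST.MF" in z.namelist():
                    text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        if text is not None:
            verdict, detail = classify(parse_manifest(text))
            results.append((entry, verdict, detail))
    return results


def demo() -> List[Tuple[str, str, str]]:
    """Write the constructed manifests into a throwaway plugins/ directory
    (commons.logging as an exploded folder, the rest as jars) and scan it."""
    root = tempfile.mkdtemp(prefix="eclipse-plugins-")
    for name, text in SAMPLES.items():
        if name.startswith("org.apache.commons.logging"):
            os.makedirs(os.path.join(root, name, "META-INF"))
            with open(os.path.join(root, name, "META-INF", "MANIFEST.MF"), "w") as f:
                f.write(text)
        else:
            with zipfile.ZipFile(os.path.join(root, name + ".jar"), "w") as z:
                z.writestr("META-INF/MANIFEST.MF", text)
    return scan_plugins(root)


if __name__ == "__main__":
    for entry, verdict, detail in demo():
        print(f"{verdict:15} {entry}: {detail}")
```

Run against a real install with `scan_plugins("/path/to/eclipse/plugins")`. A "reference-only" result is the evidence the original poster's IT team asked for: the bundle depends on the log4j API but carries no log4j classes, so it is the version of the org.apache.log4j and org.apache.logging.log4j bundles themselves that decides exposure.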