Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

To my understanding... adding to the eclipse.ini a "-Dlog4j2.formatMsgNoLookups=true" would solve the issue. Any way to do it globally?

From: cross-project-issues-dev <cross-project-issues-dev-bounces@xxxxxxxxxxx> on behalf of Denis Roy <denis.roy@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, December 10, 2021 4:14 PM
To: cross-project-issues-dev@xxxxxxxxxxx <cross-project-issues-dev@xxxxxxxxxxx>
Subject: Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?
 

Ed,


Just want to say -- these tools you write are freekin' amazing.


Thanks





On 2021-12-10 16:11, Ed Merks wrote:

Denis,


I believe that only Passage depends on this older version:



The SimRel dependency analysis tool I'm currently developing will be able to give a more definitive answer...


Regards,
Ed


On 10.12.2021 20:49, Denis Roy wrote:

So, yes, Eclipse 2021-12 is vulnerable as 2.0.0 < 2.8.2 < 2.14.1




On 2021-12-10 14:39, Ed Merks wrote:

Denis,


You can see the versions of log4j in the 2021-12 release here:


https://www.eclipse.org/downloads/download.php?format=xml&file=/releases/2021-12/202112081000&countryCode=us&timeZone=1&format=xml


These I think:



On 10.12.2021 20:11, Denis Roy wrote:

I guess I'm trying to determine if there are any versions of Eclipse, Jetty, jGit, etc that are vulnerable.


For instance, we use Gerrit 3.2.7, which may contain a vulnerability.


Denis





On 2021-12-10 14:02, Matthew Khouzam via cross-project-issues-dev wrote:
It's for log4j2 between 2.0.0 and 2.14.1

From: cross-project-issues-dev <cross-project-issues-dev-bounces@xxxxxxxxxxx> on behalf of Denis Roy <denis.roy@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, December 10, 2021 1:46 PM
To: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Subject: [cross-project-issues-dev] log4j vulnerability in Eclipse?
 

Hi Folks,

As you may be aware, an important vulnerability has been discovered in log4j.

If I recall, log4j is used in Eclipse components.  Does anyone have a feel for our current state?  Is 2021-12 affected?

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/


Denis
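
The two checks discussed in this thread, as an added example that is not part of the original messages or of any Eclipse tooling: it compares log4j jar versions against the 2.0.0 to 2.14.1 range and checks whether eclipse.ini carries the flag after `-vmargs`. The jar file names, the sample eclipse.ini, the function names and the 2.10.0 floor for the property (taken from the Apache Log4j advisory, not from this thread) are assumptions.

```python
import re

# Affected range as stated in the thread: log4j2 between 2.0.0 and 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Assumption (Apache Log4j advisory): the property is honoured only by 2.10.0 and later.
FLAG_MIN = (2, 10, 0)
FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# Assumed naming: <something containing log4j>, then "_" or "-", then major.minor.patch.
JAR_RE = re.compile(r"[\w.\-]*log4j[\w.\-]*?[_-](\d+)\.(\d+)\.(\d+)")

# Constructed sample inputs, not taken from a real Eclipse installation.
SAMPLE_JARS = ["org.apache.logging.log4j_2.8.2.v20211210-0000.jar",
               "log4j-core-2.14.1.jar", "log4j-core-2.17.1.jar",
               "org.eclipse.jgit_6.0.0.jar"]
SAMPLE_INI = "-startup\nplugins/launcher.jar\n-vmargs\n-Xmx1024m\n" + FLAG + "\n"

def jar_version(filename):
    """Return (major, minor, patch) for a log4j jar, or None for other files."""
    m = JAR_RE.match(filename)
    return tuple(int(g) for g in m.groups()) if m else None

def flag_in_vmargs(ini_text):
    """True if FLAG is on its own line after -vmargs; JVM options only count there."""
    lines = [line.strip() for line in ini_text.splitlines()]
    if "-vmargs" not in lines:
        return False
    return FLAG in lines[lines.index("-vmargs") + 1:]

def assess(filenames, ini_text):
    """Map each log4j jar to a status; files that are not log4j jars are skipped."""
    flag_set = flag_in_vmargs(ini_text)
    report = {}
    for name in filenames:
        ver = jar_version(name)
        if ver is None:
            continue
        if not (AFFECTED_MIN <= ver <= AFFECTED_MAX):
            report[name] = "outside affected range"
        elif ver < FLAG_MIN:
            report[name] = "affected, flag has no effect: upgrade"
        else:
            report[name] = "affected, flag applied" if flag_set else "affected, flag missing"
    return report

if __name__ == "__main__":
    for jar, status in assess(SAMPLE_JARS, SAMPLE_INI).items():
        print(f"{jar}: {status}")
```
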


