
Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse?

Just to avoid any confusion such as that which Ed Willink mentioned, the https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 issue is specifically about the class org.apache.logging.log4j.core/lookup.JndiLookup, which is not in a package provided by org.apache.log4j but rather in a package provided by org.apache.logging.log4j, as illustrated here in a CBI p2 aggregator repo view:

Based on the analysis tool I've been developing for better managing SimRel, e.g., to provide traceability and dependency analysis, it's definitely the case that only Passage depends on this bundle:


Specifically via bundle requirements (as opposed to package requirements):


Those requirements have no upper bound, only an inclusive lower bound, such that they will resolve and use any higher version of org.apache.logging.log4j. As such, installing Passage with https://download.eclipse.org/tools/orbit/downloads/drops2/I20211211225428/repository in the available sites and enabling the use of those does install the newer version:


The bad news is that the RCP/RAP package contains Passage and hence the bad version of the org.apache.logging.log4j bundle.

What's not clear is whether Passage actually logs messages whose content can be externally subverted/exploited via contact to the web, and whether such activity is actually enabled by default, e.g., in the RCP/RAP package...

Regards,
Ed
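
An added example, not from this thread and not Passage's or Orbit's own code, of the resolution rule described above: an OSGi `bundle-version` with only an inclusive lower bound admits any higher version, so a patched log4j bundle can be selected, whereas a capped range would keep the old one. The Require-Bundle header, bundle names and ranges below are constructed for illustration.

```python
import re

def parse_version(text):
    """OSGi version major.minor.micro[.qualifier]; missing numeric parts are 0.
    Numeric segments compare numerically (so 2.15 > 2.9), the qualifier as text."""
    parts = text.strip().split(".", 3)
    nums = [int(p) for p in parts[:3]] + [0] * (3 - min(len(parts), 3))
    qualifier = parts[3] if len(parts) > 3 else ""
    return (*nums, qualifier)

def parse_range(text):
    """'[low,high)'-style interval, or a bare version meaning [version, infinity):
    the 'no upper bound, inclusive lower bound' form. Returns
    (low, low_inclusive, high_or_None, high_inclusive)."""
    m = re.fullmatch(r"([\[(])\s*([^,]+)\s*,\s*([^\])]+)\s*([\])])", text.strip())
    if not m:
        return (parse_version(text), True, None, False)
    return (parse_version(m.group(2)), m.group(1) == "[",
            parse_version(m.group(3)), m.group(4) == "]")

def in_range(version, vrange):
    low, low_incl, high, high_incl = vrange
    v = parse_version(version)
    if v < low or (v == low and not low_incl):
        return False
    if high is None:          # unbounded above: any newer version resolves
        return True
    return v < high or (v == high and high_incl)

def split_clauses(header):
    """Split a Require-Bundle value on commas that are not inside a version range."""
    clauses, cur, depth = [], [], 0
    for ch in header:
        depth += (ch in "[(") - (ch in "])")
        if ch == "," and depth == 0:
            clauses.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    clauses.append("".join(cur))
    return [c.strip() for c in clauses if c.strip()]

def accepted_versions(header, candidate):
    """Map each required bundle to whether `candidate` satisfies its range.
    A clause without bundle-version is unbounded (0.0.0 lower bound)."""
    report = {}
    for clause in split_clauses(header):
        name, *attrs = [p.strip() for p in clause.split(";")]
        vrange = parse_range("0.0.0")
        for attr in attrs:
            m = re.fullmatch(r'bundle-version\s*=\s*"?([^"]*)"?', attr)
            if m:
                vrange = parse_range(m.group(1))
        report[name] = in_range(candidate, vrange)
    return report

# Constructed header (assumption, not Passage's real manifest): first clause has only
# an inclusive lower bound, the second is capped below 2.9.0.
SAMPLE_REQUIRE_BUNDLE = ('org.apache.logging.log4j;bundle-version="2.8.2",'
                         'org.apache.logging.log4j.core;bundle-version="[2.8.2,2.9.0)"')

if __name__ == "__main__":
    for bundle, ok in accepted_versions(SAMPLE_REQUIRE_BUNDLE, "2.15.0").items():
        print(f"{bundle}: {'resolves to' if ok else 'rejects'} 2.15.0")
```

Running it reports that the unbounded clause resolves to 2.15.0 while the capped clause rejects it, which is the check to run against an installed feature's requirements before trusting an Orbit update to take effect.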


On 11.12.2021 20:48, Gunnar Wagenknecht wrote:
Thanks Matthias!

According to Wayne, 2.15 has already been vetted and is good for use:
https://www.eclipse.org/lists/eclipse.org-committers/msg01333.html

-Gunnar

-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/



On Dec 11, 2021, at 20:36, Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:

On Sat, Dec 11, 2021 at 11:35 AM Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote:
Alexander,

On Dec 11, 2021, at 10:16, Alexander Fedorov <alexander.fedorov@xxxxxxxxxx> wrote:
It would be great to learn the vulnerability clean-up process with the Eclipse Orbit team to then apply it to Eclipse Passage.


There is no Orbit team. Orbit is driven by project committers using/needing libraries in Orbit.
I encourage the Eclipse Passage project to submit a Gerrit review for a newer version.

Considering the buzz around this vulnerability, I went ahead and pushed an update to log4j 2.15 for Orbit.
Note that the required ClearlyDefined score isn't reached yet; if this doesn't change soon,
maybe someone can contribute the missing information to ClearlyDefined, or
we file CQs to get the license approval for the new version.

You can also try a new way as described by Mickael here:

-Gunnar
_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev


