Re: [eclipse-dev] Eclipse-Dev Jars: Apache Log4j Tool : Zero Day in Ubiq

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [eclipse-dev] Eclipse-Dev Jars: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

From: Karsten Thoms <karsten.thoms@xxxxxxxxxxx>
Date: Thu, 16 Dec 2021 07:55:57 +0000
Accept-language: de-DE, en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=karakun.com; dmarc=pass action=none header.from=karakun.com; dkim=pass header.d=karakun.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=LNwTNhBZEqqyXiLySKizc8aQAH8ePwKhUkLukzci4yw=; b=geVnTWST4DZs3ylZ6qbTGKMN8zGS6PIfy3QFVmX90HT3IR8nJbLf/tddJSKtAcxHh0ovrh8qKveJf7XDsNStKlOSxfMqpWGxplRCpQumiy1lO0LMTf2oHLV7L5xZhGY+MqcKuwVGyN1lfoDn9qjkfyd6S+0ibyxWbRzbMxFndOQML4USrcQ131aRyyHCHkIeq5zhDGMkbR7kjZ+C/pwpqBenXAdOkoD+KEgBJMN2ASbyP0na2Vp+1HTJLLgVNzG8O2z9rjmJOerMS15o2jJKWwzo2QQe1gv9TqRVI/S4YooxfFpgrejFQMgnfREoDAanzEXWN+LQgAD0sUgYmfS+HA==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Zo62DncMWRLD+pvFo67FvYc6lUZSYj5ctl+xIPjTMgRrFJ2/XOYLfSdaQ8GJpLzSgkX07jvXyNy2wdOYlH9PrmzZRs5HSh8uGN/ZFJKlsob2fgMNbSe6GxRX5F5IIVlCP5jWis2uWzDmENnXMcqH0QP+L5394hOQNeclTFMbdFBdDRpuaZ1LiRvoY3CLWSjyW3iNwmW4p6WLv85lf/ylbuhhVNjzWPnAb41Ad9xIOZtoOPUSjXg450A6PKaGmCncl/LWYY+PAllqg2nwEL3mbQ/ik3CblbFvr4Ol48AIzmFv7ahNu7jf3Sg6zi7BvJU75tVvRT+puxqarcUeLCffIQ==
Delivered-to: eclipse-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/eclipse-dev/>
List-help: <mailto:eclipse-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/eclipse-dev>, <mailto:eclipse-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/eclipse-dev>, <mailto:eclipse-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AdfyS1ASj7sKvt9kRiK3kTS70DNfdAABwsAA
Thread-topic: [eclipse-dev] Eclipse-Dev Jars: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

Dear Amit,

The mentioned jars are not affected. The main projects that you are referring to are

- EMF

- BIRT

- Eclipselink

The 3rd party bundles (imxc, org.w3c*, com.ibm.icu) don’t have a dependency on log4j2.

Best regards,

~Karsten

[1] https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)

[2] https://github.com/eclipse-ee4j/eclipselink/blob/master/moxy/org.eclipse.persistence.moxy/pom.xml

[3] https://github.com/eclipse/birt/blob/master/chart/org.eclipse.birt.chart.engine/META-INF/MANIFEST.MF

Am 16.12.2021 um 08:05 schrieb Kumar, Amit (Noida) via eclipse-dev <eclipse-dev@xxxxxxxxxxx>:

Hi Team,

We are using Below jar provided by you. We want to ensure and know if it is impacted by “Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)”. If it’s impacted please let us know about the security recommendation. To know we are looking for following answer

Jars:

jmxc

org.eclipse.emf.common_2.4.0.v200902171115 2.4.0

org.eclipse.emf.ecore.xmi_2.4.1.v200902171115 2.4.1

org.eclipse.emf.ecore_2.4.2.v200902171115 2.4.2

org.eclipse.persistence.moxy-2.4.2 2.4.2

org.w3c.css.sac_1.3.0.v200805290154 1.3.0

chartengineapi chartengineapi

com.ibm.icu_3.8.1.v20080530 com.ibm.icu_3.8.1.v20080530

Are you using log4J?

If you are using log4j 1.x version, are you using JMSAppender class

if you are using log4j 2.x are , what is your security recommendation to fix the issue

Thanks and regards,

Amit Kumar

Tech Lead, Software Development Engineering

Financial & Risk Management Solutions

Mobile: +91-9990094588

Upcoming R&R:

Fiserv

Helping Small Businesses Get Back2Business
Fiserv | Join Our Team | Twitter | LinkedIn | Facebook
FORTUNE World's Most Admired Companies®
2014 | 2015 | 2016 | 2017 | 2018 | 2019 | 2020 | 2021

© 2021 Fiserv Inc. or its affiliates. Fiserv is a registered trademark of Fiserv Inc. Privacy Notice
© 2021 Fortune Media IP Limited. Used under license.

_______________________________________________
eclipse-dev mailing list
eclipse-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse-dev

References:
- [eclipse-dev] Eclipse-Dev Jars: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
  - From: Kumar, Amit (Noida)

Prev by Date: [eclipse-dev] Eclipse-Dev Jars: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
Next by Date: [eclipse-dev] Eclipse and Equinox 4.23 (2022-03) M1 reminders
Previous by thread: [eclipse-dev] Eclipse-Dev Jars: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
Next by thread: [eclipse-dev] Eclipse and Equinox 4.23 (2022-03) M1 reminders
Index(es):
- Date
- Thread

Breadcrumbs