[wtp-dev] Security vulnerabilities found in Apache Log4j included in WTP
  • From: Kit Lo <kitlo@xxxxxxxxxx>
  • Date: Tue, 15 Feb 2022 00:21:44 +0000

Dear WTP Committers,

You have probably heard about the security vulnerabilities found in Apache Log4j at the end of last year. They are impacting many software projects in the industry, including Eclipse, and WTP specifically.


After investigation, we found that WTP is including Apache Log4j 1.2.15, all the way from the very old WTP 3.8 to the current WTP 3.25.


I opened Bug 577951 requesting WTP to upgrade to the latest Log4j 2.x or totally remove the dependency on Log4j 1.x.

Even though Web Services has confirmed that Web Services is not impacted by this Log4j 1.x security vulnerability, the fact that Log4j 1.x has been out of support since August 2015 and is not receiving any security updates makes many Eclipse/WTP users worry.

A few contributors jumped in to help, did a detailed analysis, and came up with a potential fix. Could any WTP committers help review and accept the change ASAP? That would greatly benefit the whole Eclipse community.

Thank you!

Kit Lo
Eclipse Babel Project Lead
IBM Eclipse SDK (IES) Technical Lead and Release Manager
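The "investigation" the message refers to, finding out which Log4j line a product actually bundles, is something any consumer of an Eclipse distribution can repeat. The script below is an added example and is not code from the post or from the WTP project. It inventories the jars under a directory (for instance an Eclipse `plugins/` folder), classifies each Log4j jar as the end-of-life 1.x line or the 2.x line, and reports the version. It assumes the jar carries either Maven metadata (`META-INF/maven/<groupId>/<artifactId>/pom.properties`) or an OSGi manifest (`Bundle-SymbolicName` / `Bundle-Version`), which is how Eclipse Orbit repackages third-party libraries; the sample `plugins/` tree it scans is constructed in a temporary directory so the example runs offline.

```python
"""Inventory Log4j jars under a directory tree and flag the unsupported 1.x line.

Added example, not from the mailing-list post or the WTP project. Assumes jars
carry Maven pom.properties or an OSGi MANIFEST.MF (Eclipse Orbit style);
otherwise only the class layout is available and the version stays unknown.
"""
import os
import re
import tempfile
import zipfile

LOG4J1_CLASS = "org/apache/log4j/Logger.class"   # classic 1.x package
LOG4J2_PREFIX = "org/apache/logging/log4j/"      # 2.x package
POM_RE = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties")


def _prop(text, key):
    """Read 'key=value' (properties) or 'Key: value' (manifest) from text."""
    m = re.search(r"^\s*%s\s*[:=]\s*(.+?)\s*$" % re.escape(key), text, re.M)
    return m.group(1) if m else None


def inspect_jar(path):
    """Classify one jar. Returns None for non-Log4j jars, else a dict with
    family ('1.x' or '2.x'), version (or 'unknown') and the evidence used."""
    try:
        zf = zipfile.ZipFile(path)
    except zipfile.BadZipFile:
        return None
    with zf:
        names = zf.namelist()
        # 1. Maven metadata. groupId 'log4j' is the 1.x line; 'org.apache.logging.log4j'
        #    is 2.x (this also classifies the log4j-1.2-api bridge, which ships
        #    org/apache/log4j/* classes, as 2.x rather than as a 1.x hit).
        for n in names:
            m = POM_RE.fullmatch(n)
            if not m:
                continue
            version = _prop(zf.read(n).decode("utf-8", "replace"), "version") or "unknown"
            if m.group(1) == "log4j":
                return {"family": "1.x", "version": version, "evidence": n}
            if m.group(1) == "org.apache.logging.log4j":
                return {"family": "2.x", "version": version, "evidence": n}
        # 2. OSGi manifest (Eclipse Orbit bundles). Continuation lines start with a space.
        if "META-INF/MANIFEST.MF" in names:
            mf = re.sub(r"\r?\n ", "", zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            bsn = (_prop(mf, "Bundle-SymbolicName") or "").split(";")[0].strip()
            version = _prop(mf, "Bundle-Version") or "unknown"
            if bsn == "org.apache.log4j":
                return {"family": "1.x", "version": version, "evidence": "META-INF/MANIFEST.MF"}
            if bsn.startswith("org.apache.logging.log4j"):
                return {"family": "2.x", "version": version, "evidence": "META-INF/MANIFEST.MF"}
        # 3. Class layout only: weakest evidence, version cannot be determined.
        if any(n.startswith(LOG4J2_PREFIX) for n in names):
            return {"family": "2.x", "version": "unknown", "evidence": "class layout (verify)"}
        if LOG4J1_CLASS in names:
            return {"family": "1.x", "version": "unknown", "evidence": "class layout (verify)"}
    return None


def scan_tree(root):
    """Walk root and return Log4j findings sorted by path; eol=True marks the 1.x line,
    which has had no security updates since August 2015."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(".jar"):
                continue
            path = os.path.join(dirpath, fn)
            info = inspect_jar(path)
            if info is None:
                continue
            info["path"] = os.path.relpath(path, root).replace(os.sep, "/")
            info["eol"] = info["family"] == "1.x"
            findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample (not a real Eclipse install): a plugins/ dir with an
    Orbit-style Log4j 1.2.15 bundle, a Maven-built log4j-core 2.17.1 jar and an
    unrelated bundle. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    plugins = os.path.join(root, "plugins")
    os.makedirs(plugins)
    with zipfile.ZipFile(os.path.join(plugins, "org.apache.log4j_1.2.15.v201012070815.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nBundle-SymbolicName: org.apache.log4j\r\n"
                   "Bundle-Version: 1.2.15.v201012070815\r\n")
        z.writestr(LOG4J1_CLASS, b"")
    with zipfile.ZipFile(os.path.join(plugins, "log4j-core-2.17.1.jar"), "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.17.1\n")
        z.writestr(LOG4J2_PREFIX + "core/Logger.class", b"")
    with zipfile.ZipFile(os.path.join(plugins, "org.example.other_1.0.0.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Bundle-SymbolicName: org.example.other\r\nBundle-Version: 1.0.0\r\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = "EOL" if f["eol"] else "ok "
        print(flag, f["path"], f["family"], f["version"], "via", f["evidence"])
```

Run it against a real installation with `scan_tree("/path/to/eclipse")` instead of the constructed tree. Treat a "class layout" hit as a lead to verify by hand, since Log4j 2's `log4j-1.2-api` bridge also ships classes under `org/apache/log4j/` and only the metadata tells the two apart.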
