Eclipse Jetty has no hard dependency on log4j2. It's an optional feature that can be used via slf4j-api.
On Fri, Dec 10, 2021 at 1:11 PM Denis Roy <denis....@eclipse-foundation.org> wrote:

> I guess I'm trying to determine if there are any versions of Eclipse,
> Jetty, jGit, etc that are vulnerable.
>
> For instance, we use Gerrit 3.2.7, which may contain a vulnerability.
>
> Denis
>
> On 2021-12-10 14:02, Matthew Khouzam via cross-project-issues-dev wrote:
>
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> NVD - CVE-2021-44228
> Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages,
> and parameters do not protect against attacker controlled LDAP and other
> JNDI related endpoints. An attacker who can control log messages or log
> message parameters can execute arbitrary code loaded from LDAP servers when
> ...
>
> It's for log4j2 between 2.0.0 and 2.14.1
> ------------------------------
> *From:* cross-project-issues-dev
> <cross-project-issues-dev-boun...@eclipse.org> on behalf of Denis Roy
> <denis....@eclipse-foundation.org>
> *Sent:* Friday, December 10, 2021 1:46 PM
> *To:* Cross project issues <cross-project-issues-dev@eclipse.org>
> *Subject:* [cross-project-issues-dev] log4j vulnerability in Eclipse?
>
> Hi Folks,
>
> As you may be aware, an important vulnerability has been discovered in
> log4j
>
> If I recall, log4j is used in Eclipse components. Does anyone have a feel
> for our current state? Is 2021-12 affected?
>
> https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
>
> Denis
>
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
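
An added example, not part of the original thread or of any Eclipse project's code: one way to check which shipped archives actually bundle a log4j2 in the 2.0.0 to 2.14.1 range quoted above is to look for log4j-core's Maven metadata inside each jar or war, including nested ones. The function names and the in-memory sample archives are constructed for illustration, and the check assumes the jars kept their Maven `pom.properties`.

```python
import io
import re
import zipfile

# The JNDI lookup code ships in log4j-core; slf4j-api alone does not contain it.
# Maven-built log4j-core jars carry this metadata file (assumption: not stripped).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOW, HIGH = (2, 0, 0), (2, 14, 1)  # affected range as quoted in this thread
NESTED = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body; qualifiers such as -beta9 are ignored."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan(data, name):
    """Yield (location, version, in_affected_range) for every log4j-core found, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive, nothing to report
    with zf:
        for entry in zf.namelist():
            if entry == POM:
                v = parse_version(zf.read(entry).decode("utf-8", "replace"))
                if v:
                    yield name, ".".join(map(str, v)), LOW <= v <= HIGH
            elif entry.lower().endswith(NESTED):
                yield from scan(zf.read(entry), f"{name}!/{entry}")

def make_archive(files):
    """Build an in-memory zip from {entry: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, body in files.items():
            zf.writestr(entry, body)
    return buf.getvalue()

def demo():
    """Constructed sample: a war bundling an in-range core, an slf4j-api jar and an out-of-range core."""
    old_core = make_archive({POM: b"artifactId=log4j-core\nversion=2.14.1\n"})
    new_core = make_archive({POM: b"artifactId=log4j-core\nversion=2.17.1\n"})
    slf4j = make_archive({"META-INF/maven/org.slf4j/slf4j-api/pom.properties": b"version=1.7.32\n"})
    war = make_archive({"WEB-INF/lib/a.jar": old_core, "WEB-INF/lib/b.jar": slf4j, "WEB-INF/lib/c.jar": new_core})
    return list(scan(war, "app.war"))

if __name__ == "__main__":
    for location, version, affected in demo():
        print(f"{location}: log4j-core {version} {'IN RANGE' if affected else 'outside range'}")
```

A missing `pom.properties` does not prove log4j-core is absent, since repackaged jars may drop it; treat an empty result as "not found by this check".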