On Fri, Dec 10, 2021 at 8:11 PM Denis Roy <denis....@eclipse-foundation.org> wrote:
> I guess I'm trying to determine if there are any versions of Eclipse,
> Jetty, jGit, etc that are vulnerable.
>

JGit logs using slf4j API and org.eclipse.jgit.pgm bundles the old log4j 1.2.15 which is not affected by this vulnerability. Though we should move away from log4j 1.x since it's EOL.

> For instance, we use Gerrit 3.2.7, which may contain a vulnerability.
>

Gerrit uses log4j 1.2.17 which is not affected by this vulnerability, see
https://bugs.chromium.org/p/gerrit/issues/detail?id=15414

-Matthias

> Denis
>
> On 2021-12-10 14:02, Matthew Khouzam via cross-project-issues-dev wrote:
>
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> NVD - CVE-2021-44228
> Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages,
> and parameters do not protect against attacker controlled LDAP and other
> JNDI related endpoints. An attacker who can control log messages or log
> message parameters can execute arbitrary code loaded from LDAP servers when
> ...
>
> It's for log4j2 between 2.0.0 and 2.14.1
> ------------------------------
> *From:* cross-project-issues-dev
> <cross-project-issues-dev-boun...@eclipse.org> on behalf of Denis Roy
> <denis....@eclipse-foundation.org>
> *Sent:* Friday, December 10, 2021 1:46 PM
> *To:* Cross project issues <cross-project-issues-dev@eclipse.org>
> *Subject:* [cross-project-issues-dev] log4j vulnerability in Eclipse?
>
> Hi Folks,
>
> As you may be aware, an important vulnerability has been discovered in
> log4j
>
> If I recall, log4j is used in Eclipse components. Does anyone have a feel
> for our current state? Is 2021-12 affected?
>
> https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
>
> Denis
>
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
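The question raised in this thread (which bundled log4j versions fall in the affected range) can be answered for a directory of jars with a small inventory script. This is an added example, not part of the original messages or of any Eclipse project code; it assumes jars still carry their Maven `pom.properties`, uses the 2.0.0 to 2.14.1 range quoted in the thread, and the verdict labels are names chosen here.

```python
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata paths; assumes the jar was not repackaged without them.
POM_V2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_V1 = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Return 'version=X.Y.Z' from pom.properties as a 3-tuple of ints, or None."""
    m = re.search(r"^version=(\d+(?:\.\d+)*)", text, re.MULTILINE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(jar_path):
    """Classify one jar against the range quoted in the thread (2.0.0 to 2.14.1)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
            if POM_V2 in names:
                version = parse_version(jar.read(POM_V2).decode("utf-8", "replace"))
                if version is None:
                    return "log4j2-unknown-version"
                in_range = (2, 0, 0) <= version <= (2, 14, 1)
                return "log4j2-in-affected-range" if in_range else "log4j2-outside-range"
            if JNDI_LOOKUP in names:  # log4j2 core classes without Maven metadata
                return "log4j2-unknown-version"
            if POM_V1 in names:  # 1.x: not affected per the thread, but EOL
                return "log4j1-eol"
    except zipfile.BadZipFile:
        return "unreadable"
    return "no-log4j"


def scan(root):
    """Map each jar under root that contains log4j (or is unreadable) to its verdict."""
    verdicts = {p.relative_to(root).as_posix(): classify(p)
                for p in sorted(Path(root).rglob("*.jar"))}
    return {name: v for name, v in verdicts.items() if v != "no-log4j"}


if __name__ == "__main__":
    print(scan(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Jars nested inside other archives (WAR files, fat jars) are not opened by this script, so those need to be unpacked first or checked separately.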