Eclipse and log4j2 vulnerability (CVE-2021-44228)
Revision as of 01:13, 14 December 2021 by Unnamed Poltroon
Project | Version | Status | Comment |
---|---|---|---|
Passage | <= 2.2.0 | Vulnerable | The risk of exposure due to the tooling support in an IDE is negligible. Tools can be updated to the 2.2.1 release and runtimes should be upgraded to the 2.2.1 release. Older versions of Passage also work with log4j >= 2.15. See Passage Downloads for site details. |
Eclipse SDK | *.*.* | Not Vulnerable | Eclipse SDK does not use log4j |
JGit | 1.0-5.13.0,6.0.0 | Not Vulnerable | org.eclipse.jgit.pgm uses log4j 1.2.15 |
EGit | 1.0-5.13.0,6.0.0 | Not Vulnerable | EGit does not use log4j |
Jetty | *.*.* | Not Vulnerable | Blog: Jetty & Log4j2 exploit CVE-2021-44228 |
StatET | *.*.* | Not Vulnerable | |
Web Tools Platform | *.*.* | Not Vulnerable | log4j 1.2.15 is used in an unused dependency in a single test plug-in |
Scout Runtime | 10.x - 22.x | Not Vulnerable | |
Eclipse Hawk | *.*.* | Not Vulnerable | |
Eclipse Theia | *.*.* | Not Vulnerable | |
Eclipse Dash | *.*.* | Not Vulnerable | |
Linux Tools | *.*.* | Not Vulnerable | |
Eclipse JKube | *.*.* | Not Vulnerable | Eclipse JKube does not use log4j |
Eclipse Modeling Framework (EMF) | *.*.* | Not Vulnerable | Uses log4j 1.x, but only in Xcore tools bundles, not in any runtime bundles deployed in applications. |
XML Schema Definition (XSD) | *.*.* | Not Vulnerable | Does not use log4j. |
JustJ | *.*.* | Not Vulnerable | Does not use log4j, and log4j is not included in the JREs themselves. |
Oomph | *.*.* | Not Vulnerable | Does not use log4j. |