
Difference between revisions of "Eclipse and log4j2 vulnerability (CVE-2021-44228)"

(Merge edit by Achim.kraus.bosch.io)
(Add OpenMQ)
 
(48 intermediate revisions by 25 users not shown)
Line 1: Line 1:
{| class="wikitable"
+
{| class="wikitable sortable"  
 
!Project
 
!Project
 
!Version
 
!Version
 
!Status
 
!Status
 
!Comment
 
!Comment
 +
|-
 +
|BIRT
 +
| *.*.*
 +
|Not Vulnerable
 +
|BIRT does not use log4j
 
|-
 
|-
 
|Passage
 
|Passage
Line 9: Line 14:
 
|Vulnerable
 
|Vulnerable
 
| The risk of exposure due to the tooling support in an IDE is negligible.  Tools can be updated to the 2.2.1 release and runtimes should be upgraded to the 2.2.1 release.  Older versions of Passage also work with log4j >= 2.15. See [https://projects.eclipse.org/projects/technology.passage/downloads Passage Downloads] for site details.
 
| The risk of exposure due to the tooling support in an IDE is negligible.  Tools can be updated to the 2.2.1 release and runtimes should be upgraded to the 2.2.1 release.  Older versions of Passage also work with log4j >= 2.15. See [https://projects.eclipse.org/projects/technology.passage/downloads Passage Downloads] for site details.
 +
|-
 +
|Eclipse Kura
 +
|>= 4.0.0 && <= 5.0.0
 +
|Vulnerable
 +
| Versions prior to 4.0.0 are not vulnerable due to the usage of log4j 1.x. Versions after 4.0.0 are vulnerable. A mitigation approach has been provided and the project is working in releasing an updated version for the last two major releases. See https://github.com/eclipse/kura/issues/3712
 +
|-
 +
|Eclipse Leshan
 +
|< 1.0.0-M5
 +
|Vulnerable
 +
| Leshan library does not use log4j2, but old servers demos use it and could be affected. See [https://github.com/eclipse/leshan/issues/1178#issuecomment-994855744 for more details].
 
|-
 
|-
 
|Eclipse Packaging Project (Eclipse IDE for ...)
 
|Eclipse Packaging Project (Eclipse IDE for ...)
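Review bot: In the new Eclipse Leshan row the external link "[https://github.com/eclipse/leshan/issues/1178#issuecomment-994855744 for more details]" turns the words "for more details" into the link label, so the rendered cell reads "See for more details." with no visible target; write it as "See [https://github.com/eclipse/leshan/issues/1178#issuecomment-994855744 this issue comment] for more details." Also, the new Eclipse Kura row gives ">= 4.0.0 && <= 5.0.0" as the vulnerable range while its comment says "Versions prior to 4.0.0 are not vulnerable ... Versions after 4.0.0 are vulnerable", which leaves 4.0.0 itself ambiguous; the comment should state explicitly whether 4.0.0 is affected so it agrees with the Version column.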
Line 14: Line 29:
 
|Not Vulnerable / Vulnerable
 
|Not Vulnerable / Vulnerable
 
|All packages available from [https://www.eclipse.org/downloads/packages/ Eclipse Downloads] are not vulnerable, except for the Eclipse IDE for RCP and RAP Developers which contain Passage.  Even for packages containing Passage, the risk of exposure due to the tooling support in an IDE is negligible.  Adding the site https://download.eclipse.org/passage/updates/release/2.2.1/ to ''Window &rarr; Preferences &rarr; Install/Update &rarr; Available Sites'' and using ''Help &rarr; Check for Updates'' can be used to upgrade the version of Passage and thereby replace the vulnerable version of log4j2.
 
|All packages available from [https://www.eclipse.org/downloads/packages/ Eclipse Downloads] are not vulnerable, except for the Eclipse IDE for RCP and RAP Developers which contain Passage.  Even for packages containing Passage, the risk of exposure due to the tooling support in an IDE is negligible.  Adding the site https://download.eclipse.org/passage/updates/release/2.2.1/ to ''Window &rarr; Preferences &rarr; Install/Update &rarr; Available Sites'' and using ''Help &rarr; Check for Updates'' can be used to upgrade the version of Passage and thereby replace the vulnerable version of log4j2.
 +
|-
 +
|Eclipse Communication Framework (ECF)
 +
|*.*.*
 +
|Not Vulnerable
 +
|ECF does not use log4j2
 
|-
 
|-
 
|Eclipse Installer
 
|Eclipse Installer
Line 48: Line 68:
 
|*.*.*
 
|*.*.*
 
|Not Vulnerable
 
|Not Vulnerable
|log4j 1.2.15 is used in an unused dependency in a single test plug-in
+
|log4j 1.2.15 is a dependency for org.eclipse.jpt.jpadiagrameditor.swtbot.tests, which is typically never installed, and referenced by XSL and Web Services features
 
|-
 
|-
 
|Scout Runtime
 
|Scout Runtime
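Review bot: The replacement Web Tools Platform comment says org.eclipse.jpt.jpadiagrameditor.swtbot.tests "is typically never installed" but in the same sentence that log4j 1.2.15 is "referenced by XSL and Web Services features", which reads as if installing those features pulls the jar in; clarify whether the XSL and Web Services features ship log4j 1.2.15 at install time or only reference it at build time, since anyone inventorying an installation for log4j jars needs to know whether to expect it. Adding that 1.2.15 is a log4j 1.x release and therefore outside the CVE-2021-44228 range, as the Eclipse Kura row already does for 1.x, would also justify the unchanged Not Vulnerable status to a reader who only sees the version number.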
Line 134: Line 154:
 
|-
 
|-
 
|Eclipse GlassFish
 
|Eclipse GlassFish
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse OpenMQ
 
|*.*.*
 
|*.*.*
 
|Not Vulnerable
 
|Not Vulnerable
Line 186: Line 211:
 
|*.*.*
 
|*.*.*
 
|Not Vulnerable
 
|Not Vulnerable
| Does not use Log4J
+
| uses log4j 1.2.15
 
|-
 
|-
 
|Acceleo
 
|Acceleo
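Review bot: The comment in this hunk flips from "Does not use Log4J" to "uses log4j 1.2.15" while Status stays Not Vulnerable, and the cell gives no reason why a log4j dependency leaves the status unchanged; state that 1.2.15 is a log4j 1.x release outside the CVE-2021-44228 range (the Eclipse Kura row uses exactly that reasoning for 1.x), and capitalise "Uses log4j 1.2.15" to match the neighbouring rows.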
Line 205: Line 230:
 
|Eclipse Lyo
 
|Eclipse Lyo
 
|*.*.*
 
|*.*.*
|Not Vulnerable
+
|Not Vulnerable*
| Does not use Log4J, uses SLF4J to <nowiki><exclude></nowiki> downstream Log4J dependencies, older versions used Log4J 1.2.
+
| Does not use Log4J, uses SLF4J to <nowiki><exclude></nowiki> downstream Log4J dependencies, older versions used Log4J 1.2. Update 2021-12-20: Lyo was using Log4j2 in lyo.rio, an abandoned prototype implementation of the next version of the standard (the draft of which was also abandoned). lyo.rio is not part of regular Lyo releases. The Log4j2 dependency was updated to 2.17.0, no artifacts on Maven Central need to be updated.
 
|-
 
|-
 
|Eclipse mdmbl
 
|Eclipse mdmbl
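Review bot: The Eclipse Lyo status becomes "Not Vulnerable*", but nothing on the page defines the asterisk, and now that the table is sortable the cell sorts as a value distinct from every other Not Vulnerable row. The qualification it presumably marks (lyo.rio, an abandoned prototype outside regular Lyo releases, used Log4j2 and was updated to 2.17.0) is already spelled out in the Comment cell, so either drop the asterisk or replace it with a short phrase in Status such as "Not Vulnerable (see comment)". In the comment, "The Log4j2 dependency was updated to 2.17.0, no artifacts on Maven Central need to be updated" is a run-on; a semicolon or full stop after 2.17.0 fixes it.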
Line 271: Line 296:
 
|Not Vulnerable
 
|Not Vulnerable
 
| Does not use log4j. See https://github.com/eclipse/californium/issues/1848 for more details.
 
| Does not use log4j. See https://github.com/eclipse/californium/issues/1848 for more details.
 +
|-
 +
|Eclipse Hara
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|CHESS
 +
|*.*.*
 +
|Not Vulnerable
 +
| Uses log4j 1.2.15
 +
|-
 +
|Eclipse Hono
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j-core. For information regarding components used in connection with Hono, see [https://github.com/eclipse/hono/issues/3000 this Github issue].
 +
|-
 +
|Buildship
 +
|*.*.*
 +
|Not Vulnerable
 +
| Buildship itself does not use log4j. Regarding Gradle, see the [https://blog.gradle.org/log4j-vulnerability related blog post].
 +
|-
 +
|Eclipse Mosquitto
 +
|*.*.*
 +
|Not Vulnerable
 +
| Not written in Java
 +
|-
 +
|Eclipse Streamsheets
 +
|*.*.*
 +
|Not Vulnerable
 +
| Not written in Java
 +
|-
 +
|Eclipse Cloe
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Trace Compass
 +
|*.*.*
 +
|Not Vulnerable.
 +
| Does not use log4j: Trace Compass features nor Trace Compass RCP. During build time, log4j 1.2.15 is a dependency for all SWTBot-based tests.
 +
|-
 +
|Trace Compass Incubator
 +
|*.*.*
 +
|Not Vulnerable.
 +
| Does not use log4j: Trace Compass Incubator features, Trace Compass Incubator RCP nor Trace Compass Server RCP. During build time, log4j 1.2.15 is a dependency for all SWTBot-based tests.
 +
|-
 +
|Eclipse CDT
 +
|*.*.*
 +
|Not Vulnerable
 +
| Uses log4j 1.2.15
 +
|-
 +
|Eclipse Embed CDT
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse LSP4J
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse LSP4E
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse PTP
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse SUMO
 +
|*.*.*
 +
|Not Vulnerable
 +
| The core applications are not in Java. There is the lisum-gui extension which is shipped with SUMO and uses an outdated log4j. See https://github.com/eclipse/sumo/issues/9789
 +
|-
 +
|Eclipse tinydtls
 +
|*.*.*
 +
|Not Vulnerable
 +
| Not written in Java.
 +
|-
 +
|Eclipse Che
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse GLSP
 +
|*.*.*
 +
|Not Vulnerable
 +
| Uses log4j 1.x.
 +
|-
 +
|Eclipse ESCET
 +
|*.*.*
 +
|Not Vulnerable
 +
| See also [https://gitlab.eclipse.org/eclipse/escet/escet/-/issues/273 Eclipse ESCET issue #273].
 +
|-
 +
|EclipseLink
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j at runtime; log4j 2.3 used in tests only.
 +
|-
 +
|Eclipse Metro
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse Angus
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse Parsson
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse Ditto
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j.
 +
|-
 +
|Eclipse Kapua
 +
|*.*.*
 +
|Not Vulnerable
 +
| Kapua components do not use log4j-core.
 +
|-
 +
|Eclipse wakaama
 +
|*.*.*
 +
|Not Vulnerable
 +
| Not written in Java.
 +
|-
 +
|OpenHW Group CORE-V Cores
 +
|*.*.*
 +
|Not Vulnerable
 +
|CORE-V Cores does not use log4j
 +
|-
 +
|Eclipse Kanto
 +
|*.*.*
 +
|Not Vulnerable
 +
| Not written in Java. Does not use Log4J.
 +
|-
 +
|Eclipse zenoh
 +
|*.*.*
 +
|Not Vulnerable
 +
| Not written in Java.
 +
|-
 +
|Eclipse fog05
 +
|*.*.*
 +
|Not Vulnerable
 +
| Not written in Java.
 +
|-
 +
|Eclipse Xtext
 +
|*.*.*
 +
|Not Vulnerable
 +
| Uses log4j 1.2.15.
 +
|-
 +
|Eclipse Epsilon
 +
|*.*.*
 +
|Not Vulnerable
 +
| Uses log4j 1.2.17.
 +
|-
 +
|Eclipse WindowBuilder
 +
|*.*.*
 +
|Not Vulnerable
 +
| Do not uses log4j
 +
|-
 +
|Eclipse Nebula
 +
|*.*.*
 +
|Not Vulnerable
 +
| Do not uses log4j
 +
|-
 +
|Eclipse ediTDor
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use Log4J
 +
|-
 +
|Eclipse Hawkbit
 +
|*.*.*
 +
|Not Vulnerable
 +
| Does not use log4j-core
 +
|-
 +
|Eclipse Temurin
 +
|*.*.*
 +
|Not Vulnerable
 +
|Does not use log4j.
 +
|-
 +
|Eclipse Temurin Compliance
 +
|n/a
 +
|Not Vulnerable
 +
|No published releases from this project. Does not use log4j.
 +
|-
 +
|Eclipse AQAvit
 +
|n/a
 +
|Resolved
 +
|No published releases from this project. Development stream of AQAvit System Test Framework (STF) updated to use secure version of log4j since Dec 15, 2021 via Github issue adoptium/STF#121[https://github.com/adoptium/STF/issues/121].
 +
|-
 +
|Eclipse Adoptium Incubator
 +
|n/a
 +
|Not Vulnerable
 +
|No published releases from this project. Does not use log4j.
 +
|-
 +
|Eclipse SWTBot
 +
|*.*.*
 +
|Not Vulnerable
 +
|Does not use log4j2. Uses log4j 1.2.15.
 +
|-
 +
|Eclipse Capra
 +
|*.*.*
 +
|Not Vulnerable
 +
|Does not use log4j.
 +
|-
 +
|Jakarta EE Platform TCK
 +
|*.*.*
 +
|Not Vulnerable
 +
|Does not use log4j2.
 
|}
 
|}
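Review bot: Several of the new rows break the Status column's consistency, which matters now that the table is sortable: Trace Compass and Trace Compass Incubator use "Not Vulnerable." with a trailing period, and Eclipse AQAvit introduces a value "Resolved" that no other row uses, so these cells sort apart from the rest; normalise them to the existing values. Further points in this hunk: the Eclipse WindowBuilder and Eclipse Nebula comments read "Do not uses log4j" and should be "Does not use log4j"; the Eclipse AQAvit link "adoptium/STF#121[https://github.com/adoptium/STF/issues/121]" renders as a bare numbered footnote and should be "[https://github.com/adoptium/STF/issues/121 adoptium/STF#121]"; the Eclipse SUMO row says lisum-gui "uses an outdated log4j" without naming the version, yet the Not Vulnerable status hinges on whether that is a 1.x release or an affected 2.x release, so the version (or a pointer to it in the linked issue) belongs in the comment; and the EclipseLink row's "log4j 2.3 used in tests only" names a release inside the affected log4j2 range, so the comment should say explicitly that the test dependency is in no published artifact, because dependency scanners will still flag it.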

Latest revision as of 10:52, 20 January 2022

{| class="wikitable sortable"
! Project !! Version !! Status !! Comment
|-
| BIRT || *.*.* || Not Vulnerable || BIRT does not use log4j
|-
| Passage || >= 1.2.0 && <= 2.2.0 || Vulnerable || The risk of exposure due to the tooling support in an IDE is negligible. Tools can be updated to the 2.2.1 release and runtimes should be upgraded to the 2.2.1 release. Older versions of Passage also work with log4j >= 2.15. See [https://projects.eclipse.org/projects/technology.passage/downloads Passage Downloads] for site details.
|-
| Eclipse Kura || >= 4.0.0 && <= 5.0.0 || Vulnerable || Versions prior to 4.0.0 are not vulnerable due to the usage of log4j 1.x. Versions after 4.0.0 are vulnerable. A mitigation approach has been provided and the project is working on releasing an updated version for the last two major releases. See https://github.com/eclipse/kura/issues/3712
|-
| Eclipse Leshan || < 1.0.0-M5 || Vulnerable || The Leshan library does not use log4j2, but old server demos use it and could be affected. See https://github.com/eclipse/leshan/issues/1178#issuecomment-994855744 for more details.
|-
| Eclipse Packaging Project (Eclipse IDE for ...) || *.*.* || Not Vulnerable / Vulnerable || All packages available from [https://www.eclipse.org/downloads/packages/ Eclipse Downloads] are not vulnerable, except for the Eclipse IDE for RCP and RAP Developers, which contains Passage. Even for packages containing Passage, the risk of exposure due to the tooling support in an IDE is negligible. Adding the site https://download.eclipse.org/passage/updates/release/2.2.1/ to ''Window → Preferences → Install/Update → Available Sites'' and using ''Help → Check for Updates'' upgrades the version of Passage and thereby replaces the vulnerable version of log4j2.
|-
| Eclipse Installer || *.*.* || Not Vulnerable || Does not use log4j. The catalogs used by the installer for installing the Eclipse Packaging Project's products are dynamically loaded and have been updated such that installing any version of the Eclipse IDE for RCP and RAP Developers will install Passage 2.2.1 with the repaired version of log4j2, i.e., >= 2.15.
|-
| Eclipse SDK || *.*.* || Not Vulnerable || Eclipse SDK does not use log4j
|-
| JGit || 1.0-5.13.0, 6.0.0 || Not Vulnerable || org.eclipse.jgit.pgm uses log4j 1.2.15
|-
| EGit || 1.0-5.13.0, 6.0.0 || Not Vulnerable || EGit does not use log4j
|-
| Jetty || *.*.* || Not Vulnerable || Blog: Jetty & Log4j2 exploit CVE-2021-44228
|-
| StatET || *.*.* || Not Vulnerable ||
|-
| Web Tools Platform || *.*.* || Not Vulnerable || log4j 1.2.15 is a dependency for org.eclipse.jpt.jpadiagrameditor.swtbot.tests, which is typically never installed, and is referenced by the XSL and Web Services features
|-
| Scout Runtime || 10.x - 22.x || Not Vulnerable ||
|-
| Eclipse Hawk || *.*.* || Not Vulnerable ||
|-
| Eclipse Theia || *.*.* || Not Vulnerable ||
|-
| Eclipse Dash || *.*.* || Not Vulnerable ||
|-
| Linux Tools || *.*.* || Not Vulnerable ||
|-
| Eclipse JKube || *.*.* || Not Vulnerable || Eclipse JKube does not use log4j
|-
| Eclipse Modeling Framework (EMF) || *.*.* || Not Vulnerable || Uses log4j 1.x, but only in Xcore tools bundles, not in any runtime bundles deployed in applications.
|-
| XML Schema Definition (XSD) || *.*.* || Not Vulnerable || Does not use log4j.
|-
| JustJ || *.*.* || Not Vulnerable || Does not use log4j, and log4j is not included in the JREs themselves.
|-
| Oomph || *.*.* || Not Vulnerable || Does not use log4j.
|-
| CDO Model Repository || *.*.* || Not Vulnerable || Does not use log4j.
|-
| EMF Teneo || *.*.* || Not Vulnerable || Does not use log4j.
|-
| N4JS || 1.2.15 || Not Vulnerable ||
|-
| Eclipse Krazo || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse APP4MC IDE || *.*.* || Not Vulnerable || Uses log4j 1.2.15
|-
| Eclipse APP4MC Cloud Service Manager || *.*.* || Not Vulnerable || Contains log4j API 2.13 as a transitive dependency introduced by Spring Boot. Actual logging is done via Logback.
|-
| Eclipse APP4MC Cloud Services (Migration, Validation, Transformation) || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse GlassFish || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse OpenMQ || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse RAP || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse SWTChart || 1.2.15 || Not Vulnerable ||
|-
| Eclipse ChemClipse || 1.2.15 || Not Vulnerable ||
|-
| VIATRA || *.*.* || Not Vulnerable || VIATRA uses log4j 1.2.15 only
|-
| Sirius || *.*.* || Not Vulnerable || Sirius Desktop uses log4j 1.x, but only in SWTBot-based tests, not in any runtime bundles deployed in applications. Sirius Web uses Spring Boot, which is not vulnerable in its default configuration (see https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot)
|-
| EMF Validation || *.*.* || Not Vulnerable || Does not use Log4J
|-
| EMF Transaction || *.*.* || Not Vulnerable || Does not use Log4J
|-
| GMF Runtime || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Ecore Tools || *.*.* || Not Vulnerable || Does not use Log4J
|-
| EMF Compare || *.*.* || Not Vulnerable || Uses log4j 1.2.15
|-
| Acceleo || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Graphiti || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Eclipse BaSyx || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Eclipse Lyo || *.*.* || Not Vulnerable* || Does not use Log4J; uses SLF4J to <nowiki><exclude></nowiki> downstream Log4J dependencies; older versions used Log4J 1.2. Update 2021-12-20: Lyo was using Log4j2 in lyo.rio, an abandoned prototype implementation of the next version of the standard (the draft of which was also abandoned). lyo.rio is not part of regular Lyo releases. The Log4j2 dependency was updated to 2.17.0; no artifacts on Maven Central need to be updated.
|-
| Eclipse mdmbl || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Eclipse Capella || *.*.* || Not Vulnerable || Uses log4j 1.2.15
|-
| Eclipse Kitalpha || *.*.* || Not Vulnerable || Uses log4j 1.2.15
|-
| Eclipse Amalgam || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Eclipse Diffmerge || *.*.* || Not Vulnerable || Uses log4j 1.2.15
|-
| Eclipse EGF || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Eclipse Memory Analyzer || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Eclipse Babel || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Eclipse Collections || *.*.* || Not Vulnerable ||
|-
| Cyclone DDS || *.*.* || Not Vulnerable || Does not use log4j
|-
| Eclipse OneOFour || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse Titan || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse Californium || *.*.* || Not Vulnerable || Does not use log4j. See https://github.com/eclipse/californium/issues/1848 for more details.
|-
| Eclipse Hara || *.*.* || Not Vulnerable || Does not use log4j.
|-
| CHESS || *.*.* || Not Vulnerable || Uses log4j 1.2.15
|-
| Eclipse Hono || *.*.* || Not Vulnerable || Does not use log4j-core. For information regarding components used in connection with Hono, see [https://github.com/eclipse/hono/issues/3000 this GitHub issue].
|-
| Buildship || *.*.* || Not Vulnerable || Buildship itself does not use log4j. Regarding Gradle, see the [https://blog.gradle.org/log4j-vulnerability related blog post].
|-
| Eclipse Mosquitto || *.*.* || Not Vulnerable || Not written in Java
|-
| Eclipse Streamsheets || *.*.* || Not Vulnerable || Not written in Java
|-
| Eclipse Cloe || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Trace Compass || *.*.* || Not Vulnerable || Neither the Trace Compass features nor the Trace Compass RCP use log4j. At build time, log4j 1.2.15 is a dependency for all SWTBot-based tests.
|-
| Trace Compass Incubator || *.*.* || Not Vulnerable || Neither the Trace Compass Incubator features, the Trace Compass Incubator RCP nor the Trace Compass Server RCP use log4j. At build time, log4j 1.2.15 is a dependency for all SWTBot-based tests.
|-
| Eclipse CDT || *.*.* || Not Vulnerable || Uses log4j 1.2.15
|-
| Eclipse Embed CDT || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse LSP4J || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse LSP4E || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse PTP || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse SUMO || *.*.* || Not Vulnerable || The core applications are not in Java. The lisum-gui extension, which is shipped with SUMO, uses an outdated log4j. See https://github.com/eclipse/sumo/issues/9789
|-
| Eclipse tinydtls || *.*.* || Not Vulnerable || Not written in Java.
|-
| Eclipse Che || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse GLSP || *.*.* || Not Vulnerable || Uses log4j 1.x.
|-
| Eclipse ESCET || *.*.* || Not Vulnerable || See also [https://gitlab.eclipse.org/eclipse/escet/escet/-/issues/273 Eclipse ESCET issue #273].
|-
| EclipseLink || *.*.* || Not Vulnerable || Does not use log4j at runtime; log4j 2.3 is used in tests only.
|-
| Eclipse Metro || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse Angus || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse Parsson || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse Ditto || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse Kapua || *.*.* || Not Vulnerable || Kapua components do not use log4j-core.
|-
| Eclipse wakaama || *.*.* || Not Vulnerable || Not written in Java.
|-
| OpenHW Group CORE-V Cores || *.*.* || Not Vulnerable || CORE-V Cores does not use log4j
|-
| Eclipse Kanto || *.*.* || Not Vulnerable || Not written in Java. Does not use Log4J.
|-
| Eclipse zenoh || *.*.* || Not Vulnerable || Not written in Java.
|-
| Eclipse fog05 || *.*.* || Not Vulnerable || Not written in Java.
|-
| Eclipse Xtext || *.*.* || Not Vulnerable || Uses log4j 1.2.15.
|-
| Eclipse Epsilon || *.*.* || Not Vulnerable || Uses log4j 1.2.17.
|-
| Eclipse WindowBuilder || *.*.* || Not Vulnerable || Does not use log4j
|-
| Eclipse Nebula || *.*.* || Not Vulnerable || Does not use log4j
|-
| Eclipse ediTDor || *.*.* || Not Vulnerable || Does not use Log4J
|-
| Eclipse Hawkbit || *.*.* || Not Vulnerable || Does not use log4j-core
|-
| Eclipse Temurin || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Eclipse Temurin Compliance || n/a || Not Vulnerable || No published releases from this project. Does not use log4j.
|-
| Eclipse AQAvit || n/a || Resolved || No published releases from this project. The development stream of the AQAvit System Test Framework (STF) has used a secure version of log4j since Dec 15, 2021, via GitHub issue [https://github.com/adoptium/STF/issues/121 adoptium/STF#121].
|-
| Eclipse Adoptium Incubator || n/a || Not Vulnerable || No published releases from this project. Does not use log4j.
|-
| Eclipse SWTBot || *.*.* || Not Vulnerable || Does not use log4j2. Uses log4j 1.2.15.
|-
| Eclipse Capra || *.*.* || Not Vulnerable || Does not use log4j.
|-
| Jakarta EE Platform TCK || *.*.* || Not Vulnerable || Does not use log4j2.
|}

Copyright © Eclipse Foundation, Inc. All Rights Reserved.