View source for Eclipse and log4j2 vulnerability (CVE-2021-44228)

{| class="wikitable"
!Project
!Version
!Status
!Comment
|-
|Passage
| >= 1.2.0 && <= 2.2.0
|Vulnerable
| The risk of exposure due to the tooling support in an IDE is negligible.  Tools can be updated to the 2.2.1 release and runtimes should be upgraded to the 2.2.1 release.  Older versions of Passage also work with log4j >= 2.15. See [https://projects.eclipse.org/projects/technology.passage/downloads Passage Downloads] for site details.
|-
|Eclipse Packaging Project (Eclipse IDE for ...)
|*.*.*
|Not Vulnerable / Vulnerable
|All packages available from [https://www.eclipse.org/downloads/packages/ Eclipse Downloads] are not vulnerable, except for the Eclipse IDE for RCP and RAP Developers which contain Passage.  Even for packages containing Passage, the risk of exposure due to the tooling support in an IDE is negligible.  Adding the site https://download.eclipse.org/passage/updates/release/2.2.1/ to ''Window &rarr; Preferences &rarr; Install/Update &rarr; Available Sites'' and using ''Help &rarr; Check for Updates'' can be used to upgrade the version of Passage and thereby replace the vulnerable version of log4j2.
|-
|Eclipse Installer
|*.*.*
|Not Vulnerable
|Does not use log4j. The catalogs used by the installer for installing the Eclipse Packaging Project's products are dynamically loaded and have been updated such that installing any version of the Eclipse IDE for RCP and RAP Developers will install Passage 2.2.1 with the repaired version of log4j2, i.e., >= 2.15.
|-
|Eclipse SDK
|*.*.*
|Not Vulnerable
|Eclipse SDK does not use log4j
|-
|JGit
|1.0-5.13.0,6.0.0
|Not Vulnerable
|org.eclipse.jgit.pgm uses log4j 1.2.15
|-
|EGit
|1.0-5.13.0,6.0.0
|Not Vulnerable
|EGit does not use log4j
|-
|Jetty
|*.*.*
|Not Vulnerable
|[https://webtide.com/jetty-log4j2-exploit-cve-2021-44228/ Blog: Jetty & Log4j2 exploit CVE-2021-44228]
|-
|StatET
|*.*.*
|Not Vulnerable
|
|-
|Web Tools Platform
|*.*.*
|Not Vulnerable
|log4j 1.2.15 is used in an unused dependency in a single test plug-in
|-
|Scout Runtime
|10.x - 22.x
|Not Vulnerable
|
|-
|Eclipse Hawk
|*.*.*
|Not Vulnerable
|
|-
|Eclipse Theia
|*.*.*
|Not Vulnerable
|-
|Eclipse Dash
|*.*.*
|Not Vulnerable
|
|-
|Linux Tools
|*.*.*
|Not Vulnerable
|
|-
|Eclipse JKube
|*.*.*
|Not Vulnerable
|Eclipse JKube does not use log4j
|-
|Eclipse Modeling Framework (EMF)
|*.*.*
|Not Vulnerable
| Uses log4j 1.x, but only in Xcore tools bundles, not in any runtime bundles deployed in applications.
|-
|XML Schema Definition (XSD)
|*.*.*
|Not Vulnerable
| Does not use log4j.
|-
|JustJ
|*.*.*
|Not Vulnerable
| Does not use log4j and log4j is not included in the JRE themselves.
|-
|Oomph
|*.*.*
|Not Vulnerable
| Does not use log4j.
|-
|CDO Model Repository
|*.*.*
|Not Vulnerable
| Does not use log4j.
|-
|EMF Teneo
|*.*.*
|Not Vulnerable
| Does not use log4j.
|-
|N4JS
|1.2.15
|Not Vulnerable
|-
|Eclipse Krazo
|*.*.*
|Not Vulnerable
| Does not use log4j.
|-
|Eclipse APP4MC IDE
|*.*.*
|Not Vulnerable
| Uses log4j 1.2.15
|-
|Eclipse APP4MC Cloud Service Manager
|*.*.*
|Not Vulnerable
| Contains log4j API 2.13 as transitive dependency introduced by Spring Boot. Actual logging done via Logback.
|-
|Eclipse APP4MC Cloud Services (Migration, Validation, Transformation)
|*.*.*
|Not Vulnerable
| Does not use log4j.
|-
|Eclipse GlassFish
|*.*.*
|Not Vulnerable
| Does not use log4j.
|-
|Eclipse RAP
|*.*.*
|Not Vulnerable
| Does not use log4j.
|-
|Eclipse SWTChart
|1.2.15
|Not Vulnerable
|
|-
|Eclipse ChemClipse
|1.2.15
|Not Vulnerable
|
|-
|VIATRA
|*.*.*
|Not Vulnerable
|VIATRA uses log4j 1.2.15 only
|-
|Sirius
|*.*.*
|Not Vulnerable
| Sirius Desktop uses log4j 1.x, but only in SWTBot-based tests, not in any runtime bundles deployed in applications. Sirius Web uses Spring Boot, which is not vulnerable in its default configuration (see https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot)
|-
|EMF Validation
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|EMF Transaction
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|GMF Runtime
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Ecore Tools
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|EMF Compare
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Acceleo
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Graphiti
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Eclipse BaSyx
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Eclipse Lyo
|*.*.*
|Not Vulnerable
| Does not use Log4J, uses SLF4J to <nowiki><exclude></nowiki> downstream Log4J dependencies, older versions used Log4J 1.2.
|-
|Eclipse mdmbl
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Eclipse Capella
|*.*.*
|Not Vulnerable
| Uses log4j 1.2.15
|-
|Eclipse Kitalpha
|*.*.*
|Not Vulnerable
| Uses log4j 1.2.15
|-
|Eclipse Amalgam
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Eclipse Diffmerge
|*.*.*
|Not Vulnerable
| Uses log4j 1.2.15
|-
|Eclipse EGF
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Eclipse Memory Analyzer
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Eclipse Babel
|*.*.*
|Not Vulnerable
| Does not use Log4J
|-
|Eclipse Collections
|*.*.*
|Not Vulnerable
|-
|Cyclone DDS
|*.*.*
|Not Vulnerable
| Does not use log4j
|-
|Eclipse OneOFour
|*.*.*
|Not Vulnerable
| Does not use log4j.
|-
|Eclipse Titan
|*.*.*
|Not Vulnerable
| Does not use log4j.
|}