Was looking at the page history on the Eclipse Foundation wiki for "Eclipse and log4j2 vulnerability (CVE-2021-44228)" https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228) Last update was January 2022. Are these packages still vulnerable? If so, will newer versions of Eclipse upgrade these package dependencies on log4j2.x "log4shell" vulns?

| Project | Version | Status | Comment |
|---|---|---|---|
| Passage | >= 1.2.0 && <= 2.2.0 | Vulnerable | The risk of exposure due to the tooling support in an IDE is negligible. Tools can be updated to the 2.2.1 release and runtimes should be upgraded to the 2.2.1 release. Older versions of Passage also work with log4j >= 2.15. See Passage Downloads for site details. |
| Eclipse Kura | >= 4.0.0 && <= 5.0.0 | Vulnerable | Versions prior to 4.0.0 are not vulnerable due to the usage of log4j 1.x. Versions after 4.0.0 are vulnerable. A mitigation approach has been provided and the project is working on releasing an updated version for the last two major releases. See https://github.com/eclipse/kura/issues/3712 |
| Eclipse Leshan | < 1.0.0-M5 | Vulnerable | The Leshan library does not use log4j2, but old server demos use it and could be affected. See for more details. |
| Eclipse AQAvit | n/a | Resolved | No published releases from this project. Development stream of AQAvit System Test Framework (STF) updated to use a secure version of log4j since Dec 15, 2021 via Github issue adoptium/STF#121[1]. |
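Added example, not part of this bug report or of any Eclipse project: a small Python checker that evaluates the version ranges quoted in the table above against an installed project version, and flags bundled log4j-core jars that sit below the "log4j >= 2.15" line the Passage comment gives as the fixed version. The range notation (">=", "<=", "&&") is taken from the table; milestone tags such as "1.0.0-M5" are treated as pre-releases that sort before the final release of the same number, which is an assumption about the projects' versioning. The jar file names at the bottom are constructed samples, and the filename pattern used to pull a version out of them is an assumption, not an Eclipse naming rule.

```python
import re
from typing import List, Tuple

# Vulnerable ranges copied from the wiki table quoted above; the "n/a" row is omitted.
VULNERABLE_RANGES = {
    "Passage": ">= 1.2.0 && <= 2.2.0",
    "Eclipse Kura": ">= 4.0.0 && <= 5.0.0",
    "Eclipse Leshan": "< 1.0.0-M5",
}

# Fixed line for CVE-2021-44228 as stated in the Passage comment of the table.
LOG4J_FIXED_RANGE = ">= 2.15"

# numeric part, then an optional pre-release tag such as "-M5" or "RC1"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?$")

# Assumed pattern for a bundled log4j-core jar name, e.g. "log4j-core-2.14.1.jar"
# or an OSGi-style "org.apache.logging.log4j.core_2.17.1.jar" (constructed forms).
_LOG4J_CORE_JAR_RE = re.compile(r"log4j[-.]core[-_](\d+\.\d+(?:\.\d+)?)")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, str, int]]:
    """Turn '2.2.0' or '1.0.0-M5' into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad so that "2.15" equals "2.15.0"
    tag, tag_num = m.group(2), m.group(3)
    # Assumption: a tagged version (M5, RC1, ...) is a pre-release and sorts
    # before the untagged final release with the same numbers.
    pre = (0, tag.upper(), int(tag_num or 0)) if tag else (1, "", 0)
    return nums, pre


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def satisfies(version: str, expr: str) -> bool:
    """True if `version` meets every '&&'-joined clause of a constraint expression."""
    v = parse_version(version)
    for clause in expr.split("&&"):
        op, bound = clause.strip().split(None, 1)
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def is_vulnerable(project: str, version: str) -> bool:
    """Does the installed `version` of `project` fall inside the table's vulnerable range?"""
    expr = VULNERABLE_RANGES.get(project)
    return expr is not None and satisfies(version, expr)


def log4j_is_patched(version: str) -> bool:
    """Is a log4j-core version at or above the fixed line given in the table?"""
    return satisfies(version, LOG4J_FIXED_RANGE)


def find_unpatched_log4j(jar_names: List[str]) -> List[Tuple[str, str]]:
    """Return (jar name, version) for every log4j-core jar below the fixed line."""
    hits = []
    for name in jar_names:
        m = _LOG4J_CORE_JAR_RE.search(name)
        if m and not log4j_is_patched(m.group(1)):
            hits.append((name, m.group(1)))
    return hits


# Constructed sample listing of a plugins directory; not taken from any real install.
SAMPLE_JARS = [
    "log4j-core-2.14.1.jar",
    "org.apache.logging.log4j.core_2.17.1.jar",
    "log4j-api-2.14.1.jar",
    "slf4j-api-1.7.32.jar",
]

if __name__ == "__main__":
    for project, version in [("Passage", "2.2.0"), ("Passage", "2.2.1"),
                             ("Eclipse Kura", "4.1.0"), ("Eclipse Leshan", "1.0.0-M4")]:
        print(f"{project} {version}: {'VULNERABLE' if is_vulnerable(project, version) else 'ok'}")
    print("unpatched log4j-core jars:", find_unpatched_log4j(SAMPLE_JARS))
```

The range check answers the reporter's question per project and version rather than per page: a Passage 2.2.1 install is outside the quoted range, while a Kura 4.1.0 install is inside it and needs the mitigation or the updated release the project team describes. The jar scan is the complementary check for the bundled library itself, since the table's advice ultimately reduces to whether the shipped log4j-core is at or above the fixed line.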
AFAICT in all cases, the project teams have described mitigation. If you have questions, or have an issue with a specific release version of a specific product, follow up directly with the corresponding project team. I'm marking this as WORKSFORME because FIXED doesn't feel like the correct resolution.