Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?
So, yes, Eclipse 2021-12 is vulnerable as 2.0.0 < 2.8.2 < 2.14.1
On 2021-12-10 14:39, Ed Merks wrote:
Denis,
You can see the versions of log4j in the 2021-12 release here:
https://www.eclipse.org/downloads/download.php?format=xml&file=/releases/2021-12/202112081000&countryCode=us&timeZone=1&format=xml
These I think:
On 10.12.2021 20:11, Denis Roy wrote:
I guess I'm trying to determine if there are any versions of Eclipse, Jetty, jGit, etc. that are vulnerable.
For instance, we use Gerrit 3.2.7, which may contain a vulnerability.
Denis
On 2021-12-10 14:02, Matthew Khouzam via cross-project-issues-dev wrote:
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when ...
nvd.nist.gov
It's for log4j2 between 2.0.0 and 2.14.1