Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

[Mickael Istria <mistria@xxxxxxxxxx>]

On Fri, Dec 10, 2021 at 8:12 PM Denis Roy <denis.roy@xxxxxxxxxxxxxxxxxxxxxx> wrote:

I guess I'm trying to determine if there are any versions of Eclipse, Jetty, jGit, etc that are vulnerable.

Eclipse Platform, and its transitive deps (including some parts of Jetty), do not require nor ship log4j.

EGit does include log4j 1.2.15 as optional requirement; so it seems safe.

Wild Web Developer, and its transitive deps (including LSP4E, LSP4J, some parts of EGit...), do not require nor ship log4j.

m2e, and its transitive deps, do not require not ship log4j