Re: [orbit-dev] Eclipse Orbit Log4j Vulnerability Info

Hi, 

Gunnar is right that Eclipse Orbit is a repository to consume artifacts. The question should be "does Eclipse Orbit contain the latest secure Log4j 2 version"?

According to the latest news on that topic the answer is actually no. The latest integration build contains 2.17.0. But that version still contains a vulnerability which is fixed via 2.17.1.

So another update of Orbit is necessary if you suffer from the vulnerability. Can't tell if this is already in process. 

Greez, 
Dirk 

Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote on Tue, Jan 11, 2022, 10:26:
Hi Murugaiyan,

The Eclipse Orbit project should be treated like Maven Central. Hence, it is not secure. The old version will still be available for download in the archives. 

However, the Log4J version has been updated by volunteers to the latest available one. Thus, mitigation is available.

-Gunnar

-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/



On Jan 11, 2022, at 10:22, Deepthi Murugaiyan (MS/EMT5-XC) via orbit-dev <orbit-dev@xxxxxxxxxxx> wrote:

Hello Orbit Team,
 
I work for BOSCH Group and we mostly use the Eclipse Framework to construct applications.
 
In recent times, everyone globally has come to know that Apache Log4j contains a security vulnerability issue, and as a result all of the issues have a mitigation action.
 
We found that Eclipse has a vulnerability state list for most of the projects it has built. (https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228))
 
However, I was unable to locate any information regarding the Eclipse Orbit Project.
 
Could you please help us out in clarifying whether Eclipse Orbit is secure?
 
Thank you very much.
 
Mit freundlichen Grüßen / Best regards

Murugaiyan Deepthi
 

ES-CDG-Methods Tools (RBEI/EMT5)
Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY | www.bosch.com
Tel. +91 422 619-1119 | Fax +91 422 663-4104 | Deepthi.Murugaiyan@xxxxxxxxxxxx



_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev
