eclipse-equinox / equinox.bundles

Eclipse Public License 2.0

logback RCE CVE-2021-42550 #46

Closed freedom1b2830 closed 2 years ago

freedom1b2830 commented 2 years ago

I don't know where to write about these libraries

CVE-2021-42550

scanner args:[--scan-log4j1 --scan-logback --scan-zip]

[?] Found CVE-2021-42550 (logback 1.2.7) vulnerability in $ECLIPSE_DIR/plugins/ch.qos.logback.classic_1.2.3.v20200428-2012.jar, logback N/A
[?] Found CVE-2021-42550 (logback 1.2.7) vulnerability in $HOME/.p2/pool/plugins/ch.qos.logback.classic_1.1.2.v20171220-1825.jar, logback N/A

laeubi commented 2 years ago

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

So if an attacker has access to your Eclipse installation you are lost anyway, and he can execute any code...

freedom1b2830 commented 2 years ago

still need an update to 1.2.9+ to close the possible vector
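One way to check an installation against the 1.2.9 floor asked for above, as an added example: this is not the scanner whose output is quoted in the issue and not Equinox or m2e code. It walks the two directories named in that output, reads Bundle-Version from each logback-classic jar's manifest (falling back to the version in the file name), and flags anything below 1.2.9. The default root directories, the floor constant and the sample jars built by demo() are assumptions made for the example.

```python
"""Flag ch.qos.logback.classic bundles below the 1.2.9 floor named in this
issue. Example code added to the thread; not the scanner quoted above and
not part of Equinox or m2e."""
import os
import re
import sys
import tempfile
import zipfile
from typing import Iterable, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

# The thread asks for 1.2.9+; CVE-2021-42550 covers 1.2.7 and prior.
FIXED_FLOOR: Version = (1, 2, 9)
BUNDLE_PREFIX = "ch.qos.logback.classic"
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_osgi_version(version: str) -> Optional[Version]:
    """Return (major, minor, micro) from an OSGi version such as
    '1.2.3.v20200428-2012'. The qualifier after the third segment is a build
    stamp, not a fix level, so it is ignored for the comparison."""
    m = _VERSION_RE.match(version)
    if m is None:
        return None
    major, minor, micro = (int(g) for g in m.groups())
    return (major, minor, micro)


def version_from_filename(jar_name: str) -> Optional[Version]:
    """Eclipse plugin jars are laid out as <symbolicName>_<version>.jar."""
    base = os.path.basename(jar_name)
    if not (base.startswith(BUNDLE_PREFIX + "_") and base.endswith(".jar")):
        return None
    return parse_osgi_version(base[len(BUNDLE_PREFIX) + 1:-len(".jar")])


def version_from_manifest(jar_path: str) -> Optional[Version]:
    """Read Bundle-Version from META-INF/MANIFEST.MF; a renamed or repacked
    jar keeps its manifest even when the file name is misleading."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("bundle-version:"):
            return parse_osgi_version(line.split(":", 1)[1])
    return None


def is_below_floor(version: Optional[Version]) -> bool:
    return version is not None and version < FIXED_FLOOR


def scan(roots: Iterable[str]) -> Iterator[Tuple[str, Version]]:
    """Yield (path, version) for each logback-classic bundle under the given
    directories whose version is below FIXED_FLOOR."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not (name.startswith(BUNDLE_PREFIX) and name.endswith(".jar")):
                    continue
                path = os.path.join(dirpath, name)
                version = version_from_manifest(path) or version_from_filename(name)
                if is_below_floor(version):
                    yield path, version


def _write_bundle(directory: str, name: str, bundle_version: str) -> str:
    """Build a constructed, manifest-only bundle jar so the scan runs offline."""
    path = os.path.join(directory, name)
    manifest = ("Manifest-Version: 1.0\r\nBundle-SymbolicName: %s\r\n"
                "Bundle-Version: %s\r\n\r\n" % (BUNDLE_PREFIX, bundle_version))
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return path


def demo() -> List[str]:
    """Constructed sample: the 1.2.3 bundle reported in this issue next to a
    1.2.11 one. Returns the base names the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = os.path.join(tmp, "plugins")
        os.mkdir(plugins)
        _write_bundle(plugins, BUNDLE_PREFIX + "_1.2.3.v20200428-2012.jar",
                      "1.2.3.v20200428-2012")
        _write_bundle(plugins, BUNDLE_PREFIX + "_1.2.11.jar", "1.2.11")
        return sorted(os.path.basename(p) for p, _v in scan([plugins]))


if __name__ == "__main__":
    # Default roots mirror the two locations in the scanner output above;
    # both are assumptions about the local layout, so pass your own on argv.
    roots = sys.argv[1:] or [
        os.path.join(os.environ.get("ECLIPSE_DIR", "."), "plugins"),
        os.path.expanduser("~/.p2/pool/plugins"),
    ]
    flagged = list(scan(r for r in roots if os.path.isdir(r)))
    for path, version in flagged:
        print("below %s: %s (%s)" % (".".join(map(str, FIXED_FLOOR)), path,
                                     ".".join(map(str, version))))
    sys.exit(1 if flagged else 0)
```

A hit under ~/.p2/pool only says the bundle is in the shared pool; as the later comments note, what matters is which feature actually binds it into the running profile, so check the installed features before treating a pool match as a live dependency.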

tjwatson commented 2 years ago

First you need to determine what feature is installing these bundles. I assume it is not any of the features from the actual Eclipse IDE project (Equinox, PDE, JDT, Platform), because I don't see these bundles installed on my base installation.

freedom1b2830 commented 2 years ago

Eclipse IDE for Enterprise Java and Web Developers (includes Incubating components) Version: 2022-03 (4.23.0) Build id: 20220310-1457

*** Plug-in Registry: ch.qos.logback.classic (1.2.3.v20200428-2012) "Logback Classic Module" [Resolved]

Id: ch.qos.logback.classic, Version: 1.2.3.v20200428-2012, Location: reference:file:plugins/ch.qos.logback.classic_1.2.3.v20200428-2012.jar

conf_info.txt

bjhargrave commented 2 years ago

I would venture the plugins are installed by m2e. So you should open an issue with m2e.

bjhargrave commented 2 years ago

I think we can close this issue here.

merks commented 2 years ago

Yes, m2e would be satisfied with higher versions but it's the only thing bound to these older versions:

@jonahgraham FYI.