Apache Log4J

[Tuncer89]

Hi Community,

I'm new here and hope to get some help

I am responsible for Eclipse IDE in my company. In the last version we supported, 2025-03, there were major problems with "Apache Log4j". This led, according to our security department, to a big attacking threat.
Questions:

1. We now released Eclipse IDE 2025-09. Is this vulnerability still the case?
2. Do I need to download the newest version of Apache Log4J? or
3. How can I solve this?
4. Should I retire the 2025-03 version? Or is it only about the plugin?

(Internal detection summary as example:
"Summary: Multiple vulnerabilities have been identified in Apache Log4j 1.x, including unsafe deserialization in JMSSink (CVE-2022-23302), SQL injection in JDBCAppender (CVE-2022-23305), and unsafe deserialization in Chainsaw (CVE-2022-23307). These issues can lead to remote code execution or unauthorized database manipulation when the affected components are configured and exploited by attackers. Impact: Exploitation of these vulnerabilities can result in remote code execution, unauthorized database manipulation, and compromise of system confidentiality, integrity, and availability. AdditionalInformation: These vulnerabilities affect Apache Log4j 1.x, which has reached end-of-life as of August 2015. Users are advised to consider upgrading to Log4j 2.x to address these and other issues. Remediation: Apply the latest patches and updates provided by the respective vendors.")

Thank you very much in advance!

Best wishes
Tuncer

[akurtakov]

The project is not shipping any part of Log4J in neither 4.38 https://download.eclipse.org/eclipse/updates/4.38/R-4.38-202512010920/plugins/ nor in 4.37 https://download.eclipse.org/eclipse/updates/4.37/R-4.37-202509050730/plugins/ .

My guess is that you might be using some of the packages (https://www.eclipse.org/downloads/packages/) that include a number of other plugins too and some of them might ship Log4J - in this case open an issue at https://github.com/eclipse-packaging/packages with clear statement which package your IDE is based on .
Alternatively, if you start with Eclipse SDK (as produced by this project) you must be installing additional plugins and one of them is bringing Log4J, in this case it's up to you to identify the plugin doing it and report to the guilty one accordingly.
Closing as Github doesn't allow moving issues between organizations and there is nothing that can be done in this project.

[Tuncer89]

Thank you!

[merks]

Use a 2025-12 download. There are no log4j issues as I understand it.

https://www.eclipse.org/downloads/packages/

[laeubi]

There are no log4j issues as I understand it.

An there are likely none in the 2025-03 anyways, all these

This led, according to our security department, to a big attacking threat

are often simply generic highly theoretically "attacking threat" without any actual investigation of the software and the usage of the library.

Just from the provided "critical" vulnerabilities provided here

including unsafe deserialization in JMSSink
SQL injection in JDBCAppender
unsafe deserialization in Chainsaw

So if your IDE uses a log appender that writes to JMS and JDBC and uses RMI and you have malicious plugins installed in your IDE that can emit bad log messages... your system is probably already wrecked considerably enough to not care about this "critical" CVEs. And this is independent of the used EPP anyways.

[ovavadim]

Hello, @akurtakov, @laeubi, @merks everyone
In order to clafify the situation, as I'm also a bit familiar with Tuncer's case.
The vulnerability mentioned by @Tuncer89 is found precisely here:
c:\program files\eclipse ide\2025-03\plugins\org.springframework.tooling.boot.ls_1.64.0.202509050658\server\spring-boot-language-server\lib\rewrite-logging-frameworks-2.17.1.jar
which seems to be Spring Boot Language Server, rewrite-logging-frameworks-2.17.1.jar

Is it possible, that this thing was installed as a part of Eclipse IDE 2023-03? If yes, that could it be also a part of Eclipse IDE 2025-09?

[laeubi]

Hi @Tuncer89,

Thank you for bringing this security concern to our attention. I understand how important it is to address vulnerabilities in your organization.

Important Context:

Eclipse IDE is a highly extensible platform, and the core Eclipse IDE packages we release (2025-03, 2025-09, etc.) do not ship Apache Log4j 1.x by default. The Eclipse RCP Platform, which Eclipse IDE is based on, also does not include Log4j 1.x.

However, Eclipse's extensibility means that third-party plugins, additional tools, or customized distributions can add their own dependencies. This is likely what's happening in your case.

To answer your questions:

1. **Is the vulnerability still present in 2025-09? ** - Not in the default Eclipse IDE distribution. If Log4j 1.x is present, it's coming from an installed plugin or extension.

2. Do you need to download the newest version of Apache Log4j? - First, you need to identify which plugin is bringing in Log4j 1.x (see below).

3. How to solve this:

   • Identify the source: Check your installed plugins (Help → About Eclipse IDE → Installation Details → Plugins)
   • Search for "log4j" in the plugin list
   • Common culprits are third-party tools or enterprise plugins (e.g., Spring Tools, database tools, custom company plugins)
   • Once identified, check if there's an updated version of that plugin, or consider removing it if not essential

4. Should you retire 2025-03? - The issue is not with the Eclipse version itself, but with the specific plugin. Focus on identifying and updating/removing the problematic plugin rather than the Eclipse version.

Analogy:
Think of Eclipse IDE as a base operating system - we provide the core platform, but applications (plugins) installed on top can bring their own dependencies. The security scan is detecting a component from an installed application, not from the base Eclipse IDE itself.

Recommended Next Steps:

1. Identify which plugin contains Log4j 1.x
2. Check for updates to that plugin
3. If no updates are available, consider removing the plugin or contacting its maintainer
4. Share your findings here if you need further guidance

[akurtakov]

@ovavadim You have to contact Spring Tools project https://github.com/spring-projects/spring-tools and continue the conversation there if the vulnerability comes from there.