Ticket Created
over 3 years ago

WERETECH-12042

LOG4J Issue

Log4J issue:

In the SDK-file:

IQ_IDE_4.1.0.beta1.jar!/libs/log4j-core-2.10.0.jar

is a vulnerable version of LOG4J. When, where and how will GARMIN provide an update?

Please act!

  • This is an issue that only affects the Eclipse Plugin. There are several ways that you can easily fix this.

    I'm fairly certain that we have created at least two more recent versions of that plugin. I'm not really involved in the release process, but I personally updated the builds to use log4j 2.17.1 or 2.17.2 recently.

    Another option is to not use the Eclipse Plugin. We've been providing the VSCode extension for a while now, and it is pretty good. You could also use the command-line scripts to build/run.

    If you can't get the updated plugin that I mentioned above, and you really need to use Eclipse, you should be able to use one of the mitigations suggested by Apache for the time being.

    https://logging.apache.org/log4j/2.x/security.html
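
An added example, not part of the ticket or the reply and not Garmin's code: a Python scan that walks nested archives such as the `IQ_IDE_4.1.0.beta1.jar!/libs/log4j-core-2.10.0.jar` path in the ticket, reports each bundled log4j-core copy, and records whether `JndiLookup.class` is still present. The fixed-version thresholds (2.17.1, plus the 2.12.4 and 2.3.2 backports) are assumptions taken from Apache's security page, and the sample jar is constructed in memory.

```python
import io
import re
import zipfile

FIRST_FIXED = (2, 17, 1)                   # assumed from Apache's page: Java 8 line
FIXED_BACKPORTS = {(2, 3, 2), (2, 12, 4)}  # assumed: Java 6 and Java 7 lines
CORE_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_SIZE = 200 * 1024 * 1024  # do not inflate members larger than this

def is_fixed(version):
    return version >= FIRST_FIXED or version in FIXED_BACKPORTS

def _inspect(zf, path, depth):
    names = zf.namelist()
    m = CORE_RE.search(path)
    has_jndi = JNDI_CLASS in names
    if m or has_jndi:  # log4j-core by file name, or a renamed/shaded copy
        version = tuple(map(int, m.groups())) if m else None
        yield {"path": path, "version": version, "jndi_lookup": has_jndi,
               "fixed": version is not None and is_fixed(version)}
        return
    if depth <= 0:
        return
    for name in names:
        if not name.lower().endswith(ARCHIVE_EXT) or zf.getinfo(name).file_size > MAX_SIZE:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                yield from _inspect(inner, f"{path}!/{name}", depth - 1)
        except zipfile.BadZipFile:
            continue  # not a real archive despite the extension

def scan_archive(source, label, max_depth=4):
    """Return one finding per log4j-core copy found at any nesting level."""
    with zipfile.ZipFile(source) as zf:
        return list(_inspect(zf, label, max_depth))

def build_sample():  # constructed stand-in for the plugin jar, not the real file
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("libs/log4j-core-2.10.0.jar", inner.getvalue())
    return outer

if __name__ == "__main__":
    for finding in scan_archive(build_sample(), "IQ_IDE_4.1.0.beta1.jar"):
        print(finding)
```

To check a real install, pass the plugin jar's path as `source`. A finding with `version` set to `None` is a renamed or shaded copy that still carries `JndiLookup.class`.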
