Google Git
Sign in
eclipse / tracecompass / org.eclipse.tracecompass / refs/tags/v7.2.0^! / .
commit6ffc3d77597e56b163e0ecab01b6f89a7788ebb0[log] [tgz]
authorMatthew Khouzam <matthew.khouzam@ericsson.com>Fri Dec 10 11:37:14 2021 -0500
committerMatthew Khouzam <matthew.khouzam@ericsson.com>Mon Dec 13 12:37:44 2021 -0500
tree615a300e231981664eea50d3546c51c7602db6b2
parent06d51a5df25d975b99d02906d9b49adde906a254 [diff]
No longer allow arbitrary code to be executed from Log4j2

Trace Compass does not use Log4j2, but Log4j1, which is not
vulnerable. But this is a precaution to prevent other plugins
from other sources to be vulnerable.

Also fixes incubator

[Security] CVE-2021-44228

Change-Id: I0cd8f5860aaac25084424451e77b101dbca5b78b
Signed-off-by: Matthew Khouzam <matthew.khouzam@ericsson.com>
Reviewed-on: https://git.eclipse.org/r/c/tracecompass/org.eclipse.tracecompass/+/188336
Tested-by: Trace Compass Bot <tracecompass-bot@eclipse.org>
Tested-by: Bernd Hufmann <bernd.hufmann@ericsson.com>
Reviewed-by: Bernd Hufmann <bernd.hufmann@ericsson.com>

diff --git a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/internal/tmf/core/Activator.java b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/internal/tmf/core/Activator.java
index 41757a7..14cd9c0 100644
--- a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/internal/tmf/core/Activator.java
+++ b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/internal/tmf/core/Activator.java

@@ -91,6 +91,9 @@
     @Override
     public void start(BundleContext context) throws Exception {
         super.start(context);
+        // CVE-2021-44228
+        System.setProperty("log4j2.formatMsgNoLookups", "true"); //$NON-NLS-1$ //$NON-NLS-2$
+        System.setProperty("log4j.formatMsgNoLookups", "true"); //$NON-NLS-1$ //$NON-NLS-2$
         setDefault(this);
         TmfCoreTracer.init();
         /* Initialize the trace manager */