[FAQ] CODECOMPOSER: Is CCS Open to Log4j Vulnerability

Martin Currie

Part Number: CODECOMPOSER

Is Code Composer Studio open to exploitation from the Log4J vulnerability since it includes the log4j JAR files within the Eclipse plugins directory (v9.3)?

I could not find CCS or Eclipse mentioned on the GitHub site: GitHub - cisagov/log4j-affected-db

It would be good to get an official response in this. I have not seen any official response on this topic from TI.

over 2 years ago

+1 JohnS over 2 years ago

TI__Guru**** 159715 points

Martin,

Code Composer Studio is not impacted by the vulnerability that has been identified in log4j. Code Composer Studio includes Eclipse CDT which does include log4j. However, the version that is included is 1.2.15. This version is not impacted by the vulnerability.

For more information please see these references:

https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228) This site summarizes various Eclipse projects and their log4j status. The relevant entry is Eclipse CDT.
https://logging.apache.org/log4j/2.x/security.html Under the mitigation section it shows that log4j 1.x is not impacted by the vulnerability.

Regards,

John

0 Takehiro Sato over 2 years ago in reply to JohnS

TI__Intellectual 2235 points

Hello John,

Is it correct my understanding that all CCS versions are not affected by the log4J vulnerability because the CCS is used Log4j 1.x?

Regards,

Sato

0 JohnS over 2 years ago in reply to Takehiro Sato

TI__Guru**** 159715 points

Sato,

Yes this is correct. All versions of CCS are not impacted by the vulnerability.

Regards,

John

0 Jan D over 2 years ago in reply to JohnS

Guru 73205 points

Hi,

But theoretically may to be affected by many CVEs related to Log4j 1.x (e.g one nice is CVE-2019-17571). Log4j 1.x is 6 years EoL.

Jan

0 Takehiro Sato over 2 years ago in reply to Jan D

TI__Intellectual 2235 points

John, Jan,

Thank you for answering my question.

Sato

Code Composer Studio™︎

Code Composer Studio forum

[FAQ] CODECOMPOSER: Is CCS Open to Log4j Vulnerability