ShackyPoh
Hi,

Recently a customer flagged a vulnerability for org.eclipse.osgi. Is there a way to resolve this vulnerability?

I am using AAOD 8.1.2 and the full path scanned is as below:
E:\Program Files\Eclipse 8.1.2\configuration\org.eclipse.osgi\1015\0\.cp\lib\log4j-1.2.14.jar
massimo__croci
Hi.

According to the information on this page

https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609

Orchestration Designer does not utilize log4j in a way that is vulnerable.

Googling a bit, I did not find any new vulnerability concerning the OSGI console. Do you have additional details?
ShackyPoh
This is something I noticed when I was fiddling around with plugins and project imports.

Not sure if the old log4j comes from the plugin itself (oceana pdc plugin) but when the plugin was first installed, a folder was created with the old log4j inside. [Path: E:\Program Files\Eclipse 8.1.2\configuration\org.eclipse.osgi\1015\0\.cp\lib\log4j-1.2.14.jar]

Now, if I remove the 1015 folder and perform a project import that already uses the plugin, the folder 1015 is not created. And if I configure another project to use the plugin, the folder 1015 is newly created but I do not locate the old log4j.

I have decided to remove the folder containing the old log4j and check each time the plugin is being newly utilized.
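The recurring check described in the post above can be scripted. This is an added example, not part of the original thread or of any Avaya or Eclipse tooling: it walks a directory such as the Eclipse `configuration` folder and reports every jar that carries Log4j classes, going by archive contents rather than file name. The function names and the two marker class paths are choices made for this example.

```python
import os
import re
import sys
import zipfile

# Class entries used here to tell the two Log4j generations apart.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/Logger.class"


def manifest_version(zf):
    """Return Implementation-Version from the jar manifest, or None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def scan_for_log4j(root):
    """Walk root and return (path, generation, version) for each Log4j jar."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    entries = set(zf.namelist())
                    version = manifest_version(zf)
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable file, or not a real archive
            if LOG4J2_MARKER in entries:
                findings.append((path, "2.x", version))
            elif LOG4J1_MARKER in entries:
                # The Log4j 2 "log4j-1.2-api" bridge also ships these classes,
                # so read the reported version before treating it as 1.x.
                findings.append((path, "1.x", version))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, generation, version in scan_for_log4j(root):
        print(f"{generation}\t{version or 'unknown'}\t{path}")
```

Run it with the Eclipse `configuration` directory as the argument after each plugin install or project import; jars nested inside other jars are not opened.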
massimo__croci
Following the same path, I don't see the folder '1015' on my installation. Did you install the AOD on a fresh Eclipse? The AOD 8.1.2 should come with Log4j 2.17.1.
