During analysis, there is a single presence of log4j2 in an embedded plugin in MyEclipse, specifically used as part of a client to OpenShift. This client is brought in as part of a transitive dependency, though it does not specifically use log4j2 in MyEclipse normal usage. This log4shell instance is only used if you explicitly turn on tracing options for the org.jboss.tools.openshift.client plugin and are also using the OpenShift client. In addition, as it is not logging data from untrusted sources, there appears no detected vulnerability at this time, even if you had explicitly turned on logging.
If you are concerned, we suggest running the following tool which can remove the offending JndiLookup class without impacting any functionality.
java -jar logpresso-log4j2-scan-2.1.2.jar --fix "[me-install-dir]"
CodeTogether Container for On-Premises Installations
Log4j2 is present in jvb.jar, which is part of the Jitsi Videobridge – it is not used at runtime.
A write-up regarding Jitsi and CVE_2021-44228 can be found here:
Specifically, we do not enable callstats for various reasons, one being as it would expose behavior of A/V calls outside of your network.
To avoid confusion from false positive scans, we will be upgrading the component of JVB officially in our next CodeTogether 5.1 release, expected at the start of January.