Log4j Vulnerability and Third-party Plugins on JetBrains Marketplace
In the wake of the Remote Code Execution CVE-2021-44228 vulnerability in the popular Java logging library log4j, we have been checking third-party plugins distributed via JetBrains Marketplace.
Because of how many IntelliJ-based plugins there are, we initially used API Watcher to check what plugins and which of their exact versions used anything from log4j. We have temporarily hidden all plugin versions in which we detected any use of log4j.
We understand that such a check can produce some false positives. But we’d rather play it extra safe and draw the attention of many plugin authors to the potential risks, rather than miss some plugins that have repackaged log4j.
We performed an additional audit of flagged plugins and have re-listed every plugin version. If you have any issues, please contact us at firstname.lastname@example.org.
We will continue to scan plugins, both JetBrains and third-party ones, and take all the necessary actions to mitigate log4j vulnerabilities.