This service release of Eclipse Kura fixes the Log4J vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105
by updating the Log4J dependencies to 2.17.0. Slf4J has been updated as well to 1.7.32.
Target Platform Updates
Eclipse Kura is released as pre-compiled binary installers for the following platforms:
Eclipse Kura 4.1.3 is a service release to address various CVEs in framework dependencies. In particular, the release addressed CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 by updating Log4J to version 2.17.0. Further platform updates are for Google Protobuf to 3.8.0 and Jetty to version 9.4.41.
MicroProfile Context Propagation 1.3 adds support for Jakarta EE 9. The specification API itself has no dependency on Jakarta EE or Java EE and is identical to MicroProfile Context Propagation 1.2. However, the TCK for MicroProfile Context Propagation 1.3 is updated to use jakarta package names from Jakarta EE 9.