Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-67353

log4j CVE-2021-44228 and CVE-2021-45046 in Jenkins

    • log4j CVE-2021-44228 and CVE-2021-45046

      Tracking the status of the critical severity log4j RCE vulnerability CVE-2021-44228 (fixed in 2.15.0), as well as the Low severity vulnerability CVE-2021-45046 (fixed in 2.16.0).

      The following plugins are known to include vulnerable releases of log4j 2.x as of Dec 10, or have included vulnerable releases of log4j 2.x in the past:

      Plugin CVE-2021-44228 CVE-2021-45046
      https://plugins.jenkins.io/audit-log JENKINS-67355 updated to 2.16.0 in 1.3 Same
      https://plugins.jenkins.io/bootstraped-multi-test-results-report updated to 2.17.0 in 2.2.1 Same
      https://plugins.jenkins.io/checkmarx JENKINS-67356 updated to 2.16.0 in 2021.4.3 Same
      https://plugins.jenkins.io/cmakebuilder log4j 2.x only present in 2.6.1 (obsolete since mid 2019) Same
      https://plugins.jenkins.io/cucumber-reports log4j 2.x only present in 1.1.0 through 3.16.0 (both inclusive), obsolete since mid 2018 Same
      https://plugins.jenkins.io/hp-application-automation-tools-plugin JENKINS-67357 updated to 2.17.0 in 7.2 Same
      https://plugins.jenkins.io/lambdatest-automation JENKINS-67358 Log4j fully removed in 1.20.0 Same
      https://plugins.jenkins.io/peass-ci #71 updated to 2.15.0 in 2.0.0-540.v244012ecda48 #73 updated to 2.17.0 in 2.0.0-576.vbc3d83ca3c4a
      https://plugins.jenkins.io/pipeline-huaweicloud-plugin JENKINS-67359 no fix as of 0.0.1 Also tracked in JENKINS-67359
      https://plugins.jenkins.io/reliza-integration updated to 2.15.0 in 0.1.14 Updated to 2.17.0 in 0.1.15
      https://plugins.jenkins.io/semantic-versioning-plugin log4j 2.x only present in 1.0 through 1.3 (both inclusive), obsolete since mid 2014 Same
      https://plugins.jenkins.io/talend JENKINS-67360 updated to 2.15.0 in 1.3-rc42.f3ec422d618b JENKINS-67369 log4j removed from 1.4-rc43.dbb2c0671f67
      https://plugins.jenkins.io/testdroid-run-in-cloud JENKINS-67361 Updated to 2.17.2 in 3.22.4 Same
      https://plugins.jenkins.io/thundra-foresight #5 fixed as of 13.v84a42ba15ff7 Same
      https://plugins.jenkins.io/venafi-vcert #9 no fix as of 2.0.0 Also tracked in #9
      https://plugins.jenkins.io/xray-connector #53 updated to 2.16.0 in 2.5.2.1 Same

      Some references:

      Summary of what we know so far:

      • The vulnerability CVE-2021-44228 affects log4j 2.x only. It was introduced in version 2.0-beta9 and fixed in 2.15.0-rc2. log4j 1.x is unaffected. For the vulnerability to be present, log4j-core-2.*.jar (or a shaded equivalent) needs to be bundled with the plugin, anything else (slf4j bridges, API jars, log4j 1.x) doesn't include the vulnerable class (see below).
      • Recent JREs prohibit the specific LDAP RCE exploit, but other exploits exist (e.g. capturing env vars).
      • Maven Shade Plugin may rename packages, so there may be matches in other packages (but a patched usage-in-plugins found none in latest plugin releases)
      • Further plugins may have included the library in older releases. We are working on a list.
      • log4j 2.16.0 includes a fix for another security vulnerability, see https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f It's low severity, and requires a nondefault configuration to be exploitable (or attackers able to configure logging). It affects 2.0-beta9 through 2.15.0 (inclusive) and is fixed in 2.16.0.
      • The specific affected classes are org.apache.logging.log4j.core.lookup.JndiLookup and org.apache.logging.log4j.core.net.JndiManager (previously org.apache.logging.log4j.core.appender.JndiManager). The former should be removed manually according to https://logging.apache.org/log4j/2.x/security.html when using affected versions. This applied to both vulnerabilities.

          [JENKINS-67353] log4j CVE-2021-44228 and CVE-2021-45046 in Jenkins

          SLF4J Comments on the CVE-2021-44228 vulnerability - http://slf4j.org/log4shell.html

          Conrad T. Pino added a comment - SLF4J Comments on the CVE-2021-44228 vulnerability - http://slf4j.org/log4shell.html

          Daniel Beck added a comment - - edited

          The list in the issue description should now be complete (unless some plugins apply some very unusual repackaging to their dependencies).

          Besides the top-level search for presence of log4j-core-xx.jar, I also looked for any (possibly shaded) JndiLookup.class in any other included jars, and only found thundra-agent-maven-test-instrumentation-0.0.6.jar which is part of thundra-foresight 11.vbc9483778bb3, which we've already identified through its bundled log4j-core-xx.jar.

          Daniel Beck added a comment - - edited The list in the issue description should now be complete (unless some plugins apply some very unusual repackaging to their dependencies). Besides the top-level search for presence of log4j-core-xx.jar , I also looked for any (possibly shaded) JndiLookup.class in any other included jars, and only found  thundra-agent-maven-test-instrumentation-0.0.6.jar which is part of thundra-foresight 11.vbc9483778bb3, which we've already identified through its bundled log4j-core-xx.jar .

          Ian Williams added a comment -

          Latest from Apache suggests there exists a possible edge case DOS via infinite recursion - CVE-2021-45105 and the fix in delivered in log4-2.17.0

          Ian Williams added a comment - Latest from Apache suggests there exists a possible edge case DOS via infinite recursion - CVE-2021-45105 and the fix in delivered in log4-2.17.0

          ianw You're correct. Due to the more configuration requirements for the second and third vulnerabilities, I regret to have added 2.16 tracking here. I would bet that only 2.15 matters for our plugins.

          Wadeck Follonier added a comment - ianw You're correct. Due to the more configuration requirements for the second and third vulnerabilities, I regret to have added 2.16 tracking here. I would bet that only 2.15 matters for our plugins.

          Ian Williams added a comment -

          wfollonier, it's just like Covid; you need the vaccine, first and second dose, plus a booster. Let's hope that the end of it after this!

          Ian Williams added a comment - wfollonier , it's just like Covid; you need the vaccine, first and second dose, plus a booster. Let's hope that the end of it after this!

          https://github.com/web-innovate/bootstraped-multi-test-results-report
          I'm stuck with releasing it, as I can't access the account I was using to publish new versions
          I've submitted a permission change in: https://github.com/jenkins-infra/repository-permissions-updater/pull/2269

          once this one lands in, and I can push something, 2.2.x will be released and will include the fixes for the log4j, along with some more stuff

          Livadariu Bogdan added a comment - https://github.com/web-innovate/bootstraped-multi-test-results-report I'm stuck with releasing it, as I can't access the account I was using to publish new versions I've submitted a permission change in: https://github.com/jenkins-infra/repository-permissions-updater/pull/2269 once this one lands in, and I can push something, 2.2.x will be released and will include the fixes for the log4j, along with some more stuff

          for https://github.com/web-innovate/bootstraped-multi-test-results-report 2.2.1 version has been released, it will become available shortly

          thanks

          Bogdan Livadariu added a comment - for https://github.com/web-innovate/bootstraped-multi-test-results-report 2.2.1 version has been released, it will become available shortly thanks

          bogdanlivadariu bobo_4r3al Thanks for the release, table updated

          Wadeck Follonier added a comment - bogdanlivadariu bobo_4r3al Thanks for the release, table updated

          Dave added a comment -

          Just found that the plugin, analysis-model-api, uses the log4j library

          https://github.com/jenkinsci/analysis-model-api-plugin

           

          Thanks!

          Dave added a comment - Just found that the plugin, analysis-model-api, uses the log4j library https://github.com/jenkinsci/analysis-model-api-plugin   Thanks!

          Mark Waite added a comment -

          daveaugustus the use of log4j does not make the plugin vulnerable. Unless you have specific details that show that a vulnerable version of log4j is included in the plugin, then its use of log4j is not an issue. The most recent release of analysis model api plugin includes log4j 2.19.0 in its packaging. The log4j 2.19.0 release is not vulnerable.

          Mark Waite added a comment - daveaugustus the use of log4j does not make the plugin vulnerable. Unless you have specific details that show that a vulnerable version of log4j is included in the plugin, then its use of log4j is not an issue. The most recent release of analysis model api plugin includes log4j 2.19.0 in its packaging. The log4j 2.19.0 release is not vulnerable.

            Unassigned Unassigned
            danielbeck Daniel Beck
            Votes:
            1 Vote for this issue
            Watchers:
            19 Start watching this issue

              Created:
              Updated: