The following plugins are known to include vulnerable releases of log4j 2.x as of Dec 10, or have included vulnerable releases of log4j 2.x in the past:
| Plugin | Initial status | Current status |
|---|---|---|
| https://plugins.jenkins.io/bootstraped-multi-test-results-report | updated to 2.17.0 in 2.2.1 | Same |
| https://plugins.jenkins.io/cmakebuilder | log4j 2.x only present in 2.6.1 (obsolete since mid 2019) | Same |
| https://plugins.jenkins.io/cucumber-reports | log4j 2.x only present in 1.1.0 through 3.16.0 (both inclusive), obsolete since mid 2018 | Same |
| https://plugins.jenkins.io/peass-ci | #71 updated to 2.15.0 in 2.0.0-540.v244012ecda48 | #73 updated to 2.17.0 in 2.0.0-576.vbc3d83ca3c4a |
| https://plugins.jenkins.io/pipeline-huaweicloud-plugin | JENKINS-67359 no fix as of 0.0.1 | Also tracked in JENKINS-67359 |
| https://plugins.jenkins.io/reliza-integration | updated to 2.15.0 in 0.1.14 | Updated to 2.17.0 in 0.1.15 |
| https://plugins.jenkins.io/semantic-versioning-plugin | log4j 2.x only present in 1.0 through 1.3 (both inclusive), obsolete since mid 2014 | Same |
| https://plugins.jenkins.io/testdroid-run-in-cloud | JENKINS-67361 no fix as of 2.116.0 | Also tracked in JENKINS-67361 |
| https://plugins.jenkins.io/thundra-foresight | #3 no fix as of 11.vbc9483778bb3 | Also tracked in #3 |
| https://plugins.jenkins.io/venafi-vcert | #9 no fix as of 2.0.0 | Also tracked in #9 |
| https://plugins.jenkins.io/xray-connector | #53 updated to 2.16.0 in 184.108.40.206 | Same |
- https://github.com/apache/logging-log4j2/pull/608 has some useful discussion about scope and workarounds
- https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/ our blog post
- https://github.com/issues?q=org%3Ajenkinsci+CVE-2021-44228 related issues and PRs on GitHub
Summary of what we know so far:
- The vulnerability CVE-2021-44228 affects log4j 2.x only. It was introduced in version 2.0-beta9 and fixed in 2.15.0-rc2. log4j 1.x is unaffected. For the vulnerability to be present, log4j-core-2.*.jar (or a shaded equivalent) needs to be bundled with the plugin; anything else (slf4j bridges, API jars, log4j 1.x) does not include the vulnerable class (see below).
- Recent JREs prohibit the specific LDAP RCE exploit, but other exploits exist (e.g. capturing environment variables).
- The Maven Shade Plugin may rename packages, so the vulnerable classes may also appear under other package names (a patched usage-in-plugins run found none in the latest plugin releases).
- Further plugins may have included the library in older releases. We are working on a list.
- log4j 2.16.0 includes a fix for another security vulnerability, see https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f. It is low severity and requires a non-default configuration to be exploitable (or attackers able to configure logging). It affects 2.0-beta9 through 2.15.0 (inclusive) and is fixed in 2.16.0.
- The specific affected classes are org.apache.logging.log4j.core.lookup.JndiLookup and org.apache.logging.log4j.core.net.JndiManager (previously org.apache.logging.log4j.core.appender.JndiManager). The former should be removed manually according to https://logging.apache.org/log4j/2.x/security.html when using affected versions. This applies to both vulnerabilities.
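The three points above (only log4j-core carries the affected classes, shading may rename their packages, and the 2.15.0 / 2.16.0 fix thresholds) can be turned into an inventory check over installed Jenkins plugins. The following scanner is an added example, not code from the Jenkins project: it opens each .hpi/.jpi archive, looks inside every jar under WEB-INF/lib for a file named JndiLookup.class or JndiManager.class regardless of package, reads the bundled log4j-core version from its Maven pom.properties when present, and flags which of the two CVEs the version falls under. The sample archives it builds are constructed stand-ins, not real plugins.

```python
import io
import re
import zipfile

# Matched by file name only, so packages renamed by the Maven Shade Plugin are still caught.
JNDI_CLASSES = ("JndiLookup.class", "JndiManager.class")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def version_key(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0): only numeric segments count."""
    nums = [int(m.group(1)) for m in re.finditer(r"(?:^|\.)(\d+)", version)]
    return tuple((nums + [0, 0, 0])[:3])

def scan_plugin(hpi_bytes, name="plugin.hpi"):
    """Inspect one .hpi/.jpi archive and every jar under WEB-INF/lib inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as hpi:
        jars = [n for n in hpi.namelist() if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]
        for entry in jars:
            with zipfile.ZipFile(io.BytesIO(hpi.read(entry))) as jar:
                classes = [n for n in jar.namelist() if n.endswith(JNDI_CLASSES)]
                if not classes:
                    continue
                version = None
                if POM_PROPS in jar.namelist():
                    m = re.search(r"^version=(.+)$", jar.read(POM_PROPS).decode(), re.M)
                    version = m.group(1).strip() if m else None
                key = version_key(version) if version else None
                findings.append({
                    "plugin": name, "jar": entry, "classes": classes,
                    "version": version or "unknown (no pom.properties; possibly shaded)",
                    # An unknown version is reported as affected so that a human checks it.
                    "cve_2021_44228": key is None or key < (2, 15, 0),
                    "cve_2021_45046": key is None or key < (2, 16, 0),
                })
    return findings

def build_sample_hpi(log4j_version, shaded=False):
    """Constructed sample archive (not a real plugin) so the demo runs offline."""
    pkg = "shaded/log4j/" if shaded else "org/apache/logging/log4j/core/lookup/"
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr(pkg + "JndiLookup.class", b"\xca\xfe\xba\xbe")  # stand-in bytes
        if log4j_version:
            jar.writestr(POM_PROPS, f"version={log4j_version}\n")
    hpi_buf = io.BytesIO()
    with zipfile.ZipFile(hpi_buf, "w") as hpi:
        hpi.writestr("WEB-INF/lib/log4j-core-demo.jar", jar_buf.getvalue())
    return hpi_buf.getvalue()
```

On a real controller, call `scan_plugin(path.read_bytes(), path.name)` for each `*.jpi` / `*.hpi` under `$JENKINS_HOME/plugins`; a 2.17.0 jar still lists JndiLookup.class (the class exists but is disabled there), so the version flags, not the class hit alone, decide exposure.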