Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-67353

log4j CVE-2021-44228 and CVE-2021-45046 in Jenkins

    • log4j CVE-2021-44228 and CVE-2021-45046

      Tracking the status of the critical severity log4j RCE vulnerability CVE-2021-44228 (fixed in 2.15.0), as well as the Low severity vulnerability CVE-2021-45046 (fixed in 2.16.0).

      The following plugins are known to include vulnerable releases of log4j 2.x as of Dec 10, or have included vulnerable releases of log4j 2.x in the past:

      Plugin CVE-2021-44228 CVE-2021-45046
      https://plugins.jenkins.io/audit-log JENKINS-67355 updated to 2.16.0 in 1.3 Same
      https://plugins.jenkins.io/bootstraped-multi-test-results-report updated to 2.17.0 in 2.2.1 Same
      https://plugins.jenkins.io/checkmarx JENKINS-67356 updated to 2.16.0 in 2021.4.3 Same
      https://plugins.jenkins.io/cmakebuilder log4j 2.x only present in 2.6.1 (obsolete since mid 2019) Same
      https://plugins.jenkins.io/cucumber-reports log4j 2.x only present in 1.1.0 through 3.16.0 (both inclusive), obsolete since mid 2018 Same
      https://plugins.jenkins.io/hp-application-automation-tools-plugin JENKINS-67357 updated to 2.17.0 in 7.2 Same
      https://plugins.jenkins.io/lambdatest-automation JENKINS-67358 Log4j fully removed in 1.20.0 Same
      https://plugins.jenkins.io/peass-ci #71 updated to 2.15.0 in 2.0.0-540.v244012ecda48 #73 updated to 2.17.0 in 2.0.0-576.vbc3d83ca3c4a
      https://plugins.jenkins.io/pipeline-huaweicloud-plugin JENKINS-67359 no fix as of 0.0.1 Also tracked in JENKINS-67359
      https://plugins.jenkins.io/reliza-integration updated to 2.15.0 in 0.1.14 Updated to 2.17.0 in 0.1.15
      https://plugins.jenkins.io/semantic-versioning-plugin log4j 2.x only present in 1.0 through 1.3 (both inclusive), obsolete since mid 2014 Same
      https://plugins.jenkins.io/talend JENKINS-67360 updated to 2.15.0 in 1.3-rc42.f3ec422d618b JENKINS-67369 log4j removed from 1.4-rc43.dbb2c0671f67
      https://plugins.jenkins.io/testdroid-run-in-cloud JENKINS-67361 Updated to 2.17.2 in 3.22.4 Same
      https://plugins.jenkins.io/thundra-foresight #5 fixed as of 13.v84a42ba15ff7 Same
      https://plugins.jenkins.io/venafi-vcert #9 no fix as of 2.0.0 Also tracked in #9
      https://plugins.jenkins.io/xray-connector #53 updated to 2.16.0 in 2.5.2.1 Same

      Some references:

      Summary of what we know so far:

      • The vulnerability CVE-2021-44228 affects log4j 2.x only. It was introduced in version 2.0-beta9 and fixed in 2.15.0-rc2. log4j 1.x is unaffected. For the vulnerability to be present, log4j-core-2.*.jar (or a shaded equivalent) needs to be bundled with the plugin, anything else (slf4j bridges, API jars, log4j 1.x) doesn't include the vulnerable class (see below).
      • Recent JREs prohibit the specific LDAP RCE exploit, but other exploits exist (e.g. capturing env vars).
      • Maven Shade Plugin may rename packages, so there may be matches in other packages (but a patched usage-in-plugins found none in latest plugin releases)
      • Further plugins may have included the library in older releases. We are working on a list.
      • log4j 2.16.0 includes a fix for another security vulnerability, see https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f It's low severity, and requires a nondefault configuration to be exploitable (or attackers able to configure logging). It affects 2.0-beta9 through 2.15.0 (inclusive) and is fixed in 2.16.0.
      • The specific affected classes are org.apache.logging.log4j.core.lookup.JndiLookup and org.apache.logging.log4j.core.net.JndiManager (previously org.apache.logging.log4j.core.appender.JndiManager). The former should be removed manually according to https://logging.apache.org/log4j/2.x/security.html when using affected versions. This applied to both vulnerabilities.

          [JENKINS-67353] log4j CVE-2021-44228 and CVE-2021-45046 in Jenkins

          Daniel Beck created issue -
          Mark Waite made changes -
          Description Original: Tracking the status of the critical log4j RCE vulnerability. New: Tracking the status of the critical log4j RCE vulnerability [CVE-2021-44228|https://nvd.nist.gov/vuln/detail/CVE-2021-44228].
          Daniel Beck made changes -
          Link New: This issue relates to SECURITY-2569 [ SECURITY-2569 ]

          Daniel Beck added a comment - - edited At the moment, based on a quick search of bundled jars in their latest releases, the following plugins seem to be affected: https://plugins.jenkins.io/audit-log 1.2 ( JENKINS-67355 ) https://plugins.jenkins.io/bootstraped-multi-test-results-report 2.1.3 https://plugins.jenkins.io/checkmarx 2021.4.2 ( JENKINS-67356 ) https://plugins.jenkins.io/hp-application-automation-tools-plugin 7.1 ( JENKINS-67357 ) https://plugins.jenkins.io/lambdatest-automation 1.19.4 ( JENKINS-67358 ) https://plugins.jenkins.io/peass-ci 2.0.0-531.vbd2ffb53e017 ( #71 ) https://plugins.jenkins.io/pipeline-huaweicloud-plugin 0.0.1 ( JENKINS-67359 ) https://plugins.jenkins.io/reliza-integration 0.1.13 ( #1 ) https://plugins.jenkins.io/talend 1.2-rc40.961f08b398b6 ( JENKINS-67360 ) https://plugins.jenkins.io/testdroid-run-in-cloud 2.116.0 ( JENKINS-67361 ) https://plugins.jenkins.io/thundra-foresight 11.vbc9483778bb3 ( #3 ) https://plugins.jenkins.io/venafi-vcert 2.0.0 ( #9 ) https://plugins.jenkins.io/xray-connector 2.5.1 ( #53 )
          Basil Crow made changes -
          Remote Link New: This issue links to "jenkinsci/plugin-pom#465 (Web Link)" [ 27279 ]
          Basil Crow made changes -
          Remote Link New: This issue links to "jenkinsci/pom#205 (Web Link)" [ 27280 ]

          Rahul Somasunderam added a comment - - edited

          I've made a PR to bootstraped-multi-test-results-report - https://github.com/web-innovate/bootstraped-multi-test-results-report/pull/100
          It hasn't been released in 3 years, so I'm not sure how soon we can get a patch release out for it.
          It's a transitive dependency of the github-plugin which appears to be popular.
          In my case it was the only plugin that used log4j >= 2.0 and < 1.15.
          I was able to create a local build and deploy the patched version from https://github.com/rahulsom/bootstraped-multi-test-results-report/tree/v2.1.4-nflx.2
          It includes that PR and a few more I've opened against that project.

          Rahul Somasunderam added a comment - - edited I've made a PR to bootstraped-multi-test-results-report - https://github.com/web-innovate/bootstraped-multi-test-results-report/pull/100 It hasn't been released in 3 years, so I'm not sure how soon we can get a patch release out for it. It's a transitive dependency of the github-plugin which appears to be popular. In my case it was the only plugin that used log4j >= 2.0 and < 1.15. I was able to create a local build and deploy the patched version from https://github.com/rahulsom/bootstraped-multi-test-results-report/tree/v2.1.4-nflx.2 It includes that PR and a few more I've opened against that project.

          Mark Waite added a comment - - edited

          rahulsom I suspect you will need to adopt the plugin. Thanks for the pull requests. If you're interested in other ideas to modernize the plugin, refer to "Contributing to Open Source", the workshop from DevOps World 2021.

          Mark Waite added a comment - - edited rahulsom I suspect you will need to adopt the plugin . Thanks for the pull requests. If you're interested in other ideas to modernize the plugin, refer to "Contributing to Open Source" , the workshop from DevOps World 2021.
          Daniel Beck made changes -
          Description Original: Tracking the status of the critical log4j RCE vulnerability [CVE-2021-44228|https://nvd.nist.gov/vuln/detail/CVE-2021-44228]. New: Tracking the status of the critical log4j RCE vulnerability [CVE-2021-44228|https://nvd.nist.gov/vuln/detail/CVE-2021-44228].

          Summary of what we know so far:
           * The vulnerability affects log4j 2.x only. It was introduced in version *2.0-beta9* and fixed in *2.15.0-rc2*. log4j 1.x is unaffected.
           * The specific affected classes are *{{org.apache.logging.log4j.core.lookup.JndiLookup}}* and {{org.apache.logging.log4j.core.net.JndiManager}} (previously {{org.apache.logging.log4j.core.appender.JndiManager}}). The former should be removed manually according to [https://logging.apache.org/log4j/2.x/security.html] when using affected versions.
           * Maven Shade Plugin may rename packages, so there may be inexact matches.

          Daniel Beck added a comment -

          Applying the patch

          $ git diff
          diff --git a/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java b/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java
          index f19b40e..ca0c103 100644
          --- a/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java
          +++ b/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java
          @@ -164,6 +164,9 @@ public class DeprecatedUsage {
                * @see Options
                */
               private boolean shouldAnalyze(String className)  {
          +        if (className.endsWith("JndiLookup")) {
          +            System.err.println("Found " + className + " in " + this.plugin.artifactId);
          +        }
           
                   if (className.endsWith("DefaultTypeTransformation")) {
                       // various DefaultTypeTransformation#box signatures seem false positive in plugins written in Groovy
          

          to https://github.com/jenkins-infra/usage-in-plugins to identify shaded dependencies.

          I did not find any results not already identified previously:

          Found org/apache/logging/log4j/core/lookup/JndiLookup in audit-log
          Found org/apache/logging/log4j/core/lookup/JndiLookup in bootstraped-multi-test-results-report
          Found org/apache/logging/log4j/core/lookup/JndiLookup in checkmarx
          Found org/apache/logging/log4j/core/lookup/JndiLookup in hp-application-automation-tools-plugin
          Found org/apache/logging/log4j/core/lookup/JndiLookup in lambdatest-automation
          Found org/apache/logging/log4j/core/lookup/JndiLookup in peass-ci
          Found org/apache/logging/log4j/core/lookup/JndiLookup in pipeline-huaweicloud-plugin
          Found org/apache/logging/log4j/core/lookup/JndiLookup in reliza-integration
          Found org/apache/logging/log4j/core/lookup/JndiLookup in talend
          Found org/apache/logging/log4j/core/lookup/JndiLookup in testdroid-run-in-cloud
          Found org/apache/logging/log4j/core/lookup/JndiLookup in thundra-foresight
          Found org/apache/logging/log4j/core/lookup/JndiLookup in venafi-vcert
          Found org/apache/logging/log4j/core/lookup/JndiLookup in xray-connector
          

          Daniel Beck added a comment - Applying the patch $ git diff diff --git a/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java b/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java index f19b40e..ca0c103 100644 --- a/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java +++ b/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java @@ -164,6 +164,9 @@ public class DeprecatedUsage { * @see Options */ private boolean shouldAnalyze(String className) { + if (className.endsWith("JndiLookup")) { + System.err.println("Found " + className + " in " + this.plugin.artifactId); + } if (className.endsWith("DefaultTypeTransformation")) { // various DefaultTypeTransformation#box signatures seem false positive in plugins written in Groovy to https://github.com/jenkins-infra/usage-in-plugins to identify shaded dependencies. I did not find any results not already identified previously: Found org/apache/logging/log4j/core/lookup/JndiLookup in audit-log Found org/apache/logging/log4j/core/lookup/JndiLookup in bootstraped-multi-test-results-report Found org/apache/logging/log4j/core/lookup/JndiLookup in checkmarx Found org/apache/logging/log4j/core/lookup/JndiLookup in hp-application-automation-tools-plugin Found org/apache/logging/log4j/core/lookup/JndiLookup in lambdatest-automation Found org/apache/logging/log4j/core/lookup/JndiLookup in peass-ci Found org/apache/logging/log4j/core/lookup/JndiLookup in pipeline-huaweicloud-plugin Found org/apache/logging/log4j/core/lookup/JndiLookup in reliza-integration Found org/apache/logging/log4j/core/lookup/JndiLookup in talend Found org/apache/logging/log4j/core/lookup/JndiLookup in testdroid-run-in-cloud Found org/apache/logging/log4j/core/lookup/JndiLookup in thundra-foresight Found org/apache/logging/log4j/core/lookup/JndiLookup in venafi-vcert Found org/apache/logging/log4j/core/lookup/JndiLookup in xray-connector

            Unassigned Unassigned
            danielbeck Daniel Beck
            Votes:
            1 Vote for this issue
            Watchers:
            19 Start watching this issue

              Created:
              Updated: