Issue type: Epic
Resolution: Unresolved
Priority: Critical
log4j CVE-2021-44228 and CVE-2021-45046
-
Tracking the status of the critical severity log4j RCE vulnerability CVE-2021-44228 (fixed in 2.15.0), as well as the Low severity vulnerability CVE-2021-45046 (fixed in 2.16.0).
The following plugins are known to include vulnerable releases of log4j 2.x as of Dec 10, or have included vulnerable releases of log4j 2.x in the past:
Plugin | CVE-2021-44228 | CVE-2021-45046
---|---|---
https://plugins.jenkins.io/audit-log | |
https://plugins.jenkins.io/bootstraped-multi-test-results-report | |
https://plugins.jenkins.io/checkmarx | |
https://plugins.jenkins.io/cmakebuilder | |
https://plugins.jenkins.io/cucumber-reports | |
https://plugins.jenkins.io/hp-application-automation-tools-plugin | |
https://plugins.jenkins.io/lambdatest-automation | |
https://plugins.jenkins.io/peass-ci | |
https://plugins.jenkins.io/pipeline-huaweicloud-plugin | |
https://plugins.jenkins.io/reliza-integration | |
https://plugins.jenkins.io/semantic-versioning-plugin | |
https://plugins.jenkins.io/talend | |
https://plugins.jenkins.io/testdroid-run-in-cloud | |
https://plugins.jenkins.io/thundra-foresight | |
https://plugins.jenkins.io/venafi-vcert | |
https://plugins.jenkins.io/xray-connector | |
Some references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://logging.apache.org/log4j/2.x/security.html
- https://github.com/apache/logging-log4j2/pull/608 has some useful discussion about scope and workarounds
- https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/ our blog post
- https://github.com/issues?q=org%3Ajenkinsci+CVE-2021-44228 related issues and PRs on GitHub
Summary of what we know so far:
- The vulnerability CVE-2021-44228 affects log4j 2.x only. It was introduced in version 2.0-beta9 and fixed in 2.15.0-rc2. log4j 1.x is unaffected. For the vulnerability to be present, log4j-core-2.*.jar (or a shaded equivalent) needs to be bundled with the plugin; anything else (slf4j bridges, API jars, log4j 1.x) doesn't include the vulnerable class (see below).
- Recent JREs prohibit the specific LDAP RCE exploit, but other exploits exist (e.g. capturing env vars).
- Maven Shade Plugin may rename packages, so there may be matches in other packages (but a patched usage-in-plugins found none in latest plugin releases)
- Further plugins may have included the library in older releases. We are working on a list.
- log4j 2.16.0 includes a fix for another security vulnerability, see https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f. It's low severity and requires a nondefault configuration to be exploitable (or attackers able to configure logging). It affects 2.0-beta9 through 2.15.0 (inclusive) and is fixed in 2.16.0.
- The specific affected classes are org.apache.logging.log4j.core.lookup.JndiLookup and org.apache.logging.log4j.core.net.JndiManager (previously org.apache.logging.log4j.core.appender.JndiManager). The former should be removed manually according to https://logging.apache.org/log4j/2.x/security.html when using affected versions. This applies to both vulnerabilities.
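As an added example (not code from the Jenkins project or from this issue), a scanner that applies the criteria above to a plugin archive: it looks for log4j-core jars bundled inside the .hpi, reads the version from pom.properties or the jar name, checks for JndiLookup.class in any package so a Maven Shade relocation is still caught, and treats a jar with that class deleted as mitigated for both CVEs. It assumes the usual .hpi layout with jars under WEB-INF/lib/ and builds its sample plugin in memory.

```python
import io
import re
import zipfile
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAR_VERSION = re.compile(r"log4j-core-(\d[^/]*)\.jar$")
FIXED_44228, FIXED_45046 = (2, 15, 0, 1), (2, 16, 0, 1)  # first fixed release of each CVE

def version_key(v):  # "2.14.1" -> (2,14,1,1); "2.0-beta9" -> (2,0,0,0): qualifier sorts below release
    base, _, qualifier = v.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()] + [0, 0, 0]
    return tuple(nums[:3]) + (0 if qualifier else 1,)

def scan_archive(data, path=""):
    # Walk a zip and every nested jar; report any log4j-core version or a JndiLookup.class in any package (catches Maven Shade relocation)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        jndi = [n for n in names if n.endswith("/JndiLookup.class")]
        m = (re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode(), re.M)
             if POM_PROPS in names else JAR_VERSION.search(path))
        version = m.group(1).strip() if m else None
        if jndi or version:
            findings.append({"path": path, "version": version, "jndi": jndi})
        for n in [n for n in names if n.endswith(".jar")]:
            findings += scan_archive(zf.read(n), f"{path}!/{n}" if path else n)
    return findings

def assess(f):
    # -> (vulnerable to CVE-2021-44228, vulnerable to CVE-2021-45046); both need JndiLookup present; an unversioned (shaded) copy is assumed vulnerable to both
    if not f["jndi"]:
        return (False, False)
    k = version_key(f["version"]) if f["version"] else (0, 0, 0, 0)
    return (k < FIXED_44228, k < FIXED_45046)

def scan_plugin(data):
    return {f["path"]: assess(f) for f in scan_archive(data)}

def make_jar(entries):  # in-memory zip builder for the constructed sample below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items(): zf.writestr(name, body)
    return buf.getvalue()

CLASS = b"\xca\xfe\xba\xbe"  # class-file magic stands in for a real class body
# Constructed sample .hpi: 2.15.0 core (44228 fixed only), 2.14.1 core with JndiLookup deleted, API jar, unversioned shaded copy
SAMPLE_HPI = make_jar({
    "WEB-INF/lib/log4j-core-2.15.0.jar": make_jar({"org/apache/logging/log4j/core/lookup/JndiLookup.class": CLASS, POM_PROPS: "version=2.15.0\n"}),
    "WEB-INF/lib/log4j-core-2.14.1.jar": make_jar({POM_PROPS: "version=2.14.1\n"}),
    "WEB-INF/lib/log4j-api-2.15.0.jar": make_jar({"org/apache/logging/log4j/Logger.class": CLASS}),
    "WEB-INF/lib/vendor-shaded.jar": make_jar({"com/example/shaded/log4j/core/lookup/JndiLookup.class": CLASS}),
})
```

Running `scan_plugin(SAMPLE_HPI)` reports the 2.15.0 core as vulnerable to CVE-2021-45046 only, the shaded copy as vulnerable to both, the jar with JndiLookup deleted as clean, and does not report the API jar at all.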
Related issue: JENKINS-67424 Checkmarx Plugin contains vulnerability in log4j-core version 2.16 (Resolved)
[JENKINS-67353] log4j CVE-2021-44228 and CVE-2021-45046 in Jenkins
Description | Original: Tracking the status of the critical log4j RCE vulnerability. | New: Tracking the status of the critical log4j RCE vulnerability [CVE-2021-44228|https://nvd.nist.gov/vuln/detail/CVE-2021-44228]. |
Link | New: This issue relates to SECURITY-2569 [ SECURITY-2569 ] |
Remote Link | New: This issue links to "jenkinsci/plugin-pom#465 (Web Link)" [ 27279 ] |
Remote Link | New: This issue links to "jenkinsci/pom#205 (Web Link)" [ 27280 ] |
Description | New:
Tracking the status of the critical log4j RCE vulnerability [CVE-2021-44228|https://nvd.nist.gov/vuln/detail/CVE-2021-44228].
Summary of what we know so far:
* The vulnerability affects log4j 2.x only. It was introduced in version *2.0-beta9* and fixed in *2.15.0-rc2*. log4j 1.x is unaffected.
* The specific affected classes are *{{org.apache.logging.log4j.core.lookup.JndiLookup}}* and {{org.apache.logging.log4j.core.net.JndiManager}} (previously {{org.apache.logging.log4j.core.appender.JndiManager}}). The former should be removed manually according to [https://logging.apache.org/log4j/2.x/security.html] when using affected versions.
* Maven Shade Plugin may rename packages, so there may be inexact matches. |
Description | New:
Tracking the status of the critical log4j RCE vulnerability [CVE-2021-44228|https://nvd.nist.gov/vuln/detail/CVE-2021-44228].
Summary of what we know so far:
* The vulnerability affects log4j 2.x only. It was introduced in version *2.0-beta9* and fixed in *2.15.0-rc2*. log4j 1.x is unaffected.
* The specific affected classes are *{{org.apache.logging.log4j.core.lookup.JndiLookup}}* and {{org.apache.logging.log4j.core.net.JndiManager}} (previously {{org.apache.logging.log4j.core.appender.JndiManager}}). The former should be removed manually according to [https://logging.apache.org/log4j/2.x/security.html] when using affected versions.
* Maven Shade Plugin may rename packages, so there may be inexact matches (but a patched usage-in-plugins found none in latest plugin releases) |
Description | New:
Tracking the status of the critical log4j RCE vulnerability [CVE-2021-44228|https://nvd.nist.gov/vuln/detail/CVE-2021-44228].
Summary of what we know so far:
* The vulnerability affects log4j 2.x only. It was introduced in version *2.0-beta9* and fixed in *2.15.0-rc2*. log4j 1.x is unaffected.
* The specific affected classes are *{{org.apache.logging.log4j.core.lookup.JndiLookup}}* and {{org.apache.logging.log4j.core.net.JndiManager}} (previously {{org.apache.logging.log4j.core.appender.JndiManager}}). The former should be removed manually according to [https://logging.apache.org/log4j/2.x/security.html] when using affected versions.
* Maven Shade Plugin may rename packages, so there may be matches in other packages (but a patched usage-in-plugins found none in latest plugin releases) |
Description | New:
Tracking the status of the critical log4j RCE vulnerability [CVE-2021-44228|https://nvd.nist.gov/vuln/detail/CVE-2021-44228].
Some references:
* [https://www.lunasec.io/docs/blog/log4j-zero-day/]
* [https://logging.apache.org/log4j/2.x/security.html]
* [https://github.com/apache/logging-log4j2/pull/608]
Summary of what we know so far:
* The vulnerability affects log4j 2.x only. It was introduced in version *2.0-beta9* and fixed in *2.15.0-rc2*. log4j 1.x is unaffected.
* Recent JREs prohibit the specific LDAP RCE exploit, but other exploits exist (e.g. capturing env vars).
* The specific affected classes are *{{org.apache.logging.log4j.core.lookup.JndiLookup}}* and {{org.apache.logging.log4j.core.net.JndiManager}} (previously {{org.apache.logging.log4j.core.appender.JndiManager}}). The former should be removed manually according to [https://logging.apache.org/log4j/2.x/security.html] when using affected versions.
* Maven Shade Plugin may rename packages, so there may be matches in other packages (but a patched usage-in-plugins found none in latest plugin releases) |