Details
-
Epic
-
Status: Open (View Workflow)
-
Critical
-
Resolution: Unresolved
-
log4j CVE-2021-44228 and CVE-2021-45046
-
Description
Tracking the status of the critical severity log4j RCE vulnerability CVE-2021-44228 (fixed in 2.15.0), as well as the Low severity vulnerability CVE-2021-45046 (fixed in 2.16.0).
The following plugins are known to include vulnerable releases of log4j 2.x as of Dec 10, or have included vulnerable releases of log4j 2.x in the past:
| Plugin | CVE-2021-44228 | CVE-2021-45046 |
|---|---|---|
| https://plugins.jenkins.io/audit-log |  |
Same |
| https://plugins.jenkins.io/bootstraped-multi-test-results-report | updated to 2.17.0 in 2.2.1 |
Same |
| https://plugins.jenkins.io/checkmarx | |
Same |
| https://plugins.jenkins.io/cmakebuilder | log4j 2.x only present in 2.6.1 (obsolete since mid 2019) |
Same |
| https://plugins.jenkins.io/cucumber-reports | log4j 2.x only present in 1.1.0 through 3.16.0 (both inclusive), obsolete since mid 2018 |
Same |
| https://plugins.jenkins.io/hp-application-automation-tools-plugin | |
Same |
| https://plugins.jenkins.io/lambdatest-automation | |
Same |
| https://plugins.jenkins.io/peass-ci | #71 updated to 2.15.0 in 2.0.0-540.v244012ecda48 |
#73 updated to 2.17.0 in 2.0.0-576.vbc3d83ca3c4a |
| https://plugins.jenkins.io/pipeline-huaweicloud-plugin |  JENKINS-67359 no fix as of 0.0.1 |
 Also tracked in JENKINS-67359 |
| https://plugins.jenkins.io/reliza-integration | updated to 2.15.0 in 0.1.14 |
Updated to 2.17.0 in 0.1.15 |
| https://plugins.jenkins.io/semantic-versioning-plugin | log4j 2.x only present in 1.0 through 1.3 (both inclusive), obsolete since mid 2014 |
Same |
| https://plugins.jenkins.io/talend | |
|
| https://plugins.jenkins.io/testdroid-run-in-cloud | JENKINS-67361 no fix as of 2.116.0 |
Also tracked in JENKINS-67361 |
| https://plugins.jenkins.io/thundra-foresight | #3 no fix as of 11.vbc9483778bb3 |
Also tracked in #3 |
| https://plugins.jenkins.io/venafi-vcert | #9 no fix as of 2.0.0 |
Also tracked in #9 |
| https://plugins.jenkins.io/xray-connector | #53 updated to 2.16.0 in 2.5.2.1 |
Same |
Some references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://logging.apache.org/log4j/2.x/security.html
- https://github.com/apache/logging-log4j2/pull/608 has some useful discussion about scope and workarounds
- https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/ our blog post
- https://github.com/issues?q=org%3Ajenkinsci+CVE-2021-44228 related issues and PRs on GitHub
Summary of what we know so far:
- The vulnerability CVE-2021-44228 affects log4j 2.x only. It was introduced in version 2.0-beta9 and fixed in 2.15.0-rc2. log4j 1.x is unaffected. For the vulnerability to be present, log4j-core-2.*.jar (or a shaded equivalent) needs to be bundled with the plugin, anything else (slf4j bridges, API jars, log4j 1.x) doesn't include the vulnerable class (see below).
- Recent JREs prohibit the specific LDAP RCE exploit, but other exploits exist (e.g. capturing env vars).
- Maven Shade Plugin may rename packages, so there may be matches in other packages (but a patched usage-in-plugins found none in latest plugin releases)
- Further plugins may have included the library in older releases. We are working on a list.
- log4j 2.16.0 includes a fix for another security vulnerability, see https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f It's low severity, and requires a nondefault configuration to be exploitable (or attackers able to configure logging). It affects 2.0-beta9 through 2.15.0 (inclusive) and is fixed in 2.16.0.
- The specific affected classes are org.apache.logging.log4j.core.lookup.JndiLookup and org.apache.logging.log4j.core.net.JndiManager (previously org.apache.logging.log4j.core.appender.JndiManager). The former should be removed manually according to https://logging.apache.org/log4j/2.x/security.html when using affected versions. This applied to both vulnerabilities.
Attachments
Issue Links
- is related to
-
JENKINS-67424 Checkmarx Plugin contains vulnerability in log4j-core version 2.16
-
- Resolved
-
- links to
Activity
I've made a PR to bootstraped-multi-test-results-report - https://github.com/web-innovate/bootstraped-multi-test-results-report/pull/100
It hasn't been released in 3 years, so I'm not sure how soon we can get a patch release out for it.
It's a transitive dependency of the github-plugin which appears to be popular.
In my case it was the only plugin that used log4j >= 2.0 and < 1.15.
I was able to create a local build and deploy the patched version from https://github.com/rahulsom/bootstraped-multi-test-results-report/tree/v2.1.4-nflx.2
It includes that PR and a few more I've opened against that project.
Rahul Somasunderam
added a comment - - edited I've made a PR to bootstraped-multi-test-results-report - https://github.com/web-innovate/bootstraped-multi-test-results-report/pull/100
It hasn't been released in 3 years, so I'm not sure how soon we can get a patch release out for it.
It's a transitive dependency of the github-plugin which appears to be popular.
In my case it was the only plugin that used log4j >= 2.0 and < 1.15.
I was able to create a local build and deploy the patched version from https://github.com/rahulsom/bootstraped-multi-test-results-report/tree/v2.1.4-nflx.2
It includes that PR and a few more I've opened against that project. rahulsom I suspect you will need to adopt the plugin. Thanks for the pull requests. If you're interested in other ideas to modernize the plugin, refer to "Contributing to Open Source", the workshop from DevOps World 2021.
Applying the patch
$ git diff
diff --git a/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java b/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java
index f19b40e..ca0c103 100644
--- a/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java
+++ b/src/main/java/org/jenkinsci/deprecatedusage/DeprecatedUsage.java
@@ -164,6 +164,9 @@ public class DeprecatedUsage {
* @see Options
*/
private boolean shouldAnalyze(String className) {
+ if (className.endsWith("JndiLookup")) {
+ System.err.println("Found " + className + " in " + this.plugin.artifactId);
+ }
if (className.endsWith("DefaultTypeTransformation")) {
// various DefaultTypeTransformation#box signatures seem false positive in plugins written in Groovy
to https://github.com/jenkins-infra/usage-in-plugins to identify shaded dependencies.
I did not find any results not already identified previously:
Found org/apache/logging/log4j/core/lookup/JndiLookup in audit-log Found org/apache/logging/log4j/core/lookup/JndiLookup in bootstraped-multi-test-results-report Found org/apache/logging/log4j/core/lookup/JndiLookup in checkmarx Found org/apache/logging/log4j/core/lookup/JndiLookup in hp-application-automation-tools-plugin Found org/apache/logging/log4j/core/lookup/JndiLookup in lambdatest-automation Found org/apache/logging/log4j/core/lookup/JndiLookup in peass-ci Found org/apache/logging/log4j/core/lookup/JndiLookup in pipeline-huaweicloud-plugin Found org/apache/logging/log4j/core/lookup/JndiLookup in reliza-integration Found org/apache/logging/log4j/core/lookup/JndiLookup in talend Found org/apache/logging/log4j/core/lookup/JndiLookup in testdroid-run-in-cloud Found org/apache/logging/log4j/core/lookup/JndiLookup in thundra-foresight Found org/apache/logging/log4j/core/lookup/JndiLookup in venafi-vcert Found org/apache/logging/log4j/core/lookup/JndiLookup in xray-connector
https://plugins.jenkins.io/cucumber-reports/ included log4j 2.x from 1.1.0 to 3.16.0 (both inclusive). While long obsolete (3.17.0 released spring 2018), might still apply to some instances.
https://github.com/web-innovate/bootstraped-multi-test-results-report is the repo for that plugin. Update to log4j 2.15.0 has been merged but not released. PR is open for updating to 2.16.0.
SLF4J Comments on the CVE-2021-44228 vulnerability - http://slf4j.org/log4shell.html
The list in the issue description should now be complete (unless some plugins apply some very unusual repackaging to their dependencies).
Besides the top-level search for presence of log4j-core-xx.jar, I also looked for any (possibly shaded) JndiLookup.class in any other included jars, and only found thundra-agent-maven-test-instrumentation-0.0.6.jar which is part of thundra-foresight 11.vbc9483778bb3, which we've already identified through its bundled log4j-core-xx.jar.
Ian Williams
added a comment - Latest from Apache suggests there exists a possible edge case DOS via infinite recursion - CVE-2021-45105 and the fix in delivered in log4-2.17.0
Ian Williams
added a comment - Latest from Apache suggests there exists a possible edge case DOS via infinite recursion - CVE-2021-45105 and the fix in delivered in log4-2.17.0 ianw You're correct. Due to the more configuration requirements for the second and third vulnerabilities, I regret to have added 2.16 tracking here. I would bet that only 2.15 matters for our plugins.
Ian Williams
added a comment - wfollonier, it's just like Covid; you need the vaccine, first and second dose, plus a booster. Let's hope that the end of it after this!
Ian Williams
added a comment - wfollonier , it's just like Covid; you need the vaccine, first and second dose, plus a booster. Let's hope that the end of it after this! 
Livadariu Bogdan
added a comment - https://github.com/web-innovate/bootstraped-multi-test-results-report
I'm stuck with releasing it, as I can't access the account I was using to publish new versions 
I've submitted a permission change in: https://github.com/jenkins-infra/repository-permissions-updater/pull/2269
once this one lands in, and I can push something, 2.2.x will be released and will include the fixes for the log4j, along with some more stuff
Livadariu Bogdan
added a comment - https://github.com/web-innovate/bootstraped-multi-test-results-report
I'm stuck with releasing it, as I can't access the account I was using to publish new versions
I've submitted a permission change in: https://github.com/jenkins-infra/repository-permissions-updater/pull/2269
once this one lands in, and I can push something, 2.2.x will be released and will include the fixes for the log4j, along with some more stuff Bogdan Livadariu
added a comment - for https://github.com/web-innovate/bootstraped-multi-test-results-report 2.2.1 version has been released, it will become available shortly
thanks
Bogdan Livadariu
added a comment - for https://github.com/web-innovate/bootstraped-multi-test-results-report 2.2.1 version has been released, it will become available shortly
thanks 
Dave
added a comment - Just found that the plugin, analysis-model-api, uses the log4j library
https://github.com/jenkinsci/analysis-model-api-plugin
Thanks!
Dave
added a comment - Just found that the plugin, analysis-model-api, uses the log4j library
https://github.com/jenkinsci/analysis-model-api-plugin
Thanks! daveaugustus the use of log4j does not make the plugin vulnerable. Unless you have specific details that show that a vulnerable version of log4j is included in the plugin, then its use of log4j is not an issue. The most recent release of analysis model api plugin includes log4j 2.19.0 in its packaging. The log4j 2.19.0 release is not vulnerable.
At the moment, based on a quick search of bundled jars in their latest releases, the following plugins seem to be affected:
JENKINS-67355)JENKINS-67356)JENKINS-67357)JENKINS-67358)JENKINS-67360)