• Type: Bug
• Resolution: Fixed
• Priority: Critical
• Component/s: checkmarx-plugin
• Labels:

  • CVE-2021-44228
  • jcabot:001
  • jcabot:002
  • security

[JENKINS-67356] log4j dependency has critical vulnerability CVE-2021-44228 in Checkmarx Plugin

Daniel Beck created issue - 2021-12-11 09:30

Daniel Beck made changes - 2021-12-11 21:51

Priority

Original: Minor [ 4 ]

New: Critical [ 2 ]

Mark Waite made changes - 2021-12-12 23:49

Remote Link

New: This issue links to "PR 83 with proposed dependency update to Apache Log4j 2 2.15.0 (Web Link)" [ 27287 ]

Wadeck Follonier made changes - 2021-12-15 08:40

Description

Original: See JENKINS-67353

New: See JENKINS-67353 (!) Update to 2.15 is not sufficient due to https://nvd.nist.gov/vuln/detail/CVE-2021-45046, it requires 2.16. This one is less important but will still be detected by scanners and alert all users.

Mark Waite made changes - 2021-12-16 11:39

Remote Link

New: This issue links to "PR-81 updates to Apache Log4j 2 release 2.16.0 (Web Link)" [ 27294 ]

Mark Waite made changes - 2021-12-16 11:39

Remote Link

Original: This issue links to "PR 83 with proposed dependency update to Apache Log4j 2 2.15.0 (Web Link)" [ 27287 ]

Mark Waite made changes - 2021-12-16 11:40

Resolution		New: Fixed [ 1 ]
Status	Original: Open [ 1 ]	New: Fixed but Unreleased [ 10203 ]

Daniel Beck made changes - 2021-12-16 12:01

Released As

New: 2021.4.3

Daniel Beck made changes - 2021-12-16 16:41

Status

Original: Fixed but Unreleased [ 10203 ]

New: Closed [ 6 ]

Jenkins CERT Bot made changes - 2022-01-30 16:02

Labels

Original: CVE-2021-44228 security

New: CVE-2021-44228 jcabot:001 jcabot:002 security