[JENKINS-67357] log4j dependency has critical vulnerability CVE-2021-44228 in Micro Focus Application Automation Tools Plugin

Type: Bug
Resolution: Fixed
Priority: Critical
Component/s: hp-application-automation-tools-plugin
Labels:

Similar Issues:
Powered by SuggestiMate

Show
Epic Link:
log4j CVE-2021-44228 and CVE-2021-45046
Released As:
7.2

Update to 2.15 is not sufficient due to https://nvd.nist.gov/vuln/detail/CVE-2021-45046, it requires 2.16.
This one is less important but will still be detected by scanners and alert all users.

relates to

JENKINS-67932 Jenkins Plugin Micro Focus Application Automation tool - Need this plugin which uses org.apache.logging.log4j:log4j-core:2.17.1 or higher

Resolved

Daniel Beck created issue - 2021-12-11 09:31

José María Palma made changes - 2021-12-11 16:25

Priority

Original: Minor [ 4 ]

New: Critical [ 2 ]

Mark Waite added a comment - 2021-12-13 00:19

Requires an updated library that provides the Apache Log4j 2 dependency. Once the updated library pull request is merged and released, then the plugin dependency will need to be updated and released.

Mark Waite added a comment - 2021-12-13 00:19 Requires an updated library that provides the Apache Log4j 2 dependency. Once the updated library pull request is merged and released, then the plugin dependency will need to be updated and released.

Zhipeng made changes - 2021-12-13 08:20

Assignee

Original: Paul-Adrian Tofan [ ptofan ]

New: Zhipeng [ zhipengwa ]

Zhipeng made changes - 2021-12-15 04:57

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

Wadeck Follonier made changes - 2021-12-15 08:41

Description

Original: See JENKINS-67353

New: See JENKINS-67353

(!) Update to 2.15 is not sufficient due to https://nvd.nist.gov/vuln/detail/CVE-2021-45046, it requires 2.16.
This one is less important but will still be detected by scanners and alert all users.

Wadeck Follonier made changes - 2021-12-15 08:51

Labels

Original: CVE-2021-44228 security

New: CVE-2021-44228 CVE-2021-45046 security

Hilda added a comment - 2021-12-15 09:53

Hello,

A new official version of the plugin will be released soon with the fix for log4j 2.16.

Hilda added a comment - 2021-12-15 09:53 Hello, A new official version of the plugin will be released soon with the fix for log4j 2.16.

Wadeck Follonier added a comment - 2021-12-17 08:35

FTR 7.1.2-beta contains log4j 2.15.

Wadeck Follonier added a comment - 2021-12-17 08:35 FTR 7.1.2-beta contains log4j 2.15.

Bill Hopper added a comment - 2021-12-19 19:17 - edited

Ummm... now 2.17.0 is the recommendation.

Bill Hopper added a comment - 2021-12-19 19:17 - edited Ummm... now 2.17.0 is the recommendation.

Assignee:: Zhipeng

Reporter:: Daniel Beck

Votes:: 3 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2021-12-11 09:31

Updated:: 2022-05-05 15:32

Resolved:: 2021-12-20 06:26

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Mark Waite added a comment - 2021-12-13 00:19

Expand comment: Mark Waite added a comment - 2021-12-13 00:19

Collapse comment: Hilda added a comment - 2021-12-15 09:53

Expand comment: Hilda added a comment - 2021-12-15 09:53

Collapse comment: Wadeck Follonier added a comment - 2021-12-17 08:35

Expand comment: Wadeck Follonier added a comment - 2021-12-17 08:35

Collapse comment: Bill Hopper added a comment - 2021-12-19 19:17, Edited by Bill Hopper - 2021-12-19 19:18

Expand comment: Bill Hopper added a comment - 2021-12-19 19:17, Edited by Bill Hopper - 2021-12-19 19:18

People

Dates