-
Task
-
Resolution: Not A Defect
-
Critical
-
PROD
Hi Team,
We are currently using the Jenkins version 2.19.1
We would like to get your opinion on this whether this version is actually infected on ongoing L0g4J issue ?
If yes, Please let us know which version of log4j jars (affected) are using in this Jenkis version and what is the Fix for this.
In this case ,If the fix is upgrading the Latest version jars means, Please advise us the stable/safe version for the replacement.
[JENKINS-67463] Log4J2 vulnerability CVE-2021-44228 - Jenkins ver. 2.19.1
Nanthakumar Ezhilmaran
created issue -
Nanthakumar Ezhilmaran
made changes -
| Priority | Original: Major [ 3 ] | New: Critical [ 2 ] |
Ian Williams
made changes -
| Resolution | New: Not A Defect [ 7 ] | |
| Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
| Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
| Labels | Original: jenkins security | New: jcabot:001 jenkins security |
| Labels | Original: jcabot:001 jenkins security | New: jcabot:001 jcabot:002 jenkins security |
Please see the blog post Apache Log4j 2 vulnerability CVE-2021-44228 for how to check whether your Jenkins instance has log4j installed, and for links to related information.
However, Jenkins 2.19.1 is quite an old version and is vulnerable to other attacks. See Jenkins Security Advisory 2016-11-16, for example.