[JENKINS-67932] Jenkins Plugin Micro Focus Application Automation tool - Need this plugin which uses org.apache.logging.log4j:log4j-core:2.17.1 or higher

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Environment: Jenkins version 2.319.2.7; Micro Focus Application Automation Tools Plugin version 7.2

      We're on Jenkins CloudBees 2.319.2.7

      and wanted to know if there's any ETA for when we can get an update for the plugin Micro Focus Application Automation Tools which uses org.apache.logging.log4j:log4j-core:2.17.1 or higher.


          Kalle Niemitalo added a comment -

          Micro Focus Application Automation Tools Plugin 7.2 fixed JENKINS-67357 by upgrading to log4j 2.17.0. https://logging.apache.org/log4j/2.x/security.html says log4j 2.17.1 fixes "CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration."

          Bill Hopper added a comment -

          log4j 2.17.2 is now the acceptable minimum.


          Mark Waite added a comment -

          mtnbill, the vulnerability CVE-2021-44832 is described on the Apache Log4j web site as:

          Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

          If the attacker controls the configuration of logging on your Jenkins controller, they are already an administrator on that Jenkins controller. They can perform many operations as an administrator. Altering the logging configuration is the least of your concerns if an attacker has become an administrator on your Jenkins controller.

          You're certainly welcome to press MicroFocus to update the plugin to use a newer version of Apache Log4j2, but I suspect that the upgrade from 2.17.0 to 2.17.2 will not change the actual risk to your Jenkins controller. It may satisfy scanners that can only check for the presence of a library version, but won't provide much more than that.

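The comment above draws the line between what a version scanner sees and what an attacker can actually reach. Still, the concrete need in this thread is to find out which log4j-core a plugin archive bundles and to compare it numerically against the 2.17.2 minimum, something a file-name-only scanner gets wrong both for renamed jars and for versions like 2.9.1 versus 2.17.2. The following is an added example written for this page; it is not code from the thread, from Jenkins, or from the Micro Focus plugin. It assumes only the standard plugin layout (a .hpi/.jpi is a zip with bundled libraries under WEB-INF/lib/*.jar) and that a Maven-built log4j-core jar carries META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties. The sample archives it builds are constructed in memory so it runs offline.

```python
"""Report which log4j-core a Jenkins plugin archive (.hpi/.jpi) bundles.

Added example, not code from the JENKINS-67932 thread, from Jenkins, or from
the Micro Focus plugin. Assumptions: a plugin archive is a zip whose bundled
libraries sit under WEB-INF/lib/*.jar; a Maven-built log4j-core jar carries
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties with a
"version=" line; the minimum the thread settles on is 2.17.2.
"""
import io
import re
import sys
import zipfile

MIN_LOG4J_CORE = (2, 17, 2)  # acceptable minimum per the thread

# Where Maven records the coordinates inside a built jar (survives renaming).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Fallback: "<artifact>-<version>[-<qualifier>].jar" under WEB-INF/lib.
JAR_NAME = re.compile(
    r"^WEB-INF/lib/(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$"
)


def parse_version(text):
    """'2.17.2' -> (2, 17, 2); a qualifier such as '-rc1' is ignored.
    Tuples compare numerically, so 2.9.1 < 2.17.2 (a plain string
    comparison would get that wrong)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group().split("."))


def log4j_core_versions(hpi_bytes):
    """Return every log4j-core version bundled under WEB-INF/lib.
    Prefers pom.properties inside the jar; falls back to the file name."""
    versions = []
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as plugin:
        for name in plugin.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            with zipfile.ZipFile(io.BytesIO(plugin.read(name))) as jar:
                if POM_PROPS in jar.namelist():
                    props = dict(
                        line.split("=", 1)
                        for line in jar.read(POM_PROPS).decode().splitlines()
                        if "=" in line and not line.startswith("#")
                    )
                    versions.append(parse_version(props["version"]))
                    continue
            m = JAR_NAME.match(name)
            if m and m["artifact"] == "log4j-core":
                versions.append(parse_version(m["version"]))
    return versions


def check_log4j_core(hpi_bytes, minimum=MIN_LOG4J_CORE):
    """Return ('absent' | 'ok' | 'outdated', versions_found)."""
    found = log4j_core_versions(hpi_bytes)
    if not found:
        return "absent", found
    return ("ok" if all(v >= minimum for v in found) else "outdated"), found


def _maven_jar(artifact, version):
    """Constructed stand-in for a Maven-built jar: manifest plus pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
            f"#Generated by Maven\ngroupId=org.apache.logging.log4j\n"
            f"artifactId={artifact}\nversion={version}\n",
        )
    return buf.getvalue()


def build_sample_hpi(core_version=None, core_jar_name=None):
    """Constructed plugin archive for offline use. core_version=None bundles
    no log4j-core at all; core_jar_name overrides the file name (e.g. a jar
    renamed so a file-name-only scanner cannot see its version)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as hpi:
        hpi.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nShort-Name: sample\n")
        hpi.writestr("WEB-INF/lib/log4j-api-2.17.2.jar", _maven_jar("log4j-api", "2.17.2"))
        if core_version is not None:
            name = core_jar_name or f"log4j-core-{core_version}.jar"
            hpi.writestr(f"WEB-INF/lib/{name}", _maven_jar("log4j-core", core_version))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_log4j_core.py /path/to/plugin.hpi (defaults to a constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hpi("2.17.0")
    status, found = check_log4j_core(data)
    print(status, [".".join(map(str, v)) for v in found])
```

Point it at a real archive from `$JENKINS_HOME/plugins/*.jpi` to see what the installed plugin actually bundles. Reading pom.properties rather than trusting the file name is what makes the check honest for renamed jars; it remains, as the comment above says, a presence check on a library version, not a statement about whether the JDBC Appender path is reachable on a given controller.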

          Bill Hopper added a comment -

          markewaite has a good point. I should have simply stated that I need log4j 2.17.2.


          Harry Singh added a comment -

          nissimshitrit - Is there any update on this issue? Do we know when this plugin will be available with log4j v. 2.17.2?


          Nissim Shitrit added a comment -

          We have an official release of the plugin on 21/6; the new release will contain the new log4j version.

          Nissim Shitrit added a comment -

          The recent plugin release has upgraded the log4j version to 2.17.2.

            Assignee: Nissim Shitrit (nissimshitrit)
            Reporter: Deepti Kumari (dee00410)
            Votes: 1
            Watchers: 6