-
Bug
-
Resolution: Fixed
-
Minor
-
None
-
Jenkins version 2.319.2.7
Micro Focus Application Automation Tools Plugin version 7.2
We're on Jenkins cloudbees 2.319.2.7
And wanted to know if there's any eta by when we can get update for the plugin Micro Focus Application Automation Tools which uses org.apache.logging.log4j:log4j-core:2.17.1 or higher
- relates to
-
-
- Closed
-
[JENKINS-67932] Jenkins Plugin Micro Focus Application Automation tool - Need this plugin which uses org.apache.logging.log4j:log4j-core:2.17.1 or higher
Deepti Kumari
created issue -
Kalle Niemitalo
made changes -
| Link |
New:
This issue relates to |
Kalle Niemitalo
made changes -
| Component/s | New: hp-application-automation-tools-plugin [ 17322 ] | |
| Component/s | Original: core [ 15593 ] |
Bill Hopper
added a comment - log4j 2.17.2 is now the acceptable minimum. Bill Hopper
made changes -
| Issue Type | Original: New Feature [ 2 ] | New: Bug [ 1 ] |
mtnbill the vulnerability CVE-2021-44832 is described on the Apache Log4J web site as:
Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
If the attacker controls the configuration of logging on your Jenkins controller, they are already an administrator on that Jenkins controller. They can perform many operations as an administrator. Altering the logging configuration is the least of your concerns if an attacker has become an administrator on your Jenkins controller.
You're certainly welcome to press MicroFocus to update the plugin to use a newer version of Apache Log4j2, but I suspect that the upgrade from 2.17.0 to 2.17.2 will not change the actual risk to your Jenkins controller. It may satisfy scanners that can only check for the presence of a library version, but won't provide much more than that.
Bill Hopper
added a comment - markewaite has an good point. I should have simply stated that I need log4j 2.17.2.
Bill Hopper
added a comment - markewaite has an good point. I should have simply stated that I need log4j 2.17.2. 
Nissim Shitrit
made changes -
| Assignee | New: Nissim Shitrit [ nissimshitrit ] |
Harry Singh
added a comment - nissimshitrit - Is there any update on this issue? Do we know when this plugin will be available with log4j v. 2.17.2?
Harry Singh
added a comment - nissimshitrit - Is there any update on this issue? Do we know when this plugin will be available with log4j v. 2.17.2? 
Micro Focus Application Automation Tools Plugin 7.2 fixed
JENKINS-67357by upgrading to log4j 2.17.0. https://logging.apache.org/log4j/2.x/security.html says log4j 2.17.1 fixes "CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration."