[JENKINS-69476] log4j dependency has critical vulnerability CVE-2021-45046 in Octopus Deploy plugin

Type: Bug
Resolution: Fixed
Priority: Critical
Component/s: octopusdeploy-plugin
Labels:
- CVE-2021-44228
- security
Environment:

Hide
Jenkins: 2.346.3
OS: Linux - 4.14.35-2047.516.2.1.el7uek.x86_64
---
Office-365-Connector:4.17.0
Parameterized-Remote-Trigger:3.1.6.3
StashBranchParameter:0.3.0
ace-editor:1.1
active-directory:2.25.1
ant:475.vf34069fef73c
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61
artifactdeployer:1.2
authentication-tokens:1.4
autonomiq:1.21
backup:1.6.1
basic-branch-build-strategies:1.3.2
blueocean:1.25.6
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.6
blueocean-commons:1.25.6
blueocean-config:1.25.6
blueocean-core-js:1.25.6
blueocean-dashboard:1.25.6
blueocean-display-url:2.4.1
blueocean-events:1.25.6
blueocean-executor-info:1.25.6
blueocean-git-pipeline:1.25.6
blueocean-github-pipeline:1.25.6
blueocean-i18n:1.25.6
blueocean-jira:1.25.6
blueocean-jwt:1.25.6
blueocean-personalization:1.25.6
blueocean-pipeline-api-impl:1.25.6
blueocean-pipeline-editor:1.25.6
blueocean-pipeline-scm-api:1.25.6
blueocean-rest:1.25.6
blueocean-rest-impl:1.25.6
blueocean-web:1.25.6
bootstrap4-api:4.6.0-5
bootstrap5-api:5.2.0-1
bouncycastle-api:2.26
branch-api:2.1046.v0ca_37783ecc5
browserstack-integration:1.2.5
build-pipeline-plugin:1.5.8
build-timeout:1.21
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.5
cloudbees-bitbucket-branch-source:785.ve724eb_44e286
cloudbees-credentials:3.3
cloudbees-folder:6.740.ve4f4ffa_dea_54
command-launcher:84.v4a_97f2027398
conditional-buildstep:1.4.2
config-file-provider:3.11.1
configurationslicing:430.v966357576543
copyartifact:1.47
credentials:1139.veb_9579fca_33b_
credentials-binding:523.vd859a_4b_122e6
crx-content-package-deployer:1.9
cucumber-reports:5.7.3
delivery-pipeline-plugin:1.4.2
display-url-api:2.3.6
docker-commons:1.19
docker-workflow:521.v1a_a_dd2073b_2e
dropdown-viewstabbar-plugin:1.7
durable-task:500.v8927d9fd99d8
dynamic_extended_choice_parameter:1.0.1
echarts-api:5.3.3-1
email-ext:2.91
envfile:1.2
envinject:2.875.v9b_9e962da_a_ec
envinject-api:1.199.v3ce31253ed13
extended-choice-parameter:346.vd87693c5a_86c
extended-read-permission:3.2
extensible-choice-parameter:1.8.0
external-monitor-job:192.ve979ca_8b_3ccd
favorite:2.4.1
flaky-test-handler:1.2.2
font-awesome-api:6.1.2-1
git:4.11.4
git-client:3.11.2
git-parameter:0.9.17
git-server:1.11
github:1.34.5
github-api:1.303-400.v35c2d8258028
github-branch-source:1677.v731f745ea_0cf
github-organization-folder:1.6
gradle:1.39.4
h2-api:1.4.199
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
hidden-parameter:0.0.5
hp-application-automation-tools-plugin:7.2
hp-quality-center:1.6
htmlpublisher:1.30
http_request:1.15
icon-shim:3.0.0
jackson2-api:2.13.3-285.vc03c0256d517
jakarta-activation-api:2.0.1-1
jakarta-mail-api:2.0.1-1
javadoc:226.v71211feb_e7e9
javax-activation-api:1.2.0-4
javax-mail-api:1.6.2-7
jaxb:2.3.6-1
jdk-tool:55.v1b_32b_6ca_f9ca
jenkins-design-language:1.25.6
jersey2-api:2.36-2
jira:3.7.1
jjwt-api:0.11.5-77.v646c772fddb_0
jnr-posix-api:3.1.15-1
jobConfigHistory:1165.v8cc9fd1f4597
jquery:1.12.4-1
jquery-detached:1.2.1
jquery-ui:1.0.2
jquery3-api:3.6.0-4
jsch:0.1.55.61.va_e9ee26616e7
junit:1119.1121.vc43d0fc45561
ldap:2.12
list-git-branches-parameter:0.0.11
lockable-resources:2.16
mailer:435.v79ef3972b_5c7
mapdb-api:1.0.9-28.vf251ce40855d
mask-passwords:3.3
matrix-auth:2.6.11
matrix-project:772.v494f19991984
maven-artifact-choicelistprovider:1.11.0
maven-plugin:3.19
mercurial:2.16.2
metrics:4.2.10-389.v93143621b_050
mina-sshd-api-common:2.8.0-36.v8e25ce90d4b_1
mina-sshd-api-core:2.8.0-36.v8e25ce90d4b_1
momentjs:1.1.1
multiple-scms:0.8
nexus-artifact-uploader:2.13
nexus-jenkins-plugin:3.14.431.v37ca_dc788b_b_1
nodelabelparameter:1.11.0
octopusdeploy:3.1.8
okhttp-api:4.9.3-108.v0feda04578cf
pam-auth:1.10
parameterized-trigger:2.45
performance:3.20
pipeline-build-step:2.18
pipeline-github-lib:38.v445716ea_edda_
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:612.v84da_9c54906d
pipeline-input-step:449.v77f0e8b_845c4
pipeline-maven:1161.v89a_7dcec5d31
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2114.v2654ca_721309
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:2.2114.v2654ca_721309
pipeline-model-extensions:2.2114.v2654ca_721309
pipeline-rest-api:2.24
pipeline-stage-step:293.v200037eefcd5
pipeline-stage-tags-metadata:2.2114.v2654ca_721309
pipeline-stage-view:2.24
pipeline-utility-steps:2.13.0
plain-credentials:139.ved2b_9cf7587b
plugin-usage-plugin:3.0
plugin-util-api:2.17.0
popper-api:1.16.1-3
popper2-api:2.11.5-2
powershell:1.7
publish-over:0.22
publish-over-ssh:1.24
pubsub-light:1.16
qc:1.2.1
rapid7-insightvm-container-assessment:1.0.21
release:2.14
repository-connector:2.2.0
resource-disposer:0.19
role-strategy:561.v9846c7351a_41
run-condition:1.5
sauce-ondemand:1.207
scm-api:621.vda_a_b_055e58f7
script-security:1175.v4b_d517d6db_f0
slack:616.v03b_1e98d13dd
snakeyaml-api:1.30.2-76.vc104f7ce9870
sonar:2.14
sse-gateway:1.25
ssh-agent:295.v9ca_a_1c7cc3a_a_
ssh-credentials:295.vced876c18eb_4
ssh-slaves:1.834.v622da_57f702c
sshd:3.242.va_db_9da_b_26a_c3
stash-pullrequest-builder:1.17
stashNotifier:1.28
structs:324.va_f5d6774f3a_d
subversion:2.16.0
test-results-analyzer:0.3.5
timestamper:1.18
token-macro:308.v4f2b_ed62b_b_16
trilead-api:1.67.vc3938a_35172f
uno-choice:2.6.3
urltrigger:1.02
variant:59.vf075fe829ccb
versioncolumn:2.2
windows-slaves:1.8.1
workflow-aggregator:590.v6a_d052e5a_a_b_5
workflow-api:1192.v2d0deb_19d212
workflow-basic-steps:991.v43d80fea_ff66
workflow-cps:2759.v87459c4eea_ca_
workflow-cps-global-lib:588.v576c103a_ff86
workflow-durable-task-step:1199.v02b_9244f8064
workflow-job:1207.ve6191ff089f8
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:838.va_3a_087b_4055b
ws-cleanup:0.42
xtrigger-api:0.4
zentimestamp:4.2

Show
Jenkins: 2.346.3 OS: Linux - 4.14.35-2047.516.2.1.el7uek.x86_64 --- Office-365-Connector:4.17.0 Parameterized-Remote-Trigger:3.1.6.3 StashBranchParameter:0.3.0 ace-editor:1.1 active-directory:2.25.1 ant:475.vf34069fef73c antisamy-markup-formatter:2.7 apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61 artifactdeployer:1.2 authentication-tokens:1.4 autonomiq:1.21 backup:1.6.1 basic-branch-build-strategies:1.3.2 blueocean:1.25.6 blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.25.6 blueocean-commons:1.25.6 blueocean-config:1.25.6 blueocean-core-js:1.25.6 blueocean-dashboard:1.25.6 blueocean-display-url:2.4.1 blueocean-events:1.25.6 blueocean-executor-info:1.25.6 blueocean-git-pipeline:1.25.6 blueocean-github-pipeline:1.25.6 blueocean-i18n:1.25.6 blueocean-jira:1.25.6 blueocean-jwt:1.25.6 blueocean-personalization:1.25.6 blueocean-pipeline-api-impl:1.25.6 blueocean-pipeline-editor:1.25.6 blueocean-pipeline-scm-api:1.25.6 blueocean-rest:1.25.6 blueocean-rest-impl:1.25.6 blueocean-web:1.25.6 bootstrap4-api:4.6.0-5 bootstrap5-api:5.2.0-1 bouncycastle-api:2.26 branch-api:2.1046.v0ca_37783ecc5 browserstack-integration:1.2.5 build-pipeline-plugin:1.5.8 build-timeout:1.21 caffeine-api:2.9.3-65.v6a_47d0f4d1fe checks-api:1.7.5 cloudbees-bitbucket-branch-source:785.ve724eb_44e286 cloudbees-credentials:3.3 cloudbees-folder:6.740.ve4f4ffa_dea_54 command-launcher:84.v4a_97f2027398 conditional-buildstep:1.4.2 config-file-provider:3.11.1 configurationslicing:430.v966357576543 copyartifact:1.47 credentials:1139.veb_9579fca_33b_ credentials-binding:523.vd859a_4b_122e6 crx-content-package-deployer:1.9 cucumber-reports:5.7.3 delivery-pipeline-plugin:1.4.2 display-url-api:2.3.6 docker-commons:1.19 docker-workflow:521.v1a_a_dd2073b_2e dropdown-viewstabbar-plugin:1.7 durable-task:500.v8927d9fd99d8 dynamic_extended_choice_parameter:1.0.1 echarts-api:5.3.3-1 email-ext:2.91 envfile:1.2 envinject:2.875.v9b_9e962da_a_ec envinject-api:1.199.v3ce31253ed13 extended-choice-parameter:346.vd87693c5a_86c extended-read-permission:3.2 extensible-choice-parameter:1.8.0 external-monitor-job:192.ve979ca_8b_3ccd favorite:2.4.1 flaky-test-handler:1.2.2 font-awesome-api:6.1.2-1 git:4.11.4 git-client:3.11.2 git-parameter:0.9.17 git-server:1.11 github:1.34.5 github-api:1.303-400.v35c2d8258028 github-branch-source:1677.v731f745ea_0cf github-organization-folder:1.6 gradle:1.39.4 h2-api:1.4.199 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 hidden-parameter:0.0.5 hp-application-automation-tools-plugin:7.2 hp-quality-center:1.6 htmlpublisher:1.30 http_request:1.15 icon-shim:3.0.0 jackson2-api:2.13.3-285.vc03c0256d517 jakarta-activation-api:2.0.1-1 jakarta-mail-api:2.0.1-1 javadoc:226.v71211feb_e7e9 javax-activation-api:1.2.0-4 javax-mail-api:1.6.2-7 jaxb:2.3.6-1 jdk-tool:55.v1b_32b_6ca_f9ca jenkins-design-language:1.25.6 jersey2-api:2.36-2 jira:3.7.1 jjwt-api:0.11.5-77.v646c772fddb_0 jnr-posix-api:3.1.15-1 jobConfigHistory:1165.v8cc9fd1f4597 jquery:1.12.4-1 jquery-detached:1.2.1 jquery-ui:1.0.2 jquery3-api:3.6.0-4 jsch:0.1.55.61.va_e9ee26616e7 junit:1119.1121.vc43d0fc45561 ldap:2.12 list-git-branches-parameter:0.0.11 lockable-resources:2.16 mailer:435.v79ef3972b_5c7 mapdb-api:1.0.9-28.vf251ce40855d mask-passwords:3.3 matrix-auth:2.6.11 matrix-project:772.v494f19991984 maven-artifact-choicelistprovider:1.11.0 maven-plugin:3.19 mercurial:2.16.2 metrics:4.2.10-389.v93143621b_050 mina-sshd-api-common:2.8.0-36.v8e25ce90d4b_1 mina-sshd-api-core:2.8.0-36.v8e25ce90d4b_1 momentjs:1.1.1 multiple-scms:0.8 nexus-artifact-uploader:2.13 nexus-jenkins-plugin:3.14.431.v37ca_dc788b_b_1 nodelabelparameter:1.11.0 octopusdeploy:3.1.8 okhttp-api:4.9.3-108.v0feda04578cf pam-auth:1.10 parameterized-trigger:2.45 performance:3.20 pipeline-build-step:2.18 pipeline-github-lib:38.v445716ea_edda_ pipeline-graph-analysis:195.v5812d95a_a_2f9 pipeline-groovy-lib:612.v84da_9c54906d pipeline-input-step:449.v77f0e8b_845c4 pipeline-maven:1161.v89a_7dcec5d31 pipeline-milestone-step:101.vd572fef9d926 pipeline-model-api:2.2114.v2654ca_721309 pipeline-model-declarative-agent:1.1.1 pipeline-model-definition:2.2114.v2654ca_721309 pipeline-model-extensions:2.2114.v2654ca_721309 pipeline-rest-api:2.24 pipeline-stage-step:293.v200037eefcd5 pipeline-stage-tags-metadata:2.2114.v2654ca_721309 pipeline-stage-view:2.24 pipeline-utility-steps:2.13.0 plain-credentials:139.ved2b_9cf7587b plugin-usage-plugin:3.0 plugin-util-api:2.17.0 popper-api:1.16.1-3 popper2-api:2.11.5-2 powershell:1.7 publish-over:0.22 publish-over-ssh:1.24 pubsub-light:1.16 qc:1.2.1 rapid7-insightvm-container-assessment:1.0.21 release:2.14 repository-connector:2.2.0 resource-disposer:0.19 role-strategy:561.v9846c7351a_41 run-condition:1.5 sauce-ondemand:1.207 scm-api:621.vda_a_b_055e58f7 script-security:1175.v4b_d517d6db_f0 slack:616.v03b_1e98d13dd snakeyaml-api:1.30.2-76.vc104f7ce9870 sonar:2.14 sse-gateway:1.25 ssh-agent:295.v9ca_a_1c7cc3a_a_ ssh-credentials:295.vced876c18eb_4 ssh-slaves:1.834.v622da_57f702c sshd:3.242.va_db_9da_b_26a_c3 stash-pullrequest-builder:1.17 stashNotifier:1.28 structs:324.va_f5d6774f3a_d subversion:2.16.0 test-results-analyzer:0.3.5 timestamper:1.18 token-macro:308.v4f2b_ed62b_b_16 trilead-api:1.67.vc3938a_35172f uno-choice:2.6.3 urltrigger:1.02 variant:59.vf075fe829ccb versioncolumn:2.2 windows-slaves:1.8.1 workflow-aggregator:590.v6a_d052e5a_a_b_5 workflow-api:1192.v2d0deb_19d212 workflow-basic-steps:991.v43d80fea_ff66 workflow-cps:2759.v87459c4eea_ca_ workflow-cps-global-lib:588.v576c103a_ff86 workflow-durable-task-step:1199.v02b_9244f8064 workflow-job:1207.ve6191ff089f8 workflow-multibranch:716.vc692a_e52371b_ workflow-scm-step:400.v6b_89a_1317c9a_ workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:838.va_3a_087b_4055b ws-cleanup:0.42 xtrigger-api:0.4 zentimestamp:4.2

Similar Issues:
Powered by SuggestiMate

Show
Epic Link:
log4j CVE-2021-44228 and CVE-2021-45046
Released As:
3.1.9

Our enterprise security scanning solution has flagged the Octopus Deploy plugin is using a Log4j version which has critical vulnerability CVE-2021-45046. Log4j needs to be updated to at least v2.16.0. Current version of the plugin, v3.1.8, is using v2.15.0.

See JENKINS-67353

Jonathan Whitby created issue - 2022-08-30 11:55

Jonathan Whitby made changes - 2022-08-30 11:56

Link

New: This issue relates to SECURITY-2862 [ SECURITY-2862 ]

Octopus Deploy made changes - 2022-08-31 10:40

Assignee

Original: Brian Adriance [ badriance ]

New: Octopus Deploy [ octopusdeploy ]

Octopus Deploy made changes - 2022-08-31 10:46

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

Octopus Deploy made changes - 2022-08-31 10:46

Status

Original: In Progress [ 3 ]

New: In Review [ 10005 ]

Octopus Deploy made changes - 2022-08-31 11:33

Released As		New: 3.1.9
Resolution		New: Fixed [ 1 ]
Status	Original: In Review [ 10005 ]	New: Resolved [ 5 ]

Assignee:: Octopus Deploy

Reporter:: Jonathan Whitby

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2022-08-30 11:55

Updated:: 2022-08-31 11:33

Resolved:: 2022-08-31 11:33

Jenkins

Details

Description

Attachments

Activity

People

Dates