jenkinsci / xray-connector-plugin

Xray Test Management Connector for Jenkins
https://plugins.jenkins.io/xray-connector/
MIT License

log4j dependency has critical vulnerability CVE-2021-44228 #53

Closed daniel-beck closed 2 years ago

daniel-beck commented 2 years ago

See https://issues.jenkins.io/browse/JENKINS-67353

cniweb commented 2 years ago

@daniel-beck until when can we expect a fix?

I think this is the dependency:

[ERROR]     * [CVE-2021-44228] Remote Code Execution (9.0); https://ossindex.sonatype.org/vulnerability/9e818913-69a3-41c8-9bcc-6293b378c53a?component-type=maven&component-name=org.apache.logging.log4j.log4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
[ERROR]   org.eclipse.jetty:jetty-http:jar:9.4.5.v20170502:test; https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-http@9.4.5.v20170502?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1

https://ossindex.sonatype.org/vulnerability/9e818913-69a3-41c8-9bcc-6293b378c53a?component-type=maven&component-name=org.apache.logging.log4j.log4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1

daniel-beck commented 2 years ago

until when can we expect a fix?

I'm not a maintainer, you're going to have to ask them.

maikheene commented 2 years ago

jfyi: I wrote a support ticket (SUPPORT-45549) for this issue. Maybe that speeds up the fix.

Russell616 commented 2 years ago

Hi everyone!

I'm one of the maintainers of this repository. We are aware of this issue and working on a fix. The pull request and the release will happen in the next few days, before the end of this week.

We will update this thread as soon as we have any updates.

Russell616 commented 2 years ago

Hi everyone,

We are ready to deploy the new version as soon as accounts.jenkins.io is back online, in order for us to reset our credentials. Around 2 months ago all passwords in the Jenkins ecosystem were revoked, something that I, unfortunately, didn't notice at the time.

According to this thread from some other developers with the same problem, the Jenkins security team is still investigating the impact of the log4j vulnerability.

Maybe @daniel-beck may have more information regarding when they expect to have the accounts.jenkins.io operational.

Meanwhile, in case you don't want to wait for the official release, you are free to manually download and install the release candidate (2.5.2) from the official Jenkins build.

I'm going to keep this thread open and up-to-date with the most recent information.

daniel-beck commented 2 years ago

@Russell616 I'll check with the infra team.

rhutchison commented 2 years ago

@Russell616 https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

Wadeck commented 2 years ago

As mentioned by @rhutchison: ⚠️ updating to 2.15 is not sufficient due to https://nvd.nist.gov/vuln/detail/CVE-2021-45046; it requires 2.16. This one is less important but will still be detected by scanners and alert all users.

Russell616 commented 2 years ago

I will update the log4j dependency again; I will let you all know when the new release candidate is available to be downloaded.

Russell616 commented 2 years ago

You can download the latest build (2.5.2.1) using log4j 2.16.0 from the Jenkins build.

rhutchison commented 2 years ago

You can download the latest build (2.5.2.1) using log4j 2.16.0 from the Jenkins build.

Thank you for the support and quick remediation

Result: (file:/C:/Program%20Files%20(x86)/Jenkins/plugins/xray-connector/WEB-INF/lib/log4j-core-2.16.0.jar)
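An added check, not code from the plugin or from anyone in this thread, that a Jenkins administrator could run to confirm the remediation described above: it walks a plugins directory, reads the log4j-core jar version from exploded plugins and from not-yet-unpacked .jpi/.hpi archives, and flags anything below 2.16.0, the threshold given above since 2.15 does not address CVE-2021-45046. The directory layout and empty jar files built in run_demo are constructed for the demo; a real run would point audit_plugins_dir at $JENKINS_HOME/plugins.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Threshold from the thread: 2.15.0 closes CVE-2021-44228 only; CVE-2021-45046 needs 2.16.0.
MIN_SAFE = (2, 16, 0)
JAR_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(path):
    """Return (major, minor, patch) if path names a log4j-core jar, else None."""
    m = JAR_RE.search(path.replace("\\", "/"))
    return tuple(int(x) for x in m.groups()) if m else None


def audit_plugins_dir(plugins_dir):
    """Map each log4j-core jar to its version: exploded plugins (<name>/WEB-INF/lib/)
    and jars inside .jpi/.hpi archives Jenkins has not unpacked yet."""
    root, found = Path(plugins_dir), {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix in (".jpi", ".hpi") and zipfile.is_zipfile(p):
            with zipfile.ZipFile(p) as zf:  # look inside the packaged plugin
                for name in zf.namelist():
                    if v := parse_version(name):
                        found[f"{rel}!{name}"] = v
        elif v := parse_version(rel):
            found[rel] = v
    return found


def vulnerable(found):
    """Locations whose log4j-core version is below MIN_SAFE, sorted for stable output."""
    return sorted(loc for loc, v in found.items() if v < MIN_SAFE)


def run_demo():
    """Constructed plugins layout (hypothetical, empty jars) standing in for
    $JENKINS_HOME/plugins; returns (all findings, vulnerable locations)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for plugin, ver in (("xray-connector", "2.16.0"), ("other-plugin", "2.15.0")):
            lib = root / plugin / "WEB-INF" / "lib"
            lib.mkdir(parents=True)
            (lib / f"log4j-core-{ver}.jar").write_bytes(b"")
        with zipfile.ZipFile(root / "legacy.jpi", "w") as zf:  # packaged, not exploded
            zf.writestr("WEB-INF/lib/log4j-core-2.11.1.jar", b"")
        found = audit_plugins_dir(root)
        return found, vulnerable(found)
```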

trydydd commented 2 years ago

@Russell616 it looks like https://accounts.jenkins.io/ is once again available. Could we get an ETA for this release?

Thanks!

daniel-beck commented 2 years ago

(Looks like the error page gets cached so might need a reload. That's annoying. I poked infra folks about it for the future.)

Russell616 commented 2 years ago

Could we get an ETA for this release?

The ETA is now 😄

We just released version 2.5.2.1 to the Jenkins Maven repo.

For all of you who want to install the plugin manually, you can use the release git tag.

In a few hours, the new release will be available to download in the plugins page in your own Jenkins instances (there is a delay between the time of the release and the time when this version is available to download via the UI).

I will keep this issue open until we make sure that the plugin is displayed in the Jenkins index page.

trydydd commented 2 years ago

Already installed in our dev environment. Thank you!

daniel-beck commented 2 years ago

there is a delay between the time of the release and the time when this version is available to download via the UI

Usually less than 5 minutes, just remember to query for updates. plugins.jenkins.io is a lot slower.

joaocfernandes commented 2 years ago

Thanks @Russell616 !