jenkinsci / xray-connector-plugin

Xray Test Management Connector for Jenkins
https://plugins.jenkins.io/xray-connector/
MIT License

Log4J 2.17.1 #59

Closed steigr closed 2 years ago

steigr commented 2 years ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.328
OS: Linux - 4.18.0-240.22.1.el8_3.x86_64
---
...
xray-connector:2.5.3
...
```

What Operating System are you using (both controller, and any agents involved in the problem)?

RHEL 8

Reproduction steps

  1. Install X-Ray-Connector Plugin (Version: 2.5.3 aka latest)
  2. Verify Log4j is up to date:
    $ cd $JENKINS_HOME
    $ find | grep log4j-core
    ./plugins/xray-connector/WEB-INF/lib/log4j-core-2.17.0.jar

Expected Results

Log4J is provided in Version 2.17.1 (which addresses CVE-2021-44832, see https://logging.apache.org/log4j/2.x/security.html)

Actual Results

Log4J is provided in Version 2.17.0 which is vulnerable to CVE-2021-44832

Anything else?

It is basically the same as in https://github.com/jenkinsci/xray-connector-plugin/issues/57 and https://github.com/jenkinsci/xray-connector-plugin/issues/53
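A scripted form of the check in the reproduction steps, added here as an example and not part of the plugin or the report: it walks a Jenkins home for bundled `log4j-core-*.jar` files and flags any whose version is below a required minimum. The `version_lt`, `check_log4j` and `make_sample` names are mine, and the sample directory tree is constructed inline to mirror the path shown in the report.

```shell
#!/bin/sh
# Added example (not plugin code): find bundled log4j-core jars under a
# Jenkins home and report any below a minimum version.
# Assumes jars follow the log4j-core-<version>.jar naming seen in the report.
# Usage: check_log4j "$JENKINS_HOME" 2.17.1

# version_lt A B: succeeds when dotted version A is strictly lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# check_log4j HOME MIN: prints one line per jar; returns 1 if any jar is
# older than MIN, 0 otherwise.
check_log4j() {
    home=$1
    min=$2
    status=0
    old_ifs=$IFS
    IFS='
'
    # Split only on newlines so paths containing spaces survive.
    for jar in $(find "$home" -name 'log4j-core-*.jar' | sort); do
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        if version_lt "$ver" "$min"; then
            printf 'OUTDATED %s (%s < %s)\n' "$jar" "$ver" "$min"
            status=1
        else
            printf 'OK       %s (%s)\n' "$jar" "$ver"
        fi
    done
    IFS=$old_ifs
    return $status
}

# Constructed sample tree (not a real Jenkins home) mirroring the layout in
# the report: one plugin with the reported 2.17.0 jar, one already on 2.17.1.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/plugins/xray-connector/WEB-INF/lib" "$dir/plugins/other/WEB-INF/lib"
    : > "$dir/plugins/xray-connector/WEB-INF/lib/log4j-core-2.17.0.jar"
    : > "$dir/plugins/other/WEB-INF/lib/log4j-core-2.17.1.jar"
    printf '%s' "$dir"
}
```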

milror00 commented 2 years ago

We have removed the plugin because of the advertised security vulnerability. Can someone provide a timeline for when this will be fixed?

Russell616 commented 2 years ago

Hi everyone!

Sorry for not getting back to you sooner.

I have been busy with other tasks, but I will try to fix this issue and release the plugin in a week or two.

Russell616 commented 2 years ago

Hi everyone!

I just wanted to let you know that we just released Xray-connector 2.6.0, in which this issue is fixed.