Re: how to change log4j-over-slf4j-1.7.31 to 2.15 version


Jean-Marc Meessen

Dec 14, 2021, 6:14:17 AM
to Jenkins Developers
Hello Mohammad,

Could you tell us if they requested an update to a particular plugin? Or is it more general?

Did you see the Log4j CVE-related blog post: https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/

/- Jmm

On Tue, 14 Dec 2021 at 10:53, Mohammad Jameel Uddin <mohammad.j...@saucelabs.com> wrote:
Hi All,

In my organisation, they are asking me to change log4j 1.7.31 to the 2.15 version in a Jenkins plugin. Can someone tell me how to do it?




Thanks & Regards,
Md Jameel Uddin

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/1cd82741-f2b5-4464-b047-f73f1777e63en%40googlegroups.com.

Daniel Beck

Dec 14, 2021, 8:26:47 AM
to jenkin...@googlegroups.com


On Tue, Dec 14, 2021 at 1:15 PM Mohammad Jameel Uddin <mohammad.j...@saucelabs.com> wrote:
Yes, they(my organization) requested an update to autonomiq plugin, but it is not on the list of affected plugins.

Do I need to change the log4j version or not?

log4j 1.x does not have the CVE-2021-44228 vulnerability. There are other problems, specifically CVE-2019-17571 (if you haven't cared before last week there's no reason to care now), as well as – AFAIUI – a potential issue using the custom JMS appender only on old versions (2018 and older) of the Java runtime, if you let untrusted folks configure your logging system. Neither is even close to being as big of a problem as CVE-2021-44228.

Whether you need to still update from 1.x to 2.5.0, we cannot answer. If your org wants you to update, you're probably going to have to. But I don't think anything substantial changed over the last week for log4j 1.x, which is why your plugin isn't listed in the Jenkins issue.

M.Madhusudana Reddy

Dec 14, 2021, 10:37:48 AM
to jenkin...@googlegroups.com
Affected code wrt the log4j component vulnerability CVE-2021-44228 exists in the log4j core libraries: log4j-core-*.jar.

I am not sure why your org wanted you to update/remove log4j-over-slf4j-1.7.31.

Thanks

M.Madhu
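The two replies above come down to one check a practitioner can run against a plugin archive: which jars under WEB-INF/lib are actually log4j-core, and which are something else that merely has "log4j" in the name (log4j-over-slf4j is an SLF4J bridge that re-implements the log4j 1.x API; it contains no log4j-core code, and the 1.7.31 in its file name is the SLF4J version). The following scanner is an added example and is not code from this thread or from the Jenkins project. It opens an .hpi/.jpi as a zip, opens each bundled jar, looks for the JndiLookup class that CVE-2021-44228 goes through, and reports log4j-core below 2.15.0 (the first fixed release; the threshold constant is the example's own choice, and later advisories moved the floor higher). The sample plugin archive it scans is constructed inline, not a real plugin.

```python
import io
import re
import zipfile

# The JNDI lookup class that CVE-2021-44228 exploits ships only in log4j-core,
# not in log4j-api, log4j-1.2-api, log4j 1.x, or the log4j-over-slf4j bridge.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# First log4j-core release that fixed CVE-2021-44228. Treat it as a floor, not a
# target: 2.16.0 and 2.17.0 followed for CVE-2021-45046 and CVE-2021-45105.
CVE_2021_44228_FIXED = (2, 15, 0)

# artifact-<dotted version>[-qualifier].jar, e.g. log4j-over-slf4j-1.7.31.jar
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)+)(?:[-.].*)?\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1), so versions compare as tuples."""
    return tuple(int(p) for p in text.split("."))


def classify_jar(path, jar_bytes):
    """Describe one jar bundled in a plugin: artifact, version, whether
    JndiLookup.class is present, and whether that means CVE-2021-44228 exposure."""
    base = path.rsplit("/", 1)[-1]
    m = JAR_RE.match(base)
    artifact = m.group("artifact") if m else base
    version = m.group("version") if m else None

    has_jndi_lookup = False
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            has_jndi_lookup = JNDI_LOOKUP_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        pass  # not a zip at all; nothing to inspect

    if artifact == "log4j-core":
        # Only log4j-core carries the vulnerable lookup; the version decides.
        vulnerable = has_jndi_lookup and (
            version is None or parse_version(version) < CVE_2021_44228_FIXED
        )
        note = "log4j-core: CVE-2021-44228 lives here"
    elif artifact == "log4j" and version and parse_version(version) < (2,):
        vulnerable = False
        note = "log4j 1.x: not affected by CVE-2021-44228 (separate issues such as CVE-2019-17571 apply)"
    elif artifact == "log4j-over-slf4j":
        vulnerable = has_jndi_lookup  # never expected: SLF4J bridge, not log4j-core
        note = "SLF4J bridge for the log4j 1.x API; contains no log4j-core code"
    else:
        vulnerable = has_jndi_lookup  # shaded copies of log4j-core show up this way
        note = "other: flagged only if JndiLookup.class is present"

    return {"path": path, "artifact": artifact, "version": version,
            "has_jndi_lookup": has_jndi_lookup, "vulnerable": vulnerable, "note": note}


def scan_plugin(hpi_bytes):
    """Walk WEB-INF/lib/*.jar inside an .hpi/.jpi and classify each jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as hpi:
        for name in hpi.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                findings.append(classify_jar(name, hpi.read(name)))
    return findings


def _make_jar(entries):
    """Constructed helper: build a minimal jar (zip) containing the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in entries:
            z.writestr(entry, b"")
    return buf.getvalue()


def build_sample_plugin():
    """Constructed sample .hpi (not a real plugin): one SLF4J bridge jar and one
    pre-fix log4j-core jar, so the scanner has both cases to distinguish."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as hpi:
        hpi.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        hpi.writestr("WEB-INF/lib/log4j-over-slf4j-1.7.31.jar",
                     _make_jar(["org/apache/log4j/Logger.class"]))
        hpi.writestr("WEB-INF/lib/log4j-core-2.14.1.jar",
                     _make_jar([JNDI_LOOKUP_CLASS]))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_plugin(build_sample_plugin()):
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['path']} ({f['note']})")
```

To use it on a real plugin, replace build_sample_plugin() with the bytes of the .hpi file; the class-presence check is what catches a shaded or renamed copy of log4j-core that a file-name match would miss, while the version comparison is what separates a patched log4j-core from an unpatched one.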

