Log4j CVE-2021-44228


eric....@gmail.com

Dec 16, 2021, 1:15:25 PM12/16/21
to Jenkins Users
Hi all. Getting popped by our security team for an old version of log4j. I've checked and we don't have any of the plugins installed identified by the following issue:


Here's the info from the scan:

Plugin Output:
  Path              : /opt/jenkins/.m2/repository/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.pom.sha1
  Installed version : 2.14.1
  Fixed version     : 2.15.0

Anyone have a clue on how I go about upgrading this?

Thanks,
Eric

eric....@gmail.com

Dec 16, 2021, 1:44:35 PM12/16/21
to Jenkins Users
Hmmm, found this page:


So I ran the script in the script console and got the message indicating that log4j is not included in any installed and enabled plugin. Anyone have a clue?

Thanks,
Eric

Baptiste Mathus

Dec 16, 2021, 1:59:21 PM12/16/21
to jenkins...@googlegroups.com
That's unrelated to Jenkins per se. This directory is the maven cache, also called 'local repository'.

My theory is that you have one or more jobs that use Maven with default values. I suspect you even run these on the controller itself...

One or more of your jobs builds software of yours that depends on a vulnerable version of log4j.





John Patrick

Dec 16, 2021, 3:12:28 PM12/16/21
to jenkins...@googlegroups.com
I would exclude /opt/jenkins/.m2/repository from any scans; as already mentioned, that is the local Maven cache.
Also, if you don't maintain that, it will grow and grow.
Personally I update build jobs so they each have their own Maven cache using -Dmaven.repo.local=mvn-repo, then delete that after the job completes. You might need to tweak some of your process if jobs depend upon one job installing and another job consuming. But the problem with that is if you do builds per branch, they could conflict if using the same version number.

Or, delete /opt/jenkins/.m2/repository/org/apache/logging/log4j/ and rebuild all your projects, as Maven will download it again if it still needs it. If a pre-2.15.0/2.16.0 version appears, then it means one of your jobs still has an older version as a dependency.
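The "delete the tree, rebuild, and see what comes back" check above can be automated. The script below is an added example, not something posted in this thread: it walks a Maven local repository in the standard layout (`<repo>/org/apache/logging/log4j/log4j-core/<version>/`), lists every log4j-core version directory, and flags the ones older than a fix version you pass in (2.16.0 here, matching the thread's threshold). The sample repository it builds under a temporary directory is constructed for the demonstration; the version comparison relies on `sort -V`, which GNU and BSD sort both provide.

```shell
#!/bin/sh
# Added example (not from the thread): find log4j-core artifacts in a Maven
# local repository and flag any version older than a given fix version.
# Assumes Maven's standard layout: <repo>/org/apache/logging/log4j/log4j-core/<version>/

# Print every log4j-core version directory found under repository $1, sorted.
log4j_versions() {
  repo="$1"
  find "$repo/org/apache/logging/log4j/log4j-core" -mindepth 1 -maxdepth 1 -type d 2>/dev/null \
    | sed 's#.*/##' | sort -V
}

# Return 0 if version $1 is strictly older than $2 (still vulnerable), 1 otherwise.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# List versions below fix version $2 found in repository $1, one per line.
vulnerable_log4j() {
  repo="$1"; fixed="$2"
  log4j_versions "$repo" | while read -r v; do
    if version_lt "$v" "$fixed"; then echo "$v"; fi
  done
}

# Constructed sample repository so the example runs offline: two old and two fixed versions.
make_sample_repo() {
  d=$(mktemp -d)
  for v in 2.11.2 2.14.1 2.16.0 2.17.1; do
    mkdir -p "$d/org/apache/logging/log4j/log4j-core/$v"
    : > "$d/org/apache/logging/log4j/log4j-core/$v/log4j-core-$v.pom.sha1"
  done
  echo "$d"
}

SAMPLE=$(make_sample_repo)
echo "log4j-core versions below 2.16.0 in $SAMPLE:"
vulnerable_log4j "$SAMPLE" 2.16.0
```

Point it at the real cache (`vulnerable_log4j /opt/jenkins/.m2/repository 2.16.0`) after wiping the log4j tree and rebuilding; any version it prints was re-downloaded by a job that still declares an old log4j-core dependency, which is the job to fix rather than the cache.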



eric....@gmail.com

Dec 16, 2021, 5:01:05 PM12/16/21
to Jenkins Users
Thanks a ton, great cud to chew on! Now I think I know the culprit, and it's been deprecated. Guessing I can just delete that log4j directory and be done with it.

Baptiste Mathus

Dec 17, 2021, 6:12:50 AM12/17/21
to jenkins...@googlegroups.com
Yeah you can definitely wipe out this whole tree.

I wrote an eternity ago about this:


Some of it is a bit old, but the principles remain true today: you _should_ even do it on a regular basis, ideally before and after each job (the modern way to do this kind of thing automatically is to use things like containers, which by definition start fresh [unless some shared Maven repository is mounted; don't do this]).

Cheers

eric....@gmail.com

Dec 17, 2021, 11:18:16 AM12/17/21
to Jenkins Users
Thanks, deleted it for short term solution and looking into the "Even Better" solution at your link.  Much appreciated!

eric....@gmail.com

Dec 17, 2021, 2:14:44 PM12/17/21
to Jenkins Users
OK, so this isn't going so hot. There is no .m2/settings.xml file. There is a settings.xml for each of the Maven versions under ~/tools/hudson.tasks.Maven_MavenInstallation/Maven-X.X/conf. This has the "localRepository" node, but it's commented out. Should I set the value "/var/lib/jenkins/.m2/repositories/${env.JOB_NAME}/repository" in there for each version? The alternative would be to create a settings.xml file in the .m2 directory. Sounds like it goes to that one first regardless of version... The concept seems simplest. Cron job, or just clear the repo at the end of the build?

Thanks,
Eric
