Upgrade Available?

[eric....@gmail.com]

Hi All,

Is there an upgrade available yet for the following vulnerability in the rundeck log4j library?

Plugin Name: Apache Log4j 2.0-beta9 < 2.25.3 MitM

Plugin ID: 282519

Plugin Output:
  Path              : /var/lib/rundeck/bootstrap/rundeck-5.12.0-20250512.war
  Installed version : 2.17.2
  Fixed version     : 2.25.3

I'm running rundeck 5.12.0.

Thanks,

Eric

[rac...@rundeck.com]

Hi Eric,

The engineering team is aware of that CVE, thanks for your feedback! Stay tuned to next releases.

Regards!

[eric....@gmail.com]

Was this fix contained in the 5.19.0 release?  I don't see it in the release notes.  Thanks!

[eric....@gmail.com]

Does anyone know the answer to this question?

[eric....@gmail.com]

To answer my own question, it is not upgraded in 5.19:

$ jar tvf rundeck-5.19.0-20260202.war | grep log4j
 24248 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
1811089 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-core-2.17.2.jar
 30948 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-jul-2.17.2.jar
302511 Mon May 12 16:40:34 CDT 2025 WEB-INF/lib/log4j-api-2.17.2.jar
 13046 Mon Feb 02 21:21:52 CST 2026 templates/config/log4j2.properties.template

Does anyone have an idea when this will be in the release?

Thanks,

Eric

On Monday, February 9, 2026 at 7:29:41 AM UTC-7 eric....@gmail.com wrote: