Upgrade Available?


eric....@gmail.com

Jan 27, 2026, 3:47:09 PM
to rundeck-discuss
Hi All,

Is there an upgrade available yet for the following vulnerability in the rundeck log4j library?

Plugin Name: Apache Log4j 2.0-beta9 < 2.25.3 MitM

Plugin ID: 282519

Plugin Output:
  Path              : /var/lib/rundeck/bootstrap/rundeck-5.12.0-20250512.war
  Installed version : 2.17.2
  Fixed version     : 2.25.3

I'm running rundeck 5.12.0.

Thanks,
Eric

rac...@rundeck.com

Jan 30, 2026, 10:19:03 AM
to rundeck-discuss
Hi Eric,

The engineering team is aware of that CVE, thanks for your feedback! Stay tuned for the next releases.

Regards!

eric....@gmail.com

Feb 9, 2026, 9:29:41 AM
to rundeck-discuss
Was this fix contained in the 5.19.0 release?  I don't see it in the release notes.  Thanks!

eric....@gmail.com

Feb 13, 2026, 12:01:50 PM
to rundeck-discuss
Does anyone know the answer to this question?

eric....@gmail.com

Feb 13, 2026, 12:10:08 PM
to rundeck-discuss
To answer my own question, it is not upgraded in 5.19:

$ jar tvf rundeck-5.19.0-20260202.war | grep log4j
 24248 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
1811089 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-core-2.17.2.jar
 30948 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-jul-2.17.2.jar
302511 Mon May 12 16:40:34 CDT 2025 WEB-INF/lib/log4j-api-2.17.2.jar
 13046 Mon Feb 02 21:21:52 CST 2026 templates/config/log4j2.properties.template

Does anyone have an idea when this will be in the release?

Thanks,
Eric
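
Added example, not part of the thread and not Rundeck's own code: a Python version of the `jar tvf ... | grep log4j` check above that also compares each bundled log4j jar against the fixed version 2.25.3 quoted in the scanner output. The function names and the in-memory sample WAR are assumptions constructed for illustration.

```python
import io
import re
import zipfile

FIXED = (2, 25, 3)  # "Fixed version" from the scanner output quoted in this thread

# Matches bundled jars such as WEB-INF/lib/log4j-core-2.17.2.jar
JAR_RE = re.compile(
    r"WEB-INF/lib/(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)*)([-.][A-Za-z0-9.]+)?\.jar$")


def parse_version(text):
    """Turn '2.17.2' into (2, 17, 2), padded to three fields."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def bundled_log4j(war):
    """Return sorted [(artifact, version, below_fixed)] for log4j jars in a WAR.

    `war` is a path or file-like object; only the archive listing is read.
    """
    findings = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if not m:
                continue  # e.g. templates/config/log4j2.properties.template
            artifact, numeric, qualifier = m.group(1), m.group(2), m.group(3) or ""
            ver = parse_version(numeric)
            # A pre-release qualifier (e.g. -beta9) sorts before the plain release.
            below = ver < FIXED or (ver == FIXED and qualifier != "")
            findings.append((artifact, numeric + qualifier, below))
    return sorted(findings)


def make_sample_war(names):
    """Build a constructed in-memory WAR with empty entries (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed listing mirroring the entry names shown in the post above.
    sample = make_sample_war(["WEB-INF/lib/log4j-core-2.17.2.jar",
                              "WEB-INF/lib/log4j-api-2.17.2.jar",
                              "templates/config/log4j2.properties.template"])
    for artifact, version, below in bundled_log4j(sample):
        print(artifact, version, "BELOW FIXED" if below else "ok")
```

Pass a real WAR path to `bundled_log4j()` to check an installed release the same way.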
