On Tue, Dec 14, 2021 at 1:15 PM Mohammad Jameel Uddin < [email protected]> wrote:
> Yes, they (my organization) requested an update to autonomiq plugin, but it
> is not on the list of affected plugins.
>
> https://issues.jenkins.io/browse/JENKINS-67353?jql=labels%20%3D%20CVE-2021-44228
>
> Do I need to change the log4j version or not?

log4j 1.x does *not* have the CVE-2021-44228 vulnerability. There are other problems, specifically CVE-2019-17571 (if you haven't cared before last week there's no reason to care now), as well as – AFAIUI – a potential issue using the custom JMS appender only on old versions (2018 and older) of the Java runtime, if you let untrusted folks configure your logging system. Neither is even close to being as big of a problem as CVE-2021-44228.

Whether *you* need to still update from 1.x to 2.5.0, we cannot answer. If your org wants you to update, you're probably going to have to. But I don't think anything substantial changed over the last week for log4j 1.x, which is why your plugin isn't listed in the Jenkins issue.
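Added example (not part of the thread above, and not Jenkins project code): a small inventory script that tells the two log4j lines apart the way the reply does. It reads the Maven pom.properties inside each jar under a directory (for a Jenkins plugin, the exploded WEB-INF/lib), flags log4j-core 2.x below 2.15.0 (the first release without CVE-2021-44228) and reports log4j 1.x as out of scope for that CVE while pointing at CVE-2019-17571; the sample jars it builds are constructed, not real artifacts.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Maven coordinates whose pom.properties identify the two log4j lines.
LOG4J1 = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J2_CORE = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_44228 = (2, 15, 0)  # first log4j 2.x release without CVE-2021-44228

def parse_version(v):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0) (qualifier dropped)."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())

def read_version(jar, entry):
    """Return the version= value from a pom.properties entry inside the jar."""
    with jar.open(entry) as fh:
        for line in io.TextIOWrapper(fh, encoding="utf-8"):
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def classify_jar(path):
    """Return (line, version, verdict) for a log4j jar, or None otherwise."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if LOG4J2_CORE in names:
            v = read_version(jar, LOG4J2_CORE)
            if parse_version(v) < FIXED_44228:
                return ("log4j2", v, "CVE-2021-44228: upgrade log4j-core")
            return ("log4j2", v, "not affected by CVE-2021-44228")
        if LOG4J1 in names:
            v = read_version(jar, LOG4J1)
            return ("log4j1", v, "not affected by CVE-2021-44228 (see CVE-2019-17571)")
    return None

def scan(root):
    """Map each log4j jar name under root to its verdict."""
    results = {}
    for p in Path(root).rglob("*.jar"):
        verdict = classify_jar(p)
        if verdict:
            results[p.name] = verdict
    return results

def make_jar(directory, name, entry, version):
    """Constructed sample jar: only the pom.properties entry matters here."""
    path = Path(directory) / name
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(entry, f"version={version}\ngroupId=x\nartifactId=y\n")
    return path

def demo():
    """Build three constructed jars in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        make_jar(d, "log4j-1.2.17.jar", LOG4J1, "1.2.17")
        make_jar(d, "log4j-core-2.14.1.jar", LOG4J2_CORE, "2.14.1")
        make_jar(d, "log4j-core-2.17.0.jar", LOG4J2_CORE, "2.17.0")
        return scan(d)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```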
