Affected code wrt log4j component vulnerability CVE-2021-44228 exists in log4j core libraries: log4j-core-*.jar.
I am not sure why your org wanted you to update/remove log4j-over-slf4j-1.7.31.

Thanks
M.Madhu

On Tue, Dec 14, 2021 at 7:26 AM 'Daniel Beck' via Jenkins Developers <[email protected]> wrote:

> On Tue, Dec 14, 2021 at 1:15 PM Mohammad Jameel Uddin <[email protected]> wrote:
>
>> Yes, they (my organization) requested an update to autonomiq plugin, but
>> it is not on the list of affected plugins.
>>
>> https://issues.jenkins.io/browse/JENKINS-67353?jql=labels%20%3D%20CVE-2021-44228
>>
>> Do I need to change the log4j version or not?
>
> log4j 1.x does *not* have the CVE-2021-44228 vulnerability. There are
> other problems, specifically CVE-2019-17571 (if you haven't cared before
> last week there's no reason to care now), as well as – AFAIUI – a potential
> issue using the custom JMS appender only on old versions (2018 and older)
> of the Java runtime, if you let untrusted folks configure your logging
> system. Neither is even close to being as big of a problem as
> CVE-2021-44228.
>
> Whether *you* need to still update from 1.x to 2.5.0, we cannot answer.
> If your org wants you to update, you're probably going to have to. But I
> don't think anything substantial changed over the last week for log4j 1.x,
> which is why your plugin isn't listed in the Jenkins issue.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJU3k2RgqjOBnKn5tCuT9NJ9CW85%3D3_kNf8oSDGvhMRwA%40mail.gmail.com.
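Added example, not part of the original thread and not Jenkins project code: a small Python check that tells apart the three kinds of jar discussed above (log4j-core 2.x, log4j 1.x, and a 1.x API bridge such as log4j-over-slf4j) by the class files inside a plugin archive. The marker class paths, labels, function names and the sample archive are assumptions of this example; the sample is constructed in memory with empty class files.

```python
import io
import zipfile

# Marker classes: assumptions of this example, taken from the public jar layouts.
CORE_2X = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x
V1_NET = ("org/apache/log4j/net/SocketServer.class",   # class behind CVE-2019-17571
          "org/apache/log4j/net/JMSAppender.class")    # the JMS appender
V1_API = "org/apache/log4j/"                           # package a 1.x bridge re-implements
ARCHIVES = (".jar", ".war", ".ear", ".hpi", ".jpi")    # .hpi/.jpi are Jenkins plugins
MAX_NESTED = 64 * 1024 * 1024                          # skip oversized nested entries

def classify(names):
    """Label one archive by the class files it contains, or return None."""
    names = set(names)
    if CORE_2X in names:
        return "log4j-core-2.x: component named in CVE-2021-44228, check its version"
    if any(n in names for n in V1_NET):
        return "log4j-1.x: not CVE-2021-44228, see CVE-2019-17571 / JMS appender"
    if any(n.startswith(V1_API) and n.endswith(".class") for n in names):
        return "log4j-1.x-api-only: no net appenders, e.g. a log4j-over-slf4j bridge"
    return None

def scan(data, path, depth=0):
    """Return [(path, label)] for archive bytes, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive (or corrupt): nothing to report
    with zf:
        found = [(path, label)] if (label := classify(zf.namelist())) else []
        for info in zf.infolist():
            nested = info.filename.lower().endswith(ARCHIVES)
            if nested and depth < 4 and info.file_size <= MAX_NESTED:
                found += scan(zf.read(info), f"{path}!/{info.filename}", depth + 1)
    return found

def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def sample_plugin():
    """Constructed .hpi bundling three jars (empty class files, names only)."""
    return make_zip({
        "WEB-INF/lib/log4j-over-slf4j-1.7.31.jar": make_zip({V1_API + "Logger.class": b""}),
        "WEB-INF/lib/log4j-1.x.jar": make_zip({V1_NET[0]: b"", V1_API + "Logger.class": b""}),
        "WEB-INF/lib/log4j-core-2.x.jar": make_zip({CORE_2X: b""}),
    })
```

To check a real plugin, pass its bytes and name to `scan`, for example `scan(open(p, "rb").read(), p)`. A `log4j-core-2.x` hit only locates the component; whether that copy is affected depends on its version.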
