Affected code wrt log4j component vulnerability CVE-2021-44228 exists in
log4j core libraries: log4j-core-*.jar.

I am not sure why your org wanted you to update/remove
log4j-over-slf4j-1.7.31.
Thanks
M.Madhu


On Tue, Dec 14, 2021 at 7:26 AM 'Daniel Beck' via Jenkins Developers <
[email protected]> wrote:

>
>
> On Tue, Dec 14, 2021 at 1:15 PM Mohammad Jameel Uddin <
> [email protected]> wrote:
>
>> Yes, they (my organization) requested an update to autonomiq plugin, but
>> it is not on the list of affected plugins.
>>
>> https://issues.jenkins.io/browse/JENKINS-67353?jql=labels%20%3D%20CVE-2021-44228
>>
>> Do I need to change the log4j version or not?
>>
>
> log4j 1.x does *not* have the CVE-2021-44228 vulnerability. There are
> other problems, specifically CVE-2019-17571 (if you haven't cared before
> last week there's no reason to care now), as well as – AFAIUI – a potential
> issue using the custom JMS appender only on old versions (2018 and older)
> of the Java runtime, if you let untrusted folks configure your logging
> system. Neither is even close to being as big of a problem as
> CVE-2021-44228.
>
> Whether *you* need to still update from 1.x to 2.5.0, we cannot answer.
> If your org wants you to update, you're probably going to have to. But I
> don't think anything substantial changed over the last week for log4j 1.x,
> which is why your plugin isn't listed in the Jenkins issue.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJU3k2RgqjOBnKn5tCuT9NJ9CW85%3D3_kNf8oSDGvhMRwA%40mail.gmail.com
> <https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJU3k2RgqjOBnKn5tCuT9NJ9CW85%3D3_kNf8oSDGvhMRwA%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
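
The distinction drawn in this thread (log4j-core versus log4j 1.x versus the log4j-over-slf4j bridge) can be checked against a plugin archive; the following is an added example, not code from the thread or from the Jenkins project. It assumes the plugin is a zip archive that bundles its dependencies under WEB-INF/lib/, and it treats the presence of the JndiLookup class as the marker for log4j-core code even when the jar has been renamed; the labels, helper names and sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Class whose presence marks real log4j-core 2.x code, even in a renamed jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify(jar_name, jar_bytes):
    """Label one bundled jar by content first, then by file name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if JNDI_LOOKUP in jar.namelist():
            return "log4j-core"          # the component named in the thread
    base = jar_name.rsplit("/", 1)[-1]
    if base.startswith("log4j-over-slf4j-"):
        return "slf4j-bridge"            # API shim, no log4j-core classes
    if re.match(r"log4j-1\.\d", base):
        return "log4j-1.x"               # not affected by CVE-2021-44228
    return "other"

def scan_plugin(hpi_bytes):
    """Return {jar path: label} for every jar under WEB-INF/lib/ in a plugin archive."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as hpi:
        for entry in hpi.namelist():
            if entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
                found[entry] = classify(entry, hpi.read(entry))
    return found

def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample plugin: the jar contents are empty stubs, not real libraries.
SAMPLE_HPI = make_zip({
    "WEB-INF/lib/log4j-over-slf4j-1.7.31.jar": make_zip({"org/apache/log4j/Logger.class": b""}),
    "WEB-INF/lib/log4j-1.2.17.jar": make_zip({"org/apache/log4j/Logger.class": b""}),
    "WEB-INF/lib/logging-shaded.jar": make_zip({JNDI_LOOKUP: b""}),
})

if __name__ == "__main__":
    for path, label in scan_plugin(SAMPLE_HPI).items():
        print(f"{label:13} {path}")
```

A jar labelled `log4j-core` still needs its version compared against the advisory for CVE-2021-44228; the script only separates the three kinds of artifact discussed above.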
