A critical security vulnerability has been identified in the popular "Apache Log4j 2" library. This vulnerability is identified as CVE-2021-44228.

Log4j in Jenkins

The Jenkins security team has confirmed that Log4j is not used in Jenkins core. Jenkins plugins may be using Log4j. You can identify whether Log4j is included with any plugin by running the following Groovy script in the Script Console:

org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource

If this results in the following error, Log4j is not included in any installed and enabled plugin:

groovy.lang.MissingPropertyException: No such property: org for class: Script1

Otherwise, the script output will print one location where Log4j is found, which includes the plugin name in the path. That plugin should be disabled or uninstalled, followed by a Jenkins restart and another script execution until the "No such property" error appears.

Affected plugins and their mitigation status are listed in the Jenkins issue tracker. See this Jira Epic for components known to be affected.

Log4j in web application containers

If you are hosting your Jenkins in a separate web application container like Tomcat, Websphere, or Glassfish, check with the providers of those containers to assess if they are using a vulnerable version of Log4j.

When Jenkins runs from the Docker image, a native installer package (deb, rpm, msi), or is invoked with java -jar jenkins.war, it is not running inside a separate web application container. It is using the built-in Jetty web application container that is bundled inside Jenkins and does not include Log4j.

Log4j in Jenkins project infrastructure

The Jenkins infrastructure team is currently checking all Jenkins project infrastructure for the presence of vulnerable versions of the Log4j library. This work is ongoing. We may decide to disable some services temporarily out of an abundance of caution. You can see the status of services on the status page.

About the Authors
Wadeck Follonier

Wadeck is the Jenkins security officer, leading the security team in improving Jenkins security. He likes to provide solutions that are both useful and easy to use.

Daniel Beck

Daniel is a Jenkins core maintainer and member of the Jenkins security team. He was the inaugural Jenkins security officer from 2015 to 2021. He sometimes contributes to developer documentation and project infrastructure in his spare time.

Hervé Le Meur

Hervé is a site reliability engineer working on the Jenkins project infrastructure.

Mark Waite

Mark is the Jenkins Documentation Officer, a long-time Jenkins user and contributor, and maintains the git plugin and the git client plugin. He is active in Jenkins special interest groups including the Docs SIG, Platform SIG, and Advocacy SIG.

Discuss