Audit of the Log4J Security Vulnerability - CVE-2021-44228

To our valued customers,

On the 10th December 2021 we received a security briefing regarding a vulnerability in a common Logging Framework called Log4J. Log4j is in use across a variety of source software solutions today. The link to the CVE is CVE-2021-44228.

We audited all services the same day and took corrective actions where necessary. All customers have been contacted independently with the result of the audit on their services and any corrective actions taken. If we did not contact you it was because we did not need to take any corrective action on your services.

Mitigations

The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable:

1. If you are using the Log4j 2 library as a dependency within an application you have developed, ensure you update to version 2.15.0 or later
2. If you are using an affected third-party application, ensure you keep the product updated to the latest version
3. The flaw can also be mitigated in previous releases (2.10 and later) by setting system property "log4j2.formatMsgNoLookups" to "true" or removing the JndiLookup class from the classpath

Jenkins

Jenkins Core does not have a dependency on Log4J however some plugins do. If your Jenkins Controller had a plugin affected by this critical vulnerability we have removed the plugin and contacted you. All the plugins that we removed fall in the category of value-added, nice-to-have but not essential. We understand this may still have an impact on your pipelines and jobs however given the critical severity of this CVE we made the decision that this was the best course of action.

Sonarqube

Sonar Core doesn’t have a dependency on Log4J however Elasticsearch a dependency of Sonar does. We took Mitigation point 3 above and set the system property log4j2.formatMsgNoLookups to true. A temporary measure while we wait for a new release of Sonar Community Edition.