Issue
I am trying to make sure my Jenkins instance is not exploitable with the latest log4j exploit.
I have a pipeline script that runs, I tried following this instruction :
rel="noreferrer">https://community.jenkins.io/t/apache-log4j-2-vulnerability-cve-2021-44228/990
This is one of my stages of my pipeline script:
stage('Building image aaa') {
steps{
script {
sh "echo executing"
org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource
sh "docker build --build-arg SCRIPT_ENVIRONMENT=staging -t $IMAGE_REPO_NAME:$IMAGE_TAG ."
}
}
}
But I get a different error than what's described here and I'm unsure if I'm checking this correctly. This is the error:
groovy.lang.MissingPropertyException: No such property: org for class: groovy.lang.Binding
at groovy.lang.Binding.getVariable(Binding.java:63)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:271)
at org.kohsuke.groovy.sandbox.impl.Checker$7.call(Checker.java:353)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:357)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
at WorkflowScript.run(WorkflowScript:31)
at ___cps.transform___(Native Method)
at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74)
at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
....etc
Solution
This is probably the easiest way to check if you Jenkins has the log4j vulnerability (through plugins or otherwise).
- Go to https://your-jenkins.domain/script
- Paste
org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource
If the output is groovy.lang.MissingPropertyException: No such property: org for class: Script1
You're good then, otherwise you're not good.
This way you don't have to change your pipeline to test or go through the approval process like mentioned in the other answer, you can just paste and verify without needing to configure additionally.
Answered By - ant
Answer Checked By - Cary Denson (JavaFixing Admin)