CloudBees Security Advisory 2021-12-13

Apache Log4j Security Vulnerability (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) in CloudBees CD

CloudBees has assessed our products in light of the CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 security vulnerabilities that are present in certain versions of the popular Apache Log4j logging library. We have determined that versions of CloudBees CD prior to v10.3.4 are vulnerable to the three vulnerabilities and v10.3.4 is only vulnerable to CVE-2021-45046. In all cases, this is introduced to the product via the Logstash stack included with the optional DevOps Insights service.

We have not identified any active exploitation of this vulnerability in any of the products and services that we host.

We have, however, already implemented additional layers of protection where possible and are working to communicate any potential exploit paths to specific customers that may be impacted.

Impacted products

Versions of CloudBees CD prior to v10.3.4 are vulnerable to CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, while v10.3.4 is only vulnerable to CVE-2021-45105. In all cases this is introduced to the product via the Logstash stack included with the DevOps Insights service. To remediate all of these issues, upgrade to v10.3.5. See the release announcement of v10.3.5 for instructions on downloading and installing it.

After you have upgraded CloudBees CD (including the Analytics component) to the v10.3.4 release, and if you previously disabled Analytics to mitigate this issue, start the services by following the instructions for Starting All CloudBees Analytics Services. If you are running CloudBees CD in Kubernetes, the command is:

kubectl scale statefulset -n YOUR_NAMESPACE flow-devopsinsight --replicas=1

Once the service has started, enable analytics under Administration -> Configurations -> Analytics Server, by checking the Enable Analytics checkbox. Select Save.

To mitigate these issues in versions prior to v10.3.4, stop the DevOps Insights related service by following the steps below:

  1. Open the Menu and click on Administration -> Configurations -> Analytics Server, then uncheck the Enable Analytics checkbox, and then select Save:

  2. Stop both the CommanderLogstash and CommanderElasticsearch services by following the instructions for Stopping All CloudBees Analytics Services. If you are running CloudBees CD in Kubernetes, the command is:

kubectl scale statefulset -n YOUR_NAMESPACE flow-devopsinsight --replicas=0

Non-impacted products

To the best of our knowledge, the following CloudBees products are not impacted by the vulnerability:

  • CloudBees CI / CloudBees Jenkins Platform

  • CloudBees Feature Management

  • Customer Success Services

  • Build Acceleration

  • CloudBees CodeShip

  • DevOptics

CloudBees CI plugins considerations

CloudBees CI CAP plugins are not affected by this vulnerability. Regarding other third-party plugins not maintained by CloudBees, there is a risk they may be affected. You can identify whether the Log4j library is included with any plugin by running the following Groovy script in the Script Console:

org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource

If this results in the following error, Log4j is not included in any installed and enabled plugin:

groovy.lang.MissingPropertyException: No such property: org for class: Script1

Otherwise, the script output will print one location where Log4j is found, which includes the plugin name in the path. That plugin should be disabled or uninstalled, followed by a Jenkins restart and another script execution until the No such property error appears.
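The one-line script above reports a single location per run, so finding every bundling plugin means repeating the disable/restart/re-run cycle. The following Script Console script is an added example (it is not part of the CloudBees advisory and not CloudBees code) that checks each active plugin's class loader in one pass and groups the results by the jar that actually provides the class. It assumes a Jenkins instance where you have Overall/Administer permission and relies only on standard Jenkins APIs (Jenkins.instance.pluginManager.plugins and PluginWrapper.classLoader); the class name is the same one the advisory's script uses.

```groovy
// Added example (not from the CloudBees advisory): report, in one pass, which
// active plugins resolve the Log4j JndiLookup class and from which jar.
// Run in Manage Jenkins -> Script Console with Overall/Administer permission.
import jenkins.model.Jenkins

final String LOG4J_CLASS = 'org.apache.logging.log4j.core.lookup.JndiLookup'

// jar location -> plugins whose class loader resolves JndiLookup to that jar.
// A plugin class loader also sees its dependency plugins, so several plugins
// can point at the same jar; the jar path is what names the bundling plugin.
def hits = [:].withDefault { [] }

Jenkins.instance.pluginManager.plugins.each { plugin ->
    try {
        def cls = plugin.classLoader.loadClass(LOG4J_CLASS)
        def location = cls.protectionDomain?.codeSource?.location?.toString() ?: '(unknown)'
        hits[location] << "${plugin.shortName}:${plugin.version}"
    } catch (ClassNotFoundException ignored) {
        // Neither this plugin nor its dependencies bundle log4j-core.
    }
}

if (hits.isEmpty()) {
    println "Log4j JndiLookup class not found in any installed and enabled plugin"
} else {
    hits.each { location, plugins ->
        println "Found at: ${location}"
        println "  resolved via plugins: ${plugins.join(', ')}"
    }
}

// Return value shown by the Script Console: number of distinct jars found.
return hits.size()
```

Each reported location is a path under the plugin directory (plugins/<name>/WEB-INF/lib/...), so the plugin that ships the jar is identifiable without guessing from a single result. Disabled plugins are not on the class path and therefore do not appear, which matches the advisory's "installed and enabled" wording; after disabling or uninstalling a plugin and restarting, re-run the script and expect the "not found" line. Presence of the class is the same indicator the advisory's one-liner uses; cross-check the plugins it names against the Jira Epic referenced below for their current mitigation status.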

Affected plugins and their mitigation status are listed in the Jenkins issue tracker. See this Jira Epic for components known to be affected.

CloudBees CD plugins considerations

Among the CloudBees CD community plugins, BigIP-iControl is the only one that is susceptible to the Log4j vulnerability. Versions prior to 1.0.1 are vulnerable. To remediate, upgrade to version 1.0.1 or later from the plugin catalog. If upgrading is not possible, we recommend disabling the plugin.

Please contact support@cloudbees.com if you have any questions.

Update history
2021-12-24 - Update: Announce availability of CloudBees CD v10.3.5
2021-12-22 - Update: Add details about upcoming release given impact of CVE-2021-45105 on CD
2021-12-20 - Update: Announce availability of BigIP-iControl plugin v1.0.1 for CD
2021-12-17 - Update #2: Announce availability of CD v10.3.4
2021-12-17 - Update #1: Document findings for CI and CD plugins and expand coverage to include CVE-2021-45046
2021-12-14 - Update: Add mitigation instructions for CD