I am trying to make sure my Jenkins instance is not exploitable with the latest log4j exploit.
I have a pipeline script that runs, I tried following this instruction :
https://community.jenkins.io/t/apache-log4j-2-vulnerability-cve-2021-44228/990
This is one of my stages of my pipeline script:
stage('Building image aaa') {
steps{
script {
sh "echo executing"
org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource
sh "docker build --build-arg SCRIPT_ENVIRONMENT=staging -t $IMAGE_REPO_NAME:$IMAGE_TAG ."
}
}
}
But I get a different error than what's described here and I'm unsure if I'm checking this correctly. This is the error:
groovy.lang.MissingPropertyException: No such property: org for class: groovy.lang.Binding
at groovy.lang.Binding.getVariable(Binding.java:63)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:271)
at org.kohsuke.groovy.sandbox.impl.Checker$7.call(Checker.java:353)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:357)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
at WorkflowScript.run(WorkflowScript:31)
at ___cps.transform___(Native Method)
at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74)
at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
....etc
CodePudding user response:
This is probably the easiest way to check if you Jenkins has the log4j vulnerability (through plugins or otherwise).
- Go to https://your-jenkins.domain/script
- Paste
org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource
If the output is groovy.lang.MissingPropertyException: No such property: org for class: Script1 You're good then, otherwise you're not good.
This way you don't have to change your pipeline to test or go through the approval process like mentioned in the other answer, you can just paste and verify without needing to configure additionally.
CodePudding user response:
I don't think a class name would be directly interpreted as a groovy codeSource argument in a declarative pipeline (as opposed to a scripted one)
Try the approach of "How to import a file of classes in a Jenkins Pipeline?", with:
node{
def cl = load 'Classes.groovy'
def a = cl.getProperty("org.apache.logging.log4j.core.lookup.JndiLookup").protectionDomain.codeSource
...
}
Note that getCLassLoader() is by default disallowed, and should require from an Jenkins administrator In-process Script Approval.