Jenkins log4j vulnerability testing from pipeline job

Time:12-28

I am trying to make sure my Jenkins instance is not exploitable with the latest log4j exploit.

I have a pipeline script that runs; I tried following this instruction:

https://community.jenkins.io/t/apache-log4j-2-vulnerability-cve-2021-44228/990

This is one of the stages of my pipeline script:

stage('Building image aaa') {
    steps {
        script {
            sh "echo executing"
            org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource
            sh "docker build --build-arg SCRIPT_ENVIRONMENT=staging -t $IMAGE_REPO_NAME:$IMAGE_TAG ."
        }
    }
}

But I get a different error than what's described here and I'm unsure if I'm checking this correctly. This is the error:

groovy.lang.MissingPropertyException: No such property: org for class: groovy.lang.Binding
    at groovy.lang.Binding.getVariable(Binding.java:63)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:271)
    at org.kohsuke.groovy.sandbox.impl.Checker$7.call(Checker.java:353)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:357)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
    at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
    at WorkflowScript.run(WorkflowScript:31)
    at ___cps.transform___(Native Method)
    at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74)
    at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
....etc

CodePudding user response:

This is probably the easiest way to check if your Jenkins has the log4j vulnerability (through plugins or otherwise).

  1. Go to https://your-jenkins.domain/script
  2. Paste org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource

If the output is groovy.lang.MissingPropertyException: No such property: org for class: Script1, you're good; otherwise you're not.

This way you don't have to change your pipeline to test or go through the approval process like mentioned in the other answer, you can just paste and verify without needing to configure additionally.
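The script-console check above only tells you whether the console's own classloader can resolve JndiLookup. The following script is an added example (not from the answer above or from the Jenkins project) that extends that idea: pasted into the same script console, it tries to resolve the class from the core classloader and from every installed plugin's classloader, and reports which jar it came from, so a bundled log4j-core inside a plugin is not missed.

```groovy
// Added example: run in the Jenkins script console (https://your-jenkins.domain/script).
// Resolves log4j-core's JndiLookup from the core classloader and from each plugin's
// classloader, reporting the jar it was loaded from (its name carries the version).
import jenkins.model.Jenkins

def target = 'org.apache.logging.log4j.core.lookup.JndiLookup'
def jenkins = Jenkins.get()

// Core (uber) classloader first, then each installed plugin's own classloader.
def loaders = [['(core/uberClassLoader)', jenkins.pluginManager.uberClassLoader]]
jenkins.pluginManager.plugins.each { p ->
    loaders << ["${p.shortName}:${p.version}", p.classLoader]
}

def hits = []
loaders.each { label, loader ->
    try {
        // initialize=false: resolve the class only, never run its static initializer.
        def cls = Class.forName(target, false, loader)
        def loc = cls.protectionDomain?.codeSource?.location
        hits << [label: label, jar: loc?.toString() ?: '(unknown location)']
    } catch (ClassNotFoundException ignored) {
        // Not reachable from this loader: this is the expected, good result.
    } catch (NoClassDefFoundError ignored) {
        // Class file is present but a dependency is missing; still worth listing.
        hits << [label: label, jar: '(NoClassDefFoundError)']
    }
}

if (hits.isEmpty()) {
    println "JndiLookup not resolvable from core or any of ${loaders.size() - 1} plugin classloaders"
} else {
    println 'JndiLookup resolvable from:'
    hits.each { h -> println "  ${h.label} -> ${h.jar}" }
}
```

A hit is a pointer to the jar to inspect, not a verdict on its own: the uber classloader delegates to plugins, so the same jar may be listed under both, and the log4j-core version in the jar name is what determines whether that copy is actually affected.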

CodePudding user response:

I don't think a class name would be directly interpreted as a groovy codeSource argument in a declarative pipeline (as opposed to a scripted one).

Try the approach of "How to import a file of classes in a Jenkins Pipeline?", with:

node{
    def cl = load 'Classes.groovy'
    def a = cl.getProperty("org.apache.logging.log4j.core.lookup.JndiLookup").protectionDomain.codeSource
    ...
}

Note that getClassLoader() is disallowed by default, and should require In-process Script Approval from a Jenkins administrator.
