Security Vulnerability - Log4Shell - CVE-2021-44228

Hi community,

A critical security vulnerability in Log4j (CVE-2021-44228) has been identified.

After checking the Cloudogu Ecosystem and our Dogus, we identified the following Dogus which are using Log4j and are affected by this vulnerability:

  • SonarQube
  • CAS
  • Nexus
  • Jenkins*

For all affected Dogus a newer version is available. You can find a guide for upgrading Dogus here.

*Special case Jenkins: The Jenkins Security team has confirmed that Log4j is not used in Jenkins core, but there may be plugins using Log4j. For further information, please visit the Jenkins website.

Update 15.12.2021:
The Nexus Dogu was also affected by the CVE and has been updated to v3.34.1-4.

Update 20.12.2021:

As with Jenkins, the core of the SCM-Manager is also not affected by CVE-2021-44228.
But here, too, it has to be checked whether plugins are affected by the vulnerability.

Further information can be found here: