A critical security vulnerability in Log4j (CVE-2021-4428) has been identified.
After checking the Cloudogu Ecosystem and our Dogus we identified the following Dogus which are using Log4j and are affected by this vulnerability:
- SonarQube
For all affected Dogus a newer version is available. You can find a guide for upgrading Dogus here.
*Special case Jenkins: The Jenkins Security team has confirmed that Log4j is not used in Jenkins core, but there may be plugins that use Log4j. For further information, please visit the Jenkins website.
The Nexus Dogu was also affected by the CVE and has been updated to v3.34.1-4.
As with Jenkins, the core of the SCM-Manager is not affected by CVE-2021-4428.
Here, too, the installed plugins have to be checked to see whether they are affected by the vulnerability.
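One way to carry out the plugin check mentioned for Jenkins and SCM-Manager, as an added example that is not Cloudogu's or either project's own tooling: the script inventories plugin archives that bundle log4j-core by looking for its `JndiLookup` class, including jars nested inside a plugin. The archive suffixes (`.hpi`/`.jpi` for Jenkins, `.smp` for SCM-Manager) and the plugin directory passed on the command line are assumptions.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class that ships in log4j-core 2.x and implements the JNDI lookup.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed suffixes: Jenkins plugins (.hpi/.jpi), SCM-Manager plugins (.smp), plain jars/wars.
ARCHIVE_SUFFIXES = (".jar", ".war", ".hpi", ".jpi", ".smp")


def find_log4j_core(data, label, max_depth=4):
    """Return 'outer!/inner' paths of every archive that contains the marker class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip archive, nothing to inspect
    with zf:
        names = zf.namelist()
        if MARKER in names:
            hits.append(label)
        if max_depth > 0:  # descend into bundled jars, e.g. WEB-INF/lib/*.jar
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    hits += find_log4j_core(zf.read(name), f"{label}!/{name}", max_depth - 1)
    return hits


def scan_directory(root):
    """Scan every plugin archive below root; map file path -> list of hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits = find_log4j_core(path.read_bytes(), path.name)
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    # The plugin directory is an assumption; pass the one used by your instance.
    for plugin, hits in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(plugin, "->", ", ".join(hits))
```

A hit only shows that a plugin bundles log4j-core; compare the bundled version with the plugin vendor's advisory. Copies relocated to another package name by shading are not detected by this marker.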
Further information can be found here: