Hi community,
a critical security vulnerability in Log4j (CVE-2021-4428) has been identified.
After checking the Cloudogu Ecosystem and our Dogus we identified the following Dogus which are using Log4j and are affected by this vulnerability:
- SonarQube
- CAS
- Nexus
- Jenkins*
For all affected Dogus a newer version is available. You can find a guide for upgrading Dogus here.
*Special case Jenkins: The Jenkins Security team has confirmed that Log4j is not used in Jenkins core, but there may be plugins using Log4j. For further information, please visit the Jenkins website.
Update 15.12.2021:
The Nexus Dogu was also affected by the CVE and has been updated to v3.34.1-4.
Update 20.12.2021:
As with Jenkins, the core of SCM-Manager is also not affected by CVE-2021-4428.
But here, too, it has to be checked whether plugins are affected by the vulnerability.
Further information can be found here: