Jenkins log4j vulnerability testing from pipeline job

Question

I am trying to make sure my Jenkins instance is not exploitable with the latest log4j exploit.

I have a pipeline script that runs, I tried following this instruction :

https://community.jenkins.io/t/apache-log4j-2-vulnerability-cve-2021-44228/990

This is one of my stages of my pipeline script:

stage('Building image aaa') {
      steps{
        script {
          sh "echo executing"
          org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource
          sh "docker build --build-arg SCRIPT_ENVIRONMENT=staging -t $IMAGE_REPO_NAME:$IMAGE_TAG ."
        }
      }
    }

But I get a different error than what's described here and I'm unsure if I'm checking this correctly. This is the error:

groovy.lang.MissingPropertyException: No such property: org for class: groovy.lang.Binding
    at groovy.lang.Binding.getVariable(Binding.java:63)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:271)
    at org.kohsuke.groovy.sandbox.impl.Checker$7.call(Checker.java:353)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:357)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
    at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
    at WorkflowScript.run(WorkflowScript:31)
    at ___cps.transform___(Native Method)
    at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74)
    at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
....etc

score 2 · Accepted Answer · answered Dec 27 '21 at 17:00

This is probably the easiest way to check if you Jenkins has the log4j vulnerability (through plugins or otherwise).

Go to https://your-jenkins.domain/script
Paste org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource

If the output is groovy.lang.MissingPropertyException: No such property: org for class: Script1 You're good then, otherwise you're not good.

This way you don't have to change your pipeline to test or go through the approval process like mentioned in the other answer, you can just paste and verify without needing to configure additionally.

VonC · Answer 2 · 2021-12-27T20:39:05.790

0

I don't think a class name would be directly interpreted as a groovy codeSource argument in a declarative pipeline (as opposed to a scripted one)

Try the approach of "How to import a file of classes in a Jenkins Pipeline?", with:

node{
    def cl = load 'Classes.groovy'
    def a = cl.getProperty("org.apache.logging.log4j.core.lookup.JndiLookup").protectionDomain.codeSource
    ...
}

Note that getCLassLoader() is by default disallowed, and should require from an Jenkins administrator In-process Script Approval.

edited Dec 27 '21 at 20:39

answered Dec 26 '21 at 22:02

VonC

1,262,500
529
4,410
5,250

thanks! Now I get a different issue (No such property: org for class: WorkflowScript) – Remember_me Dec 27 '21 at 15:59
@Remember_me Probably a missing quotes issue. I have edited the answer accordingly. – VonC Dec 27 '21 at 20:39

Jenkins log4j vulnerability testing from pipeline job

2 Answers2