[ee4j-build] [CVE-2021-4428] JakartaEE-TCK Jenkins instance

Hi,

The recently announced 0day vulnerability in Log4j [1] (aka CVE-2021-44228 [2]) is extremely serious.

While reviewing the various services the Eclipse Foundation provides, we've identified that the JakartaEE-TCK Jenkins instance was vulnerable because of the plugin bootstraped-multi-test-results-report. We uninstalled the plugin and the instance is safe. We won't re-install the plugin until it has been fixed upstream. We've already reported the issue [3]. 

Thanks for your understanding.


Mikaël Barbero 
Manager — Release Engineering and Technology | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

Attachment: signature.asc
Description: Message signed with OpenPGP

