Jenkins log4j vulnerability testing from pipeline job

Question

I am trying to make sure my Jenkins instance is not exploitable with the latest log4j exploit.

I have a pipeline script that runs, I tried following this instruction :

https://community.jenkins.io/t/apache-log4j-2-vulnerability-cve-2021-44228/990

This is one of my stages of my pipeline script:

stage('Building image aaa') {
      steps{
        script {
          sh "echo executing"
          org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource
          sh "docker build --build-arg SCRIPT_ENVIRONMENT=staging -t $IMAGE_REPO_NAME:$IMAGE_TAG ."
        }
      }
    }

But I get a different error than what's described here and I'm unsure if I'm checking this correctly. This is the error:

groovy.lang.MissingPropertyException: No such property: org for class: groovy.lang.Binding
    at groovy.lang.Binding.getVariable(Binding.java:63)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:271)
    at org.kohsuke.groovy.sandbox.impl.Checker$7.call(Checker.java:353)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:357)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:333)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:29)
    at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
    at WorkflowScript.run(WorkflowScript:31)
    at ___cps.transform___(Native Method)
    at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74)
    at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
....etc

Answer 1

This is probably the easiest way to check if you Jenkins has the log4j vulnerability (through plugins or otherwise).

1. Go to https://your-jenkins.domain/script
2. Paste org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource

If the output is groovy.lang.MissingPropertyException: No such property: org for class: Script1 You're good then, otherwise you're not good.

This way you don't have to change your pipeline to test or go through the approval process like mentioned in the other answer, you can just paste and verify without needing to configure additionally.