Hi all,
On the previous forum, I posted:
Hi All,
Is there an upgrade available yet for the following vulnerability in the rundeck log4j library?
Plugin Name: Apache Log4j 2.0-beta9 < 2.25.3 MitM
Plugin ID: 282519
Plugin Output:
Path : /var/lib/rundeck/bootstrap/rundeck-5.12.0-20250512.war
Installed version : 2.17.2
Fixed version : 2.25.3
I'm running rundeck 5.12.0.
Thanks,
Eric
Racuna responded:
Hi Eric,
The engineering team is aware of that CVE, thanks for your feedback! Stay tuned for the next releases.
Regards!
I checked in both 5.19.0 and 5.20.0 but it’s still not there. Does anyone know when this is coming?
jar tvf rundeck-5.20.0-20260402.war | grep log4j
24248 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
1811089 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-core-2.17.2.jar
30948 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-jul-2.17.2.jar
302511 Mon May 12 16:40:34 CDT 2025 WEB-INF/lib/log4j-api-2.17.2.jar
Thanks,
Eric
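The `jar tvf ... | grep log4j` check above can be scripted so it compares each bundled log4j jar against the scanner's "Fixed version". This is an added example, not part of the original post and not Rundeck's code. The function names are hypothetical, the sample WAR is constructed in memory, and the code assumes Maven-built jars that carry a `pom.properties` under `META-INF/maven/`.

```python
import io
import re
import zipfile

FIXED = "2.25.3"  # "Fixed version" from the scanner output quoted in the post
JAR_RE = re.compile(r"WEB-INF/lib/(log4j-[a-z0-9.-]+?)-(\d+(?:\.\d+)*(?:-\w+)?)\.jar$")

def version_key(v):
    """Sort key: numeric parts first; a pre-release tag (e.g. beta9) sorts below the release."""
    base, _, tag = v.partition("-")
    nums = [int(p) for p in base.split(".")]
    return (nums + [0] * (3 - len(nums)), 0 if tag else 1, tag)

def pom_version(jar_bytes, artifact):
    """Version recorded in the jar's own Maven pom.properties, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith(f"/{artifact}/pom.properties"):
                m = re.search(r"^version=(\S+)", jar.read(name).decode(), re.M)
                return m.group(1) if m else None
    return None

def audit_war(war, fixed=FIXED):
    """Return sorted (artifact, version, needs_upgrade) for each bundled log4j jar."""
    findings = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if not m:
                continue
            artifact, version = m.groups()
            # Prefer the version embedded in the jar over the one in its file name.
            version = pom_version(zf.read(name), artifact) or version
            findings.append((artifact, version, version_key(version) < version_key(fixed)))
    return sorted(findings)

def sample_war(versions):
    """Constructed in-memory WAR holding stub jars (metadata only, no classes)."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        for artifact, version in versions.items():
            jar = io.BytesIO()
            with zipfile.ZipFile(jar, "w") as jf:
                jf.writestr(f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
                            f"version={version}\n")
            zf.writestr(f"WEB-INF/lib/{artifact}-{version}.jar", jar.getvalue())
    war.seek(0)
    return war

if __name__ == "__main__":
    for row in audit_war(sample_war({"log4j-core": "2.17.2", "log4j-api": "2.25.3"})):
        print(*row)
```

To check a real file, pass its path to `audit_war()` in place of the constructed sample.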