Hi all,
On the previous forum, I posted:
Hi All,
Is there an upgrade available yet for the following vulnerability in the rundeck log4j library?
Plugin Name: Apache Log4j 2.0-beta9 < 2.25.3 MitM
Plugin ID: 282519
Plugin Output:
  Path              : /var/lib/rundeck/bootstrap/rundeck-5.12.0-20250512.war
  Installed version : 2.17.2
  Fixed version     : 2.25.3
I'm running rundeck 5.12.0.
Thanks,
Eric
Racuna responded:
Hi Eric,
The engineering team is aware of that CVE, thanks for your feedback! Stay tuned for the next releases.
Regards!
I checked in both 5.19.0 and 5.20.0 but it’s still not there. Does anyone know when this is coming?
jar tvf rundeck-5.20.0-20260402.war | grep log4j
  24248 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
1811089 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-core-2.17.2.jar
  30948 Mon May 12 16:40:32 CDT 2025 WEB-INF/lib/log4j-jul-2.17.2.jar
 302511 Mon May 12 16:40:34 CDT 2025 WEB-INF/lib/log4j-api-2.17.2.jar
Thanks,
Eric