# Log4Shell / Log4j Security

In December 2021 Rundeck Engineering team was made aware of the "Log4Shell" vulnerabilities related to Log4j. This page documents the fixes put in place by the team as vulnerabilities were identified.



  • Upgrade as soon as possible. Minimum versions for remediation are listed below.
  • If you are still using Rundeck 3.4.6/3.3.14 or earlier, be sure to apply the mitigation options below to protect against the RCE vulnerability.



Update May 10, 2022 The JIRA plugins bundled with Process Automation utilize the JIRA REST Java Client Library. This includes a Log4j version 1.2 that will flag security scanners. Atlassian states that "Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228 (opens new window)". More details at FAQ from Atlassian (opens new window). After upgrading to a minimum version listed above, if your installation is not using JIRA it is safe to remove the rundeckpro-jira-plugins-*.jar from the libext folder. (You must still update to a version above to mitigate all issues.)

Update December 20, 2021

We will be releasing 3.4.9 and 3.3.17 today, which use Log4j version 2.17 to address the latest Log4j CVE-2021-45105 (opens new window)

Update December 14, 2021, 3pm PST

We will be releasing 3.4.8 and 3.3.16 today, which use Log4j version 2.16 to address the latest Log4j CVE-2021-45046 (opens new window)

Update December 14, 2021 10am PST

Note that a new Log4j CVE-2021-40456 (opens new window) has been issued. Rundeck Engineering is currently testing impacts and will update docs accordingly as soon as we have more information. This CVE indicates a potential DOS attack is possible even with the mitigation of CVE-2021-44228 (opens new window) applied.

# Mitigation Options

Rundeck versions 3.4.6 and below can mitigate some risk with the actions below. Note the [CVE-2021-45056][] says a Denial-of-Service is still possible even with these mitigations.

  • Add this flag to the JVM options for starting rundeck: -Dlog4j2.formatMsgNoLookups=true
  • Modify the file $RDECK_BASE/server/config/log4j2.properties, replace the string %m with %m{nolookups}