CircleCI Images & the log4j CVEs (December 2021)

Hey everyone. I just wanted to provide a quick update on the log4j CVEs and what this means (and doesn’t mean) for the images provided by CircleCI.

Let me start by saying there is no immediate threat from these CVEs to CircleCI: not to our infrastructure and services, and not to customers running a pipeline, due to the nature of the CVEs. These are production-focused CVEs. More information on CircleCI’s thoughts on the CVEs and whether there’s a danger can be found in this post here.


Now, with that being said, just to be overly cautious, we did go through the images and make a few updates here and there to get some older versions of log4j replaced. This does not mean you are vulnerable with the previous images in a CI environment; we just wanted to provide log4j updates in case they’re needed for any reason, including research.

For the most part, it was instances of Gradle or SBT that pulled log4j into an image. There’s a small use of it in the Xcode dynamic installer as well. Maven includes an affected log4j version, with no new release at this time.

Here’s the state across images:

Linux

cimg/openjdk

The last patch-release images for supported versions were updated with newer releases of SBT and Gradle. This includes the following images:

  • cimg/openjdk:8.0.312
  • cimg/openjdk:11.0.13
  • cimg/openjdk:16.0.2
  • cimg/openjdk:17.01

This also includes the related alias tags, the Browsers variant, and the Node variant. An unfortunate side effect of this release is that the version of Node.js in those variants jumped from v14.x to v16.x.

Linux Standard Image (amd64 and arm64)

The standard Linux machine image from Q4 was updated. The new image is:

  • ubuntu-2004:202111-02

Android

Both the Android Convenience Image (Docker) and the machine image (VM) were updated. Here are the two new images:

  • cimg/android:2021.12.2 (docker)
  • android:2021.12.1 (machine)

macOS

The main reference to log4j we found was with Xcode itself. Xcode 11.7 and lower are not affected at all; newer versions are. The app uploader portion of Xcode is affected; however, to be clear, there is no immediate concern. It auto-updates, which gives Apple the quick-fix route. A new patched version of Xcode, when shipped, will completely remove the affected version.

Windows

No references to be concerned about.
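The post above describes going through images to find and replace older log4j versions pulled in by build tools such as Gradle and SBT. The script below is an added example, not CircleCI’s tooling or part of the original post: it walks a directory tree (for instance a Gradle or Ivy cache inside a CI container), finds `log4j-core-*.jar` files, reads the version from the jar manifest (falling back to the filename), checks whether the JNDI lookup class is still present, and compares the version against a caller-supplied minimum. The default minimum of `2.16.0` and the cache-like paths in the demo are illustrative assumptions; set the threshold to whatever your own guidance requires. The jars it builds for the demo are constructed stand-ins, not real log4j artifacts.

```python
"""Scan a directory tree for log4j-core jars and report their versions.

Added example for checking CI image contents; not CircleCI code.
Run stand-alone to scan a constructed sample tree, or call
scan_tree("/path/to/cache", "2.16.0") on a real filesystem.
"""
import os
import re
import tempfile
import zipfile
from typing import List, NamedTuple, Optional, Tuple

# Class whose presence indicates JNDI lookups are still compiled in.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


class Finding(NamedTuple):
    path: str
    version: str
    has_jndi_lookup: bool
    meets_minimum: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.16' -> (2, 16, 0); non-numeric suffixes are ignored."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def jar_version(jar_path: str) -> Optional[str]:
    """Prefer Implementation-Version from the manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if "META-INF/MANIFEST.MF" in zf.namelist():
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.startswith("Implementation-Version:"):
                        return line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    m = VERSION_RE.search(os.path.basename(jar_path))
    return m.group(1) if m else None


def inspect_jar(jar_path: str, minimum: str) -> Optional[Finding]:
    """Return a Finding for one jar, or None if it is unreadable/unversioned."""
    version = jar_version(jar_path)
    if version is None:
        return None
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    ok = parse_version(version) >= parse_version(minimum)
    return Finding(jar_path, version, has_jndi, ok)


def scan_tree(root: str, minimum: str = "2.16.0") -> List[Finding]:
    """Walk root and inspect every log4j-core*.jar found, sorted by path."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                found = inspect_jar(os.path.join(dirpath, name), minimum)
                if found is not None:
                    findings.append(found)
    return sorted(findings)


def make_fake_jar(path: str, version: str, include_jndi_lookup: bool = True) -> str:
    """Build a constructed stand-in jar (manifest plus optional JndiLookup entry)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return path


def demo_scan(minimum: str = "2.16.0") -> List[Finding]:
    """Constructed sample tree: an old jar, a newer jar, and an old jar with
    JndiLookup.class stripped (the manual 'zip -d' mitigation). Hypothetical paths."""
    root = tempfile.mkdtemp()
    make_fake_jar(os.path.join(root, "gradle/caches/log4j-core-2.14.1.jar"), "2.14.1")
    make_fake_jar(os.path.join(root, "ivy2/cache/log4j-core-2.16.0.jar"), "2.16.0")
    make_fake_jar(os.path.join(root, "stripped/log4j-core-2.14.1.jar"), "2.14.1",
                  include_jndi_lookup=False)
    return scan_tree(root, minimum)


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, one per jar."""
    lines = []
    for f in findings:
        status = "OK" if f.meets_minimum else "NEEDS UPDATE"
        jndi = " (JndiLookup.class present)" if f.has_jndi_lookup else " (JndiLookup.class absent)"
        lines.append(f"{status}: {f.path} log4j-core {f.version}{jndi}")
    return lines


if __name__ == "__main__":
    for line in report(demo_scan()):
        print(line)
```

The version comparison is numeric, so `2.16` and `2.16.0` compare equal and `2.9.1` does not sort above `2.16.0` the way a string comparison would. The JNDI class check is reported separately from the version check: a jar below the threshold with the class stripped is still flagged as needing an update, since the class removal is a mitigation rather than a release.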

Hi there, would the patches for Log4j be v2.16 and above?

I’m asking since the initial CVE mentioned that the patch level should be v2.15, but it has since been shown that v2.15 is not sufficient.

Thank you

/Jason