How to resolve log4j vulnerabilities

log4j vulnerabilities have been found on our instance of Jenkins. The plugins look fine but the following came up in a scan:

The version of Apache Log4j on the remote host is 2.x < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JDNI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.

Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j’s configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

What needs to be done to remediate this problem?

Jenkins doesn’t use log4j. Almost all plugins don’t use log4j and those that did were updated.

How to remedy the nonexistent situation? Update your core and plugins and file bugs if any remaining plugins still use it.

Also read https://community.jenkins.io/t/apache-log4j-2-vulnerability-cve-2021-44228 and the comments