Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:
Does it mean that Atlassian does not intend to patch log4j to 2.17.1?
There are vulnerabilities that affect 1.2.17 too, and we only consider the vulnerability fully resolved if it is patched to 2.17.1.
You may check the information provided by Atlassian in the following link: https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html. Basically, only if you have org.apache.log4j.net.JMSAppender in your log4j, you may be vulnerable. The mitigation is to disable this temporarily.
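An added example (not code from the thread or from Atlassian) of how an administrator could check log4j 1.x configuration files for the org.apache.log4j.net.JMSAppender the answer refers to, and comment it out as the temporary mitigation; the two sample configuration files are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# Constructed sample log4j 1.x properties file with the non-default JMSAppender enabled.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=WARN, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

# Constructed sample log4j.xml with the same appender.
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root><level value="WARN"/><appender-ref ref="console"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

# Matches only the appender *class* line: log4j.appender.<name>=<class>
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$", re.M)

def jms_appenders_in_properties(text):
    """Return names of appenders configured as JMSAppender in a log4j.properties text."""
    return [name for name, cls in APPENDER_RE.findall(text) if cls == JMS_APPENDER]

def jms_appenders_in_xml(text):
    """Return names of appenders configured as JMSAppender in a log4j.xml text."""
    root = ET.fromstring(text)
    return [a.get("name") for a in root.iter("appender") if a.get("class") == JMS_APPENDER]

def disable_jms_appenders_in_properties(text):
    """Comment out JMSAppender definitions and drop their refs from rootLogger/logger lines."""
    names = set(jms_appenders_in_properties(text))
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*log4j\.appender\.([^.=\s]+)", line)
        if m and m.group(1) in names:
            out.append("# disabled (CVE-2021-4104 mitigation): " + line)
            continue
        if re.match(r"^\s*log4j\.(rootLogger|logger\.[^=]+)\s*=", line):
            key, _, val = line.partition("=")
            refs = [r.strip() for r in val.split(",") if r.strip() not in names]
            line = key + "=" + ", ".join(refs)
        out.append(line)
    return "\n".join(out) + "\n"
```

Run the checkers over every log4j.properties and log4j.xml the product ships or that you have customised; a non-empty result is the non-default configuration the advisory describes.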
Mitigation does not mean the vulnerability is resolved.
Only by patching to the latest log4j 2.17.1 is it considered resolved.