Log4J vulnerability

Rakhita.Kumarawadu
June 7, 2022

We have a self-managed instance of Bamboo, which is currently on version 8.1.3. Our security scans have picked up that this version has log4j-1.2.15.jar (bundled in atlassian-nav-links-plugin-3.3.9.jar), which has multiple vulnerabilities (e.g. CVE-2021-44228). Atlassian has confirmed that self-managed instances that maintain a fork of log4j-1.2.17.jar are not vulnerable to some of these (link below), but there's no mention of log4j-1.2.15.

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html#:~:text=Summary%20of%20Vulnerability%20Multiple%20Atlassian%20products%20use%20the,attacker%20controlled%20LDAP%20and%20other%20JNDI%20related%20endpoints.

Can you please advise if self-managed instances that maintain a fork of log4j-1.2.15.jar have any known vulnerabilities? Also advise if there's a way to update log4j-1.2.15 to 1.2.17. The current version of Bamboo (8.2.3) doesn't seem to solve this issue.

Feel free to get back to me if you require further information. Thanks.

1 answer

1 vote
Eduardo Alvarenga
Atlassian Team
June 7, 2022

Hello @Rakhita.Kumarawadu,

We have a self-managed instance of Bamboo, which is currently on version 8.1.3. Our security scans have picked up this version has log4j-1.2.15.jar

Bamboo 8.1.3 bundles log4j-1.2.17-atlassian-15 and not log4j-1.2.15 -- Notice that the version is 1.2.17, whilst the patch is "-15".

If you are looking to update it to log4j-1.2.17-atlassian-16 (the latest as of today, 08/Jun/2022), you will need to upgrade Bamboo to any of the following versions, as listed in the provided FAQ:

  • Bamboo 8.0.7
  • Bamboo 8.1.4
  • Bamboo 8.2.1

Kind regards,

Eduardo Alvarenga
Atlassian Support APAC
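
To settle a disagreement like the one in this thread between a scanner finding and the vendor's stated bundle, the install directory can be inventoried directly, including jars nested inside plugin jars. The script below is an added example, not part of either post and not Atlassian tooling. It assumes the fork is shipped as a file named `log4j-<version>-atlassian-<patch>.jar`; the `.obr` extension, the nesting depth and the size limit are also assumptions.

```python
import io
import os
import re
import zipfile

# log4j-1.2.15.jar -> ("1.2.15", None); log4j-1.2.17-atlassian-15.jar -> ("1.2.17", "15")
LOG4J = re.compile(r"(?:^|/)log4j(?:-core)?-(\d+(?:\.\d+)+)(?:-atlassian-(\d+))?\.jar$")
ARCHIVES = (".jar", ".war", ".obr")   # container types to open (assumed list)
MAX_NESTED = 256 * 1024 * 1024        # skip oversized nested entries (assumed limit)

def classify(name):
    """Return (upstream_version, atlassian_patch or None) for a log4j jar name, else None."""
    m = LOG4J.search(name.replace(os.sep, "/"))
    return (m.group(1), m.group(2)) if m else None

def scan_archive(data, label, depth=0):
    """Yield (location, upstream, patch) for log4j jars nested inside archive bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt or non-zip file with an archive extension
    with zf:
        for info in zf.infolist():
            where = f"{label}!/{info.filename}"
            hit = classify(info.filename)
            if hit:
                yield (where, *hit)
            elif (info.filename.endswith(ARCHIVES) and depth < 4
                  and info.file_size <= MAX_NESTED):
                yield from scan_archive(zf.read(info), where, depth + 1)

def scan_tree(root):
    """Walk an install directory and report every log4j jar, loose or nested."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            hit = classify(fn)
            if hit:
                found.append((path, *hit))
            elif fn.endswith(ARCHIVES):
                with open(path, "rb") as fh:
                    found.extend(scan_archive(fh.read(), path))
    return sorted(found, key=lambda r: r[0])

if __name__ == "__main__":
    import sys
    for loc, upstream, patch in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(loc, upstream, f"atlassian-{patch}" if patch else "no -atlassian- suffix")
```

The result is based on file names only, so it shows which artifact a scanner is pointing at and whether it carries an `-atlassian-` patch suffix; it does not by itself establish whether that artifact is vulnerable.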
