Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Some of Atlasian plugin dependencies are using log4j vulnerable versions

Anuroop Kottamparambil February 18, 2022

Hello Team,

We have customized plugins where it is used some of dependencies of log4j vulnerable versions. These are atlassian maven artifacts.

 

The dependency details
<groupId>com.atlassian.maven.plugins</groupId>
<artifactId>maven-bamboo-plugin</artifactId>

<version>${amps.version}</version> # amps.version: 1000.0.8-log4j2
<extensions>true</extensions>

<dependency>
<groupId>com.atlassian.bamboo</groupId>
<artifactId>atlassian-bamboo-web</artifactId>
<version>${bamboo.version}</version> # bamboo.version: 6.1.4
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.bamboo</groupId>
<artifactId>atlassian-bamboo-api</artifactId>
<version>${bamboo.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.bamboo</groupId>
<artifactId>atlassian-bamboo-deployments</artifactId>
<version>${bamboo.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.plugins.rest</groupId>
<artifactId>atlassian-rest-common</artifactId>
<version>1.0.2</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.atlassian.sal</groupId>
<artifactId>sal-api</artifactId>
<version>2.6.0</version>
<scope>provided</scope>
</dependency>

I couldn't figure it out which exact plugin dependency that actually pulling older version of log4j core lib. Right now, it is pulling log4j core 2.13* jar. If some can help me on finding the right artifacts that would be great!

1 answer

2 votes
Brian D February 18, 2022

Hi,

Maybe the output from 'atlas-mvn dependency:tree' will show why that version of log4j is getting resolved.

Anuroop Kottamparambil February 18, 2022

I figured it! Thank you so much! You have saved my day :).

Like Brian D likes this

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events