When is Confluence Server's Log4j version being upgraded to Log4j 2.17.0 (or later)?

Samuel Leung February 23, 2022

Bear with me here,

This article outlines the following summary:

  • No Atlassian on-premises products are vulnerable to CVE-2021-44228.
  • Some on-premises products utilise an Atlassian-maintained fork of Log4j 1.2.17, which, while not vulnerable to CVE-2021-44228, is vulnerable to a new but similar vulnerability that can be exploited when a trusted party is present and the JMS Appender is enabled in configuration (non-default).
  • Two similar vulnerabilities discovered in non-default configurations of Log4j are:
    • 2.0-beta9 to 2.15.0 (inclusive) are affected by CVE-2021-45046
    • 2.0-alpha1 through 2.16.0 (excluding 2.12.3) are affected by CVE-2021-45105
    • Neither of these vulnerabilities applies to Atlassian's Log4j 1.x maintained fork, as outlined in this FAQ page.

Now, regardless of the above summary, Atlassian go on to say:

"Regardless of whether the vulnerable configuration is in use, Atlassian will be addressing CVE-2021-45046 and CVE-2021-45105 by upgrading to log4j 2.17.0 (or greater) in line with the timeframes detailed in the Atlassian Security Bugfix Policy."

Atlassian do not go on to mention within the article itself what category these two vulnerabilities fall under (Critical, High, Medium or Low); however, we know the following!

The record date of CVE-2021-45046 was 14th Dec 2021 and it has a base score of 9.0, categorising it as Critical by Atlassian's Bugfix Policy.

The record date of CVE-2021-45105 was 16th Dec 2021 and it has a base score of 5.9, categorising it as Medium by Atlassian's Bugfix Policy.

Meaning, both CVEs "should be patched within 90 days of being reported".

This lands on March 14th and 16th, 2022 as the dates by which Confluence devs should have upgraded server distros to include "Log4j 2.17.0 (or later)". Around 3 weeks after this post! They have some time, granted!

Am I wrong in all of the above thoughts and findings?
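As an added example (not from the original post or from Atlassian), the two checks a Confluence admin would want from the summary above, written for an offline inventory script: classifying a Log4j 2 jar version against the affected ranges exactly as the post quotes them, and spotting the non-default JMSAppender declaration in a Log4j 1.x log4j.properties file. The sample properties text and the version strings are constructed; `org.apache.log4j.net.JMSAppender` is the standard Log4j 1.x class name.

```python
import re

# Affected ranges as the post quotes them (inclusive); consult the vendor advisory for point-release exceptions.
AFFECTED = {
    "CVE-2021-45046": ("2.0-beta9", "2.15.0", set()),
    "CVE-2021-45105": ("2.0-alpha1", "2.16.0", {"2.12.3"}),
}
# Log4j 1.x appender class the post's summary says must be enabled (non-default) for the 1.x issue.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # any final release sorts above these

def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.17.0' -> (2, 17, 0, 3, 0). Tuples compare in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j 2 version string: {v!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0), PRE_RANK.get(pre, 3), int(pre_n or 0))

def affected_cves(version):
    """Return the CVEs from the post whose quoted range contains this Log4j 2 version."""
    v = parse_version(version)
    hits = []
    for cve, (low, high, excluded) in AFFECTED.items():
        if parse_version(low) <= v <= parse_version(high) and version.strip() not in excluded:
            hits.append(cve)
    return hits

def jms_appenders(properties_text):
    """Names of appenders declared as JMSAppender in a Log4j 1.x log4j.properties text."""
    found = []
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        # 'log4j.appender.<name>' (exactly three parts) is the line that declares the appender class
        if len(parts) == 3 and parts[:2] == ["log4j", "appender"] and value.strip() == JMS_APPENDER:
            found.append(parts[2])
    return found

# Constructed sample log4j.properties: a default console appender plus a locally added JMS one.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=WARN, confluencelog
log4j.appender.confluencelog=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""
```

Run `affected_cves("2.14.1")` to see both CVEs reported and `jms_appenders(SAMPLE_PROPERTIES)` to see `["jms"]` flagged; a properties file with only the console appender returns an empty list.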

1 comment

Daniel Ebers
August 18, 2022

Hi @Samuel Leung

Reviewing https://jira.atlassian.com/browse/CONFSERVER-59742, I seem to understand log4j (v2) will be included in version 8 (at least according to the fixVersion of the issue).

Regards,
Daniel

Samuel Leung August 18, 2022

Thanks @Daniel Ebers
