Bear with me here,
This article outlines the following summary:
- No Atlassian on-premises products are vulnerable to CVE-2021-44228.
- Some on-premises products utilise a Atlassian-maintained fork of Log4j 1.2.17, which while not vulnerable to CVE-2021-44228, is vulnerable to a new but similar vulnerability that can be exploited when a trusted party is present and the JMS Appender is enabled in configuration (non-default).
- Two similar vulnerabilities discovered in non-default configurations of Log4j are:
- 2.0-beta9 to 2.15.0 (inclusive) are affected by CVE-2021-45046
- 2.0-alpha1 through 2.16.0 (excluding 2.12.3) are affected by CVE-2021-45105
- Neither of these vulnerability applies to Atlassian's Log4j 1.x maintained fork as outlined in this FAQ page.
Now, regardless of the above summary, Atlassian go on to say:
"Regardless of whether the vulnerable configuration is in use, Atlassian will be addressing CVE-2021-45046 and CVE-2021-45105 by upgrading to log4j 2.17.0 (or greater) in line with the timeframes detailed in the Atlassian Security Bugfix Policy."
Atlassian do not go on to mention within the article itself what category these two vulnerabilities fall under (Critical, High, Medium or Low), however, we know the following!
The record date of CVE-2021-45046 was 14th Dec 2021 and has a base score of 9.0. Categorising this as Critical by Atlassian's Bugfix Policy.
The record date of CVE-2021-45105 was 16th Dec 2021 and has a base score of 5.9. Categorising this as Medium by Atlassian's Bugfix Policy.
Meaning, both CVE's "should be patched within 90 days of being reported".
This lands on the March 14th and 16th, 2022 as the date Confluence devs should have upgraded server distro's that include "Log4j 2.17.0 (or later)". Around 3 weeks after this Post! They have some time, granted!
Am I wrong in all of the above thoughts and findings?
