
When is Confluence Servers Log4j version being upgraded to Log4J 2.17.0 (or later)?


Bear with me here,

This article outlines the following summary:

  • No Atlassian on-premises products are vulnerable to CVE-2021-44228.
  • Some on-premises products utilise an Atlassian-maintained fork of Log4j 1.2.17, which, while not vulnerable to CVE-2021-44228, is vulnerable to a new but similar vulnerability that can be exploited when a trusted party is present and the JMS Appender is enabled in configuration (non-default).
  • Two similar vulnerabilities discovered in non-default configurations of Log4j are:
    • 2.0-beta9 to 2.15.0 (inclusive) are affected by CVE-2021-45046
    • 2.0-alpha1 through 2.16.0 (excluding 2.12.3) are affected by CVE-2021-45105
    • Neither of these vulnerabilities applies to Atlassian's Log4j 1.x maintained fork, as outlined in this FAQ page.

Now, regardless of the above summary, Atlassian go on to say:

"Regardless of whether the vulnerable configuration is in use, Atlassian will be addressing CVE-2021-45046 and CVE-2021-45105 by upgrading to log4j 2.17.0 (or greater) in line with the timeframes detailed in the Atlassian Security Bugfix Policy."

Atlassian do not go on to mention within the article itself what category these two vulnerabilities fall under (Critical, High, Medium or Low); however, we know the following!

The record date of CVE-2021-45046 was 14th Dec 2021 and it has a base score of 9.0, categorising it as Critical by Atlassian's Bugfix Policy.

The record date of CVE-2021-45105 was 16th Dec 2021 and it has a base score of 5.9, categorising it as Medium by Atlassian's Bugfix Policy.

Meaning, both CVEs "should be patched within 90 days of being reported".

This lands on March 14th and 16th, 2022 as the dates by which Confluence devs should have upgraded server distros to include "Log4j 2.17.0 (or later)". Around 3 weeks after this post! They have some time, granted!

Am I wrong in all of the above thoughts and findings?
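For anyone auditing their own Confluence Server or Data Center host against the summary above, the following is an added example (not code from the post, Atlassian or Apache) that does two things: it classifies a log4j-core version string against the Log4j 2 ranges as the post states them, and it checks a Log4j 1.x `log4j.properties` for the non-default JMSAppender configuration the post says is the precondition for the 1.x fork issue. The version ranges and the 2.12.3 exclusion come from the post; the extra 2.12.2 and 2.12.3 exclusions for CVE-2021-45046 are the Apache security-fix backports and are not on the page, so refresh the table from the Apache advisory before relying on it. The sample properties text is constructed for the example.

```python
"""Added example: Log4j 2 version classification and Log4j 1.x JMSAppender check.

Not Atlassian's or Apache's code. Ranges follow the post; verify against the
Apache Log4j security page before relying on them.
"""
import re

# Affected ranges as stated in the post. The 2.12.2 / 2.12.3 exclusions for
# CVE-2021-45046 are Apache backport fix releases (not listed in the post).
RANGES = {
    "CVE-2021-45046": {"low": "2.0-beta9", "high": "2.15.0",
                       "excluded": {"2.12.2", "2.12.3"}},
    "CVE-2021-45105": {"low": "2.0-alpha1", "high": "2.16.0",
                       "excluded": {"2.12.3"}},
}

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$")


def parse_version(text):
    """Turn '2.0-beta9' / '2.15.0' into a sortable tuple.

    A final release sorts after any alpha/beta/rc of the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = _PRE_RANK[pre] if pre else 3
    return (int(major), int(minor), int(patch or 0), pre_rank, int(pre_num or 0))


def affected_cves(version):
    """Return the CVEs (from RANGES) whose range contains this log4j-core version."""
    key = parse_version(version)
    hits = []
    for cve, r in RANGES.items():
        if version.strip() in r["excluded"]:
            continue
        if parse_version(r["low"]) <= key <= parse_version(r["high"]):
            hits.append(cve)
    return hits


# Log4j 1.x properties: only top-level appender declarations, not their sub-keys.
_APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([\w-]+)\s*=\s*(\S+)\s*$")
_LOGGER_RE = re.compile(r"^\s*log4j\.(?:rootLogger|logger\.[\w.]+)\s*=\s*(.*)$")


def jms_appenders(properties_text):
    """Names of appenders declared with a JMSAppender class (non-default)."""
    found = []
    for line in properties_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _APPENDER_RE.match(line)
        if m and m.group(2).endswith("JMSAppender"):
            found.append(m.group(1))
    return found


def jms_appender_in_use(properties_text):
    """True only if a JMSAppender is declared AND attached to the root or a named logger."""
    jms = set(jms_appenders(properties_text))
    if not jms:
        return False
    for line in properties_text.splitlines():
        m = _LOGGER_RE.match(line)
        if m:
            # Logger value is "LEVEL, appender1, appender2, ..."; skip the level.
            refs = {p.strip() for p in m.group(1).split(",")[1:]}
            if refs & jms:
                return True
    return False


# Constructed sample, not Confluence's shipped log4j.properties.
SAMPLE_LOG4J_PROPERTIES = """\
# constructed sample configuration
log4j.rootLogger=WARN, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for v in ("2.0-beta9", "2.12.3", "2.15.0", "2.16.0", "2.17.0"):
        print(f"log4j-core {v}: {affected_cves(v) or 'not in a listed range'}")
    print("JMSAppender declared:", jms_appenders(SAMPLE_LOG4J_PROPERTIES))
    print("JMSAppender wired to a logger:", jms_appender_in_use(SAMPLE_LOG4J_PROPERTIES))
```

Run it against the version reported by the `log4j-core-*.jar` under the Confluence install and against the instance's real `log4j.properties`; a declared JMSAppender that no logger references is still worth removing, but the second check separates "present in the file" from "actually active".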

1 comment

Daniel Ebers Community Leader Aug 18, 2022

Hi @Samuel Leung

Reviewing https://jira.atlassian.com/browse/CONFSERVER-59742, I seem to understand log4j (v2) will be included in version 8 (at least according to the fixVersion of the issue).

Regards,
Daniel
