How to resolve log4j-1.2.17-atlassian-15.jar file on Confluence Server

I have a log4j file, log4j-1.2.17-atlassian-15.jar, that is failing a security scan. How do I remediate this?

2 answers

1 accepted

1 vote
Answer accepted

Hi @Stephen_Peprah 
I hope you are well.

Your security scan is certainly reporting that package as vulnerable because of CVE-2021-44228.

However, as stated in the FAQ for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, your environment may not be vulnerable to it:

Is my on-premises Server/Data Center instance affected?

Our Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and have determined that no Atlassian on-premises products are vulnerable to CVE-2021-44228.

Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place: 

  • The JMS Appender is configured in the application's Log4j configuration
  • The javax.jms API is included in the application's CLASSPATH (e.g. for Jira the <install>/WEB-INF/lib sub-directory)
  • The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime 

The following products use the Atlassian-maintained fork of Log4j 1.2.17:

  • Bamboo Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Fisheye / Crucible
  • Jira Server and Data Center

You can check if you are vulnerable by inspecting the Log4j configuration file. If you find a line containing the org.apache.log4j.net.JMSAppender, you may be vulnerable. If you do not find a line containing the org.apache.log4j.net.JMSAppender, you do not have this specific vulnerable configuration.

If you don't have the exact configuration detailed above, then you won't be vulnerable and you can discuss with your security team to have an exception flagged for your Confluence instance.

I hope that helps.

Kind regards,
Thiago Masutti
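
The check described in the answer above, inspecting the Log4j configuration for org.apache.log4j.net.JMSAppender and for the TopicBindingName / TopicConnectionFactoryBindingName settings that make up its JNDI lookup, written out as an added example. This is not Atlassian's code and not from the original post. The sample log4j.properties, log4j.xml and the in-memory jar are constructed here; the appender name `jms`, the broker host and the ActiveMQ factory class in the sample are assumptions for illustration. The jar check mirrors what jar scanners report as "JMSAppender CLASS FOUND", to separate "the class is shipped" from "the appender is configured", which is the condition the FAQ actually describes.

```python
"""Audit Log4j 1.x files for the JMSAppender exposure (CVE-2021-4104).
Scanners report whether a jar still *ships* org.apache.log4j.net.JMSAppender;
Atlassian's FAQ makes exposure depend on whether one is *configured*, with JNDI
binding names. The helpers below answer both from file contents, offline.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
JMS_CLASS_ENTRY = "org/apache/log4j/net/JMSAppender.class"
JNDI_BINDING_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
_APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)")  # NAME=class
_PROP_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\.([^=\s]+)\s*=\s*(.*?)\s*$")  # NAME.Prop=value

NO_JMS = "no JMSAppender configured"
JMS_NO_JNDI = "JMSAppender configured without both JNDI binding names"
JMS_WITH_JNDI = "JMSAppender configured with JNDI binding names (the FAQ's exposed configuration)"

def find_jms_appenders_properties(text: str) -> dict:
    """{appender_name: {property: value}} for each JMSAppender in a log4j.properties."""
    classes, props = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = _APPENDER_RE.match(line)
        if m:
            classes[m.group(1)] = m.group(2)
            continue
        m = _PROP_RE.match(line)
        if m:
            props.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {n: props.get(n, {}) for n, c in classes.items() if c == JMS_APPENDER_CLASS}

def find_jms_appenders_xml(text: str) -> dict:
    """Same result for a log4j.xml: <appender class=...> with <param name= value=/> children."""
    root = ET.fromstring(text)
    return {a.get("name"): {p.get("name"): p.get("value") for p in a.findall("param")}
            for a in root.iter("appender") if a.get("class") == JMS_APPENDER_CLASS}

def classify(jms_appenders: dict) -> str:
    """Map parsed appenders onto the configuration condition in Atlassian's FAQ."""
    if not jms_appenders:
        return NO_JMS
    if any(all(k in p for k in JNDI_BINDING_KEYS) for p in jms_appenders.values()):
        return JMS_WITH_JNDI
    return JMS_NO_JNDI

def jar_ships_jms_appender(jar_bytes: bytes) -> bool:
    """The jar-level test a scanner performs; True for an unmodified log4j 1.2.x jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JMS_CLASS_ENTRY in zf.namelist()

# Constructed samples: not real Confluence files; appender name, broker host and
# factory class are assumptions for illustration.
SAFE_PROPERTIES = """\
log4j.rootLogger=WARN, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern=%d %-5p [%c] %m%n
"""
JMS_PROPERTIES = SAFE_PROPERTIES + """\
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.test:61616
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=logTopic
"""
JMS_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
  </appender>
  <root><level value="WARN"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

def constructed_jar(with_jms_appender: bool) -> bytes:
    """In-memory jar; the class entry holds placeholder bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jms_appender:
            zf.writestr(JMS_CLASS_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    print("safe:", classify(find_jms_appenders_properties(SAFE_PROPERTIES)))
    print("jms :", classify(find_jms_appenders_properties(JMS_PROPERTIES)))
    print("xml :", classify(find_jms_appenders_xml(JMS_XML)))
    print("jar ships JMSAppender class:", jar_ships_jms_appender(constructed_jar(True)))
```

On a real server, feed the contents of the instance's own log4j.properties (or log4j.xml) to the matching `find_jms_appenders_*` function and the bytes of the flagged jar to `jar_ships_jms_appender`. A result of `NO_JMS` next to `True` from the jar check is exactly the situation the FAQ describes: the scanner is keying on the shipped class, while the configuration it cares about is absent.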


May I ask how to solve this problem?


Apache Log4j 1.2 Remote Code Execution Vulnerability

QID: 376187
Category: Local
Associated CVEs: CVE-2021-4104
Vendor Reference: CVE-2021-4104
Bugtraq ID: -
Service Modified: 04/13/2022
User Modified: -
Edited: No
PCI Vuln: Yes


THREAT:
Apache Log4j is a Java-based logging utility. It is part of the Apache Logging Services, a project of the Apache Software Foundation.
The JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI
requests that result in remote code execution in a similar fashion to CVE-2021-44228.
Affected versions:
Log4j version 1.2
QID Detection: (Authenticated) - Linux
This detection is based on querying the OS package managers on the target. If the target has a log4j package with a version in 1.2, the target is flagged as potentially vulnerable.

QID Detection: (Authenticated) - Windows
On Windows system, the QID identifies vulnerable instance of log4j via WMI to check log4j included in the running processes via command-line.


IMPACT:
Successful exploitation of this vulnerability could lead to remote code execution (RCE) on the target.


SOLUTION:
Customers are advised to upgrade their Log4j to the version in 2.16. If updating the version is not possible, please refer to the mitigations mentioned here: Log4j (https://logging.apache.org/log4j/2.x/security.html).
Workaround: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.2 configurations without JMSAppender are not impacted by this vulnerability.
Log4j 1.x does not have Lookups, so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their
configuration.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Log4j 1.2 (https://logging.apache.org/log4j/2.x/security.html#)


COMPLIANCE:
Not Applicable


EXPLOITABILITY:
There is no exploitability information for this vulnerability.


ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:

PATH: /home/ubuntu/confluence/confluence/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
VERSION: 1.2.17-atlassian-3
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /home/ubuntu/confluence

PATH: /home/ubuntu/downloads/jira.bak/lib/log4j-1.2.17-atlassian-2.jar
VERSION: 1.2.17-atlassian-2
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /home/ubuntu/downloads

PATH: /opt/atlassian/jira/lib/log4j-1.2.17-atlassian-3.jar
VERSION: 1.2.17-atlassian-3
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /opt/atlassian/jira

PATH: /opt/atlassian/confluence/confluence/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
VERSION: 1.2.17-atlassian-3
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /opt/atlassian/confluence

PATH: /home/ubuntu/2021_11_10-confluence-7.6.2-back/confluence/confluence/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
VERSION: 1.2.17-atlassian-3
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /home/ubuntu/2021_11_10-confluence-7.6.2-back

Please could you read Thiago's answer - it tells you what to do to prevent this being a security problem.

0 votes

Welcome to the Atlassian Community!

You'll need to upgrade to a later version of Confluence.

Both Jira and Confluence have been upgraded to the latest version, but the log4j problem has not been resolved. What should I do? Can I upgrade log4j myself?

You've asked this as a question elsewhere, that's a better place to get an answer.
