
Log4j 2 now live for Jira Software and Jira Service Management Server and Data Center

Hi there, my name is Andrzej Kotas and I am part of Jira’s product team. As we develop Jira, security is always top of mind and Atlassian remains committed to delivering secure, reliable software solutions to enable you to focus on meeting your core business goals. This is why I am pleased to share an update to our fork of Log4j.

As many of you may recall, the critical Log4Shell vulnerability (CVSS 10.0) struck the IT industry in December of 2021. While Log4j 1 has reached end of life and is no longer maintained by the Apache Software Foundation, Jira Server and Data Center still rely heavily on the library.

As a solution, we created our own fork of Log4j 1, atlassian/log4j1, aiming to resolve security vulnerabilities as they appear and provide the best possible performance while maintaining backward compatibility with the original library. Our in-house maintained branch of Log4j 1 is not vulnerable to Log4Shell.

However, this vulnerability amplified the need for the 2.x update across the industry, including Jira. To take the extra step of ensuring continued compliance, we announced in August that we would upgrade Log4j to >= 2.17.2 within an expedited timeframe. Knowing this would be a breaking change, we wanted to make sure we mitigated the impact on the Ecosystem.

Today that update is live with the release of Jira Software 9.5 and Jira Service Management 5.5.

What are my options?

Customers wanting to remove atlassian/log4j1 from their surface may now do so with the 9.5 / 5.5 upgrade. Download Jira Software 9.5 or Jira Service Management 5.5. Please note these upgrades include breaking changes.

Customers who do not wish to upgrade to Log4j 2 at this time may remain on their supported version. The next Jira LTS (planned for later in 2023) will include the Log4J 2 upgrade.

Should you require more details about the technical aspects of the change, or need to upgrade your plugin, application, or in-house solution, please make sure to consult

Wait, there is more

The Jira 9.5 / JSM 5.5 release is not only a Log4j upgrade; we’re happy to present

For more details on this release please follow the &

 

Thank you for being part of the Data Center community and please share any questions in the comments below.

1 comment

Taranjeet Singh
Community Leader
December 8, 2022

@Andrzej Kotas Thank you for sharing the information about this important upgrade of the Log4j library for Jira Software and Jira Service Management Server and Data Center products.
