Hi there, my name is Andrzej Kotas and I am part of Jira’s product team. As we develop Jira, security is always top of mind and Atlassian remains committed to delivering secure, reliable software solutions to enable you to focus on meeting your core business goals. This is why I am pleased to share an update to our fork of Log4j.
As many of you may recall, the critical Log4Shell vulnerability (CVSS 10.0) struck the IT industry in December of 2021. While Log4j 1 has reached end of life and is no longer maintained by the Apache Software Foundation, Jira Server and Data Center still rely heavily on the library.
As a solution, we created our own fork of Log4j 1, atlassian/log4j1, aiming to resolve security vulnerabilities as they appear and provide the best possible performance while maintaining backward compatibility with the original library. Our in-house maintained branch of Log4j 1 is not vulnerable to Log4Shell.
However, this vulnerability amplified the need for the 2.x update across the industry, including Jira. To take the extra step to ensure continued compliance, we announced in August that we would upgrade Log4j to >= 2.17.2 within an expedited timeframe. Knowing this would be a breaking change, we wanted to make sure to mitigate the impact on the Ecosystem.
Today that update is live with the release of Jira Software 9.5 and Jira Service Management 5.5.
Customers wanting to remove atlassian/log4j1 from their surface may now do so with the 9.5 / 5.5 upgrade. Download Jira Software 9.5 or Jira Service Management 5.5. Please note these upgrades include breaking changes.
Customers who do not wish to upgrade to Log4j 2 at this time may remain on their supported version. The next Jira LTS (planned for later in 2023) will include the Log4j 2 upgrade.
Should you require more details about the technical aspects of the change, or need to upgrade your plugin, application, or in-house solution, please make sure to consult:
Logging and profiling | Administering Jira applications Data Center and Server
Important directories and files | Administering Jira applications Data Center and Server
The Jira 9.5 / JSM 5.5 release is not only a Log4j upgrade, we’re happy to present
For more details on this release, please follow the Jira Software 9.5.x release notes and Jira Service Management 5.5.x release notes.
Thank you for being part of the Data Center community and please share any questions in the comments below.
Andrzej Kotas
Product Manager - Jira Software Data Center
Atlassian
Warsaw