Is Jira Software Data Center (on-prem) vulnerable to CVE-2019-17571?

jy February 20, 2022

Based on https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

The following products use the Atlassian-maintained fork of Log4j 1.2.17:

Jira Software and Data Center


How does it mitigate and resolve against this critical vulnerability, which affects log4j 1.2.17?


https://nvd.nist.gov/vuln/detail/CVE-2019-17571


Does Atlassian not intend to upgrade their log4j to 2.17.0 or 2.17.1?

1 answer

0 votes
Fabio Racobaldo _Herzum_
Community Leader
February 21, 2022

Hi @jy,

In order to mitigate that security issue you should disable JMSAppender as specified in the linked article.

Btw, Atlassian says that they forked log4j 1.2.17 (in 1.2.17-atlassian-3) in order to delete the affected code. Therefore, JIRA is not vulnerable to CVE-2019-17571.

Please take a look at the following issue: https://jira.atlassian.com/browse/JRASERVER-62838

Hope this helps,

Fabio
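For anyone who wants to verify the answer above on their own Data Center host rather than rely on the version string, here is an added check script. It is not Atlassian's code and not part of the original thread: it walks an install directory, finds log4j 1.x jars, and reports whether the jar is the Atlassian fork (version containing "atlassian", e.g. 1.2.17-atlassian-3 as named in the answer) and whether the JMSAppender class the answer says to disable, and the SocketServer class that the linked NVD entry for CVE-2019-17571 describes, are still inside the archive. The jar file names, the directory layout and the two sample jars built by `demo()` are constructed for this example; the class list is an assumption you should extend to match your own assessment.

```python
"""Scan a Jira / Confluence install for log4j 1.x jars and report whether the
classes of interest (JMSAppender, SocketServer) are still packaged.
Added example, not Atlassian's tooling; jar names and sample data are constructed."""
import os
import re
import sys
import tempfile
import zipfile
from typing import Dict, List, Optional

# Assumed list of classes to look for (extend as needed):
#  - JMSAppender: the appender the answer says should be disabled.
#  - SocketServer: the class the linked NVD entry for CVE-2019-17571 describes.
RISKY_CLASSES: List[str] = [
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
]

# Matches log4j-<version>.jar, e.g. log4j-1.2.17.jar or log4j-1.2.17-atlassian-3.jar
LOG4J_JAR_RE = re.compile(r"^log4j-(?P<version>\d[^/]*)\.jar$")


def jar_version(jar_name: str) -> Optional[str]:
    """Extract the version part of a log4j jar file name, or None if it is not one."""
    m = LOG4J_JAR_RE.match(os.path.basename(jar_name))
    return m.group("version") if m else None


def inspect_jar(path: str) -> Dict[str, object]:
    """Report version, fork status and which RISKY_CLASSES are packaged in the jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    version = jar_version(path)
    return {
        "jar": path,
        "version": version,
        "atlassian_fork": version is not None and "atlassian" in version,
        "present": [c for c in RISKY_CLASSES if c in names],
    }


def scan(root: str) -> List[Dict[str, object]]:
    """Walk an install directory and inspect every log4j 1.x jar found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if LOG4J_JAR_RE.match(f):
                results.append(inspect_jar(os.path.join(dirpath, f)))
    return results


def build_sample_jar(path: str, classes: List[str]) -> None:
    """Write a constructed fake jar containing placeholder entries for the given classes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for c in classes:
            zf.writestr(c, b"\xca\xfe\xba\xbe")  # class-file magic only; not real bytecode


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed sample: a stock 1.2.17 jar beside a fork-named jar with the classes removed.
    Returns results keyed by jar file name."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    build_sample_jar(os.path.join(lib, "log4j-1.2.17.jar"), RISKY_CLASSES)
    build_sample_jar(os.path.join(lib, "log4j-1.2.17-atlassian-3.jar"),
                     ["org/apache/log4j/Logger.class"])
    return {os.path.basename(r["jar"]): r for r in scan(root)}


if __name__ == "__main__":
    # Usage: python log4j_scan.py /opt/atlassian/jira   (no argument runs the demo)
    found = scan(sys.argv[1]) if len(sys.argv) > 1 else list(demo().values())
    for r in found:
        status = "OK" if r["atlassian_fork"] and not r["present"] else "REVIEW"
        print(f"{status}: {r['jar']} version={r['version']} classes={r['present']}")
```

A jar that reports the fork version but still contains either class, or a stock 1.2.17 jar left behind by a plugin, is what you would want to raise with Atlassian support or the plugin vendor; the version string alone does not prove the class was removed.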
