Log4j Vulnerability CVE-2021-45046

Jayachandran Palanisamy December 15, 2021

Team,

Do you have any update regarding this vulnerability?
https://nvd.nist.gov/vuln/detail/CVE-2021-45046

I'm not able to see any updates regarding that in this KB, since it's relevant to CVE-2021-44228
https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

/Jay


6 answers

1 vote
Daniel Ebers
Rising Star
July 31, 2022

Please also review https://jira.atlassian.com/browse/JRASERVER-62838 where you can see the progress of a version 2 implementation for Log4j within Atlassian products.
As of today, version 2 is not available but a special patched version of Log4j is used with Jira, for example.

1 vote
Daniel Eads
Atlassian Team
December 15, 2021

Hi all,

Daniel from Atlassian Support - I'd like to let you know that we have updated the advisory to include more information about Bitbucket Server, Bitbucket Data Center, and the bundled elasticsearch product. Please refer to the advisory for the most current guidance:

Thanks,
Daniel Eads | Atlassian Support 

1 vote
Chihara
Rising Star
December 15, 2021

There are 2 log4j-core-2.x libraries in Bitbucket 7.18. One is app/WEB-INF/lib/log4j-core-2.14.1.jar and the other is elasticseach/lib/log4j-core-2.11.1.jar, and JNDILookup.class is in them.

Does anyone know whether Bitbucket is affected by CVE-2021-45046 or not?
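The jar inventory described in the post above can be repeated with a short script. This is an added example, not part of the thread or of Atlassian's tooling: it walks a directory and reports each log4j-core 2.x jar, including jars nested inside WAR/EAR files (which goes beyond the two paths named in the post), with the version taken from the file name and whether the JndiLookup class is present. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import io, pathlib, re, tempfile, zipfile

# Lowercased entry name of the class in log4j-core 2.x; matching is case-insensitive.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/jndilookup.class"
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$", re.I)
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(data, label, findings):
    """Record log4j-core jars in one archive, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # unreadable archive: skip it rather than abort the scan
    with zf:
        has_jndi = any(n.lower() == JNDI_ENTRY for n in zf.namelist())
        m = CORE_JAR.search(label)
        if m or has_jndi:
            findings.append((label, m.group(1) if m else None, has_jndi))
        for n in zf.namelist():
            if n.lower().endswith(ARCHIVES):
                scan_archive(zf.read(n), label + "!/" + n, findings)

def scan_tree(root):
    """Return sorted (path, version_from_filename, has_JndiLookup) tuples."""
    findings = []
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            scan_archive(p.read_bytes(), p.relative_to(root).as_posix(), findings)
    return sorted(findings)

def make_jar(entries):
    """Build a constructed in-memory archive from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo():
    """Scan a constructed tree: stock jar, stripped jar, jar nested in a WAR."""
    stock = make_jar({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b"x"})
    tree = {"log4j-core-2.14.1.jar": stock,
            "log4j-core-2.11.1.jar": make_jar({"META-INF/MANIFEST.MF": b"x"}),
            "app.war": make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": stock})}
    with tempfile.TemporaryDirectory() as root:
        for name, data in tree.items():
            pathlib.Path(root, name).write_bytes(data)
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `scan_tree()` at an installation directory to get the same list for a real deployment. A copy of the class relocated under a different package path (a shaded jar) would not match the entry name checked here, and presence of the class only identifies which copies to compare against the vendor advisory.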

0 votes
Brendan St-Martin
I'm New Here
December 15, 2021

Based on the previous responses that on-prem versions of Jira/Confluence/etc. use a forked version of log4j1, they should be clear of CVE-2021-45046 also, as per the Apache Log4j security page: "Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability."

0 votes
Kishan Sharma
Community Leader
December 15, 2021
0 votes
Mikael Sandberg
Community Leader
December 15, 2021