
Are there any new Fisheye and Crucible releases planned to address the Log4j issue?

rajesh@csgi March 21, 2022


1 answer

1 accepted

2 votes
Answer accepted
Fabio Racobaldo _Herzum_
Community Leader
March 21, 2022

Hi rajesh@csgi,

If you are referring to CVE-2021-44228, Fecru is not affected. Please check the following article: https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

All Other Self-Managed Products

No other Atlassian self-managed products are vulnerable to CVE-2021-44228.

Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place: 

  • The JMS Appender is configured in the application's Log4j configuration

  • The javax.jms API is included in the application's CLASSPATH

  • The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime 

The following products use the Atlassian-maintained fork of Log4j 1.2.17:

  • Bamboo Server and Data Center (including Bamboo Agents)

  • Confluence Server and Data Center

  • Crowd Server and Data Center

  • Fisheye / Crucible

  • Jira Service Management Server and Data Center

  • Jira Software Server and Data Center (including Jira Core)


Hope this helps,

Fabio
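A defender-side check for the three non-default conditions listed in the advisory excerpt above, added here as an example that is not from the original thread or from Atlassian: it parses a Log4j 1.x properties file for a declared JMSAppender and its JNDI binding settings, and treats the javax.jms precondition as a jar-name heuristic over a caller-supplied classpath list. The property names are the real JMSAppender setters in log4j 1.2.x; the sample configs and jar paths are constructed.

```python
import re

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# JMSAppender settings that make log4j 1.2.x perform a JNDI lookup when activated
JNDI_PROPS = ("TopicBindingName", "TopicConnectionFactoryBindingName")

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def jms_appenders(props):
    """Map appender name -> its settings for every declared JMSAppender."""
    out = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER_CLASS:
            prefix = key + "."
            out[m.group(1)] = {k[len(prefix):]: v for k, v in props.items()
                               if k.startswith(prefix)}
    return out

def audit(config_text, classpath_jars):
    """One finding per JMSAppender, with the advisory's preconditions evaluated."""
    props = parse_properties(config_text)
    # Heuristic on jar file names only (assumption); a real check inspects jar contents.
    jms_api_present = any("jms" in j.rsplit("/", 1)[-1].lower() for j in classpath_jars)
    return [{"appender": name,
             "jndi_lookup": any(p in cfg for p in JNDI_PROPS),
             "jms_on_classpath": jms_api_present}
            for name, cfg in jms_appenders(props).items()]

def all_conditions_present(finding):
    """JMSAppender configured, JNDI lookup set, and javax.jms on the CLASSPATH."""
    return finding["jndi_lookup"] and finding["jms_on_classpath"]

# Constructed sample configs, not taken from any Atlassian product.
SAFE_CONFIG = """
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=app.log
"""
RISKY_CONFIG = SAFE_CONFIG + """
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for f in audit(RISKY_CONFIG, ["lib/log4j-1.2.17.jar", "lib/jms-1.1.jar"]):
        print(f, "ALL CONDITIONS PRESENT" if all_conditions_present(f) else "not met")
```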

rajesh@csgi March 21, 2022

Thanks Fabio,

Could you confirm the same regarding Bitbucket.

Fabio Racobaldo _Herzum_
Community Leader
March 21, 2022

You're welcome, rajesh@csgi.

Bitbucket is impacted, so you need to choose one of the proposed actions as defined in the linked article.

Roel Storms March 23, 2022

This blog does not address the Chainsaw vulnerability, which is present in Log4j 1.2.17, which Atlassian explains is used by Fisheye. "Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228."

This blog is also from December, which is before Chainsaw was published in January. Why is Atlassian not addressing the Chainsaw issue?

CVE-2022-23307: CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw wa (cvedetails.com)

Anusha Hegde
I'm New Here
June 19, 2023

@Fabio Racobaldo _Herzum_: Fisheye and Crucible ship the log4j-1.2.16.jar; is it vulnerable to CVE-2021-4104? Can you please clarify this or share any information you have related to it?
