Hi rajesh@csgi ,
if you are referring to CVE-2021-44228, Fecru is not affected. Please check the following article: https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html
No other Atlassian self-managed products are vulnerable to CVE-2021-44228.
Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:
The JMS Appender is configured in the application's Log4j configuration
The javax.jms API is included in the application's CLASSPATH
The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime
The following products use the Atlassian-maintained fork of Log4j 1.2.17:
Bamboo Server and Data Center (including Bamboo Agents)
Confluence Server and Data Center
Crowd Server and Data Center
Fisheye / Crucible
Jira Service Management Server and Data Center
Jira Software Server and Data Center (including Jira Core)
Hope this helps,
Fabio
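The three non-default conditions quoted above are all things an administrator can verify in the application's own Log4j 1.x configuration. The following is an added example (not Fabio's code and not an Atlassian tool) that parses a log4j.properties file and reports any appender of class org.apache.log4j.net.JMSAppender together with the JNDI-related properties set on it; the sample configuration is constructed for illustration, and the broker hostname in it is a placeholder.

```python
# Added example: flag the non-default Log4j 1.x configuration that
# CVE-2021-4104 requires (a JMSAppender wired up with JNDI settings).
# The sample configuration below is constructed for illustration.
import re

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# Log4j 1.x JMSAppender properties that drive the JNDI lookup
JNDI_PROPS = ("InitialContextFactoryName", "ProviderURL",
              "TopicBindingName", "TopicConnectionFactoryBindingName")

def parse_log4j_properties(text):
    """Return {key: value} for a log4j.properties file, ignoring comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def find_jms_appenders(props):
    """List each appender of class JMSAppender with its JNDI-related settings."""
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER_CLASS:
            name = m.group(1)
            jndi = {p: props.get(f"log4j.appender.{name}.{p}") for p in JNDI_PROPS}
            findings.append({"appender": name,
                             "jndi": {k: v for k, v in jndi.items() if v}})
    return findings

SAMPLE_CONFIG = """\
# constructed sample: a default-looking file appender plus a JMSAppender
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=atlassian.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.invalid:61616
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

if __name__ == "__main__":
    for f in find_jms_appenders(parse_log4j_properties(SAMPLE_CONFIG)):
        print(f"JMSAppender '{f['appender']}' has JNDI settings: {f['jndi']}")
```

A file with no JMSAppender entry yields no findings, which matches the advisory's default (unaffected) configuration; the remaining condition, javax.jms on the CLASSPATH, has to be checked against the deployed jars separately.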
you're welcome rajesh@csgi .
Bitbucket is impacted so you need to choose one of the proposed actions as defined in the linked article.
This blog does not address the chainsaw vulnerability which is present in Log4j 1.2.17, which Atlassian explains is used by Fisheye. "Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228."
This blog is also from December. That is before chainsaw was published in January. Why is Atlassian not addressing the Chainsaw issue?
@Fabio Racobaldo _Herzum_ : Fisheye and Crucible ship the log4j-1.2.16.jar; are they vulnerable to CVE-2021-4104? Can you please clarify this, or share any information you have related to it?