Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Is log4j2-stacktrace-origins-2.2-atlassian-2.jar vulnerable to CVE-2021-44228?

Is the only jar file:

\Atlassian\JIRA\atlassian-jira\WEB-INF\lib\log4j2-stacktrace-origins-2.2-atlassian-2.jar

that CVE-2021-44228 refers as affected version.

3 answers

1 accepted

4 votes
Answer accepted
Daniel Eads Atlassian Team Dec 10, 2021

Hi @Ramiro Encinas ,

Daniel from Atlassian Support here. I'd just like to provide you with this preliminary FAQ related to the log4j zero-day. Our Security team is currently investigating the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and determining any possible impacts. In the meantime, hopefully this FAQ will help address some initial questions you may have.

Thanks,
Daniel Eads | Atlassian Support

Hi @Daniel Eads ,

I read the FAQ for CVE-2021-44228, thanks.

I have checked the log4j2-stacktrace-origins-2.2-atlassian-2.jar.
I checked the mvnrepository and found that the log4j2-stacktrace-origins package has only version 2.2-atlassian-2 available in Atlassian.

https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j2-stacktrace-origins 

Looking at the Bitbucket repository, which seems to be the source code of the package, this code is described as the code that cut out the stack trace part from log4j 2.x.
Therefore, this log4j2-stacktrace-origins-2.2-atlassian-2.jar is considered to be a copy of the code from a place unrelated to this vulnerability, so we thought there was no vulnerability issue.

Would you please give us your opinion?

Thanks,

Like Todd Ward likes this

Our security team told us that for those who have a java application with these modules:

log4j-api-2.10.0.jar to log4j-api-2.14.x.jar
log4j-core-2.10.0.jar to log4j-core-2.14.x.jar

and that cannot be upgraded to latest log4j fixed version,  they can mitigate the vulnerability by adding this to their application's java parameters: 

-Dlog4j2.formatMsgNoLookups=true

 

Can someone from Atlassian confirm this?

0 votes

Hi all,

Daniel with Atlassian Support here to let you know our security team has finished its investigation. We have an official response statement here on Community, which you can access at this link.

More information can be found on our advisory page, as well as the previously-published FAQ:

Thanks,
Daniel Eads | Atlassian Support

Hi Daniel,

I have checked all the provided links, but there is no answer according to the question.
On our Jira and Conf (besides the log4j-1.2.17-atlassian-3.jar) server we also have log4j2-stacktrace-origins-2.2-atlassian-2.jar:

  • <jira-install-dir>/atlassian-jira/WEB-INF/lib/log4j2-stacktrace-origins-2.2-atlassian-2.jar
  • <conf-install-dir>atlassian/confluence/confluence/WEB-INF/lib/log4j2-stacktrace-origins-2.2-atlassian-2.jar

Is this a vulnerability problem?

Thanks,
Ales

Like # people like this
Daniel Eads Atlassian Team Dec 21, 2021

Regarding log4j2-stacktrace-origins-2.2-atlassian-2.jar - this library is a highly cut down version of log4j 2.x that has just the stacktrace packaging code and nothing else. This results in the requirements for the vulnerability not being met.

If you wish to verify this on your own, you can expand the .jar and check for the presence of JndiLookup.class (it's not in this file). Apache's advisory mentions this in its mitigation section.

Like # people like this

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Apps & Integrations

Send an Email or Publish to Confluence - What should you do with your release notes?

Background When you hear the words ‘Release notes’, almost always you think of an unsolicited email from a software vendor. But I am here to tell you that from our data, sending release notes via E...

90 views 0 1
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you