
Atlassian Jira Project Management Software (v8.0.2#800010-sha1:15b32da) - Apache Log4j vulnerability

Hi all,

We are using Atlassian Jira Project Management Software v8.0.2. I would like to know whether there's any threat from the Apache Log4j vulnerability?

Regards,

Lukasz

2 answers

1 vote

Hey @Lukasz Dabrowka 

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html has a summary that includes:

Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:

  • The JMS Appender is configured in the application's Log4j configuration

  • The javax.jms API is included in the application's CLASSPATH

  • The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime

The following products use the Atlassian-maintained fork of Log4j 1.2.17:

  • Bamboo Server and Data Center (including Bamboo Agents)

  • Confluence Server and Data Center

  • Crowd Server and Data Center

  • Fisheye / Crucible

  • Jira Service Management Server and Data Center

  • Jira Software Server and Data Center (including Jira Core)

So, unless you've got a modified log4j config, you should be safe. With something this critical though, I'd suggest doing further analysis of your own to verify.

CCM

How would we know if we are using non-default configurations, bearing in mind we did not configure this?

Best regards,

Lukasz

How do we determine if this is true or false?

"The javax.jms API is included in the application's CLASSPATH"

@Craig Castle-Mead

Thank you first of all for your intervention, but exactly what command to run on Linux or what file to look at to understand if you are vulnerable or not? I'm reading dozens of posts that seem like horoscopes, each one says a different thing.
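As an added example (not part of this thread and not Atlassian's own tooling), the following POSIX shell script turns the three preconditions quoted from the advisory into checks you can run on a Linux Jira Server/Data Center host. It assumes the standard Jira install layout: the Log4j 1.x configuration at `<install>/atlassian-jira/WEB-INF/classes/log4j.properties`, web-app jars under `<install>/atlassian-jira/WEB-INF/lib` and Tomcat's jars under `<install>/lib`. The property names it greps for (`ProviderURL`, `InitialContextFactoryName`, `TopicBindingName`, `TopicConnectionFactoryBindingName`) are the JNDI settings Log4j 1.x's `JMSAppender` accepts; the jar-name patterns are a heuristic, so the script also inspects jar contents for `javax/jms/` when `unzip` is installed.

```shell
#!/bin/sh
# check_jira_log4j_jms.sh (added example, not Atlassian's tooling)
# Checks the three non-default preconditions Atlassian's advisory lists for
# CVE-2021-4104 against a Jira Server/Data Center install directory.
# Assumed (standard) Jira layout:
#   <install>/atlassian-jira/WEB-INF/classes/log4j.properties  (Log4j 1.x config)
#   <install>/atlassian-jira/WEB-INF/lib and <install>/lib      (classpath jars)

# Condition 1: an active (uncommented) JMSAppender in the Log4j properties.
# Lines starting with '#' are comments and therefore do not count.
log4j_has_jms_appender() {
  conf="$1"
  [ -f "$conf" ] || return 1
  grep -Eiq '^[[:space:]]*log4j\.appender\.[^=#]+=[[:space:]]*org\.apache\.log4j\.net\.JMSAppender' "$conf"
}

# Condition 3: the JMSAppender has been pointed at a JNDI provider.
# Log4j 1.x JMSAppender takes these through the properties named below.
log4j_jms_has_jndi_settings() {
  conf="$1"
  [ -f "$conf" ] || return 1
  grep -Eiq '^[[:space:]]*log4j\.appender\.[^=#]+\.(ProviderURL|InitialContextFactoryName|TopicBindingName|TopicConnectionFactoryBindingName)[[:space:]]*=' "$conf"
}

# Condition 2: a jar providing the javax.jms API in any classpath directory.
# File-name heuristic first, then (when unzip exists) the jar's entry list.
classpath_has_javax_jms() {
  for libdir in "$@"; do
    [ -d "$libdir" ] || continue
    for jar in "$libdir"/*.jar; do
      [ -f "$jar" ] || continue
      case "$(basename "$jar")" in
        *javax.jms*|*jms-api*|*geronimo-jms*|jms*.jar) return 0 ;;
      esac
      if command -v unzip >/dev/null 2>&1 \
         && unzip -l "$jar" 2>/dev/null | grep -q 'javax/jms/'; then
        return 0
      fi
    done
  done
  return 1
}

# Summarise all three conditions for one install directory.
# Prints one line per condition; the return value is the number of
# conditions present (0 = none of the advisory's preconditions apply).
assess_jira_log4j_jms() {
  install="$1"
  conf="$install/atlassian-jira/WEB-INF/classes/log4j.properties"
  found=0
  if log4j_has_jms_appender "$conf"; then
    echo "FOUND  active JMSAppender in $conf"; found=$((found + 1))
  else
    echo "ok     no active JMSAppender in $conf"
  fi
  if classpath_has_javax_jms "$install/atlassian-jira/WEB-INF/lib" "$install/lib"; then
    echo "FOUND  javax.jms API jar on the classpath"; found=$((found + 1))
  else
    echo "ok     no javax.jms API jar on the classpath"
  fi
  if log4j_jms_has_jndi_settings "$conf"; then
    echo "FOUND  JMSAppender JNDI settings in $conf"; found=$((found + 1))
  else
    echo "ok     no JMSAppender JNDI settings in $conf"
  fi
  return $found
}

# Usage: sh check_jira_log4j_jms.sh /opt/atlassian/jira   (path is an example)
if [ "$#" -gt 0 ]; then
  assess_jira_log4j_jms "$1"
fi
```

Run it against the Jira installation directory (not the Jira home directory); an exit status of 0 with three `ok` lines means none of the advisory's preconditions are present on that host. Because the advisory's third condition can also be set by code at runtime, a clean properties file is strong but not absolute evidence, so the result is best read together with the advisory's own guidance and the vendor's patched releases.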
