We are using Atlassian Jira Project Management Software v8.0.2. I would like to know whether there's any threat of the Apache Log4j vulnerability?
Hey @Lukasz Dabrowka
Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:
The JMS Appender is configured in the application's Log4j configuration
javax.jms API is included in the application's
The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime.
The following products use the Atlassian-maintained fork of Log4j 1.2.17:
Bamboo Server and Data Center (including Bamboo Agents)
Confluence Server and Data Center
Crowd Server and Data Center
Fisheye / Crucible
Jira Service Management Server and Data Center
Jira Software Server and Data Center (including Jira Core)
So, unless you've got a modified log4j config, you should be safe. With something this critical though, I'd suggest doing further analysis of your own to verify.
Thank you first of all for your intervention, but exactly what command to run on Linux or what file to look at to understand if you are vulnerable or not? I'm reading dozens of posts that seem like horoscopes, each one says a different thing.
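The three conditions listed in the reply above can be checked against a Log4j 1.x configuration file and the application's jar directory. The script below is an added example, not part of the original thread and not Atlassian code. It assumes a properties-format configuration with `=` separators and the upstream class name `org.apache.log4j.net.JMSAppender`; both paths are supplied by the caller, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Atlassian code). Checks the three CVE-2021-4104
# preconditions against a Log4j 1.x properties file and a directory of jars.
# Both paths are passed in by the caller; none are assumed here.

# Lines of the properties file that are neither comments nor blank.
active_lines() {
    grep -Ev '^[[:space:]]*([#!]|$)' "$1" || true
}

# Condition 1: names of appenders whose class is the JMS Appender.
jms_appenders() {
    active_lines "$1" | sed -n \
        's/^[[:space:]]*log4j\.appender\.\([A-Za-z0-9_-]*\)[[:space:]]*=[[:space:]]*org\.apache\.log4j\.net\.JMSAppender[[:space:]]*$/\1/p'
}

# Condition 2: jars that carry javax.jms classes. Entry names are stored
# uncompressed inside a jar, so a byte search works as a heuristic.
jms_api_jars() {
    find "$1" -type f -name '*.jar' -exec grep -la 'javax/jms/' {} + 2>/dev/null || true
}

# Condition 3: JNDI-related settings on appender $2 (JMSAppender properties).
jndi_settings() {
    active_lines "$1" | grep -Ei \
        "^[[:space:]]*log4j\.appender\.$2\.(TopicBindingName|TopicConnectionFactoryBindingName|ProviderURL)[[:space:]]*=" || true
}

# Returns 0 if no JMS Appender is configured, 1 if one is configured but
# another condition is missing, 2 if all three conditions hold.
check_log4j1_jms() {
    cfg=$1; libdir=$2; found=0
    jars=$(jms_api_jars "$libdir")
    for name in $(jms_appenders "$cfg"); do
        found=1
        echo "JMSAppender configured: $name"
        lookups=$(jndi_settings "$cfg" "$name")
        if [ -n "$lookups" ] && [ -n "$jars" ]; then
            echo "JNDI settings: $lookups"
            echo "javax.jms classes found in: $jars"
            return 2
        fi
    done
    return $found
}

# Stand-alone use: sh check.sh <log4j.properties> <jar-directory>
if [ "$#" -eq 2 ]; then check_log4j1_jms "$1" "$2"; fi
```

Properties spread across continuation lines, XML-format configurations, and properties set by code at runtime are not covered by this check.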