Hello Community! Per list-of-security-vulnerabilities-addressed-in-atlassian-log4j1, the mitigation notes for CVE-2020-9488 indicate the following:
Not vulnerable in the default configuration.
If you're using Log4j to email errors to admins, as a workaround, set the mail.smtp.ssl.checkserveridentity system property to true.
Question: how do we know if we're using the default config or if we're using log4j to email errors to admins?
For anyone who's curious, per Atlassian Support:
If you would like to know if you are using default configuration or using log4j for sending email errors to admins:
That said, by default, Jira does not use the SMTPAppender to send log information via SMTP email.
Ultimately, if you've never configured the appender for SMTP in Log4j's configuration file (log4j.properties), you shouldn't have to worry about the CVE applying to your instance.
However, if you'd like to verify, you can look at Jira's log4j.properties file in Jira's installation directory to confirm if the appender is enabled inside the log4j.properties file.
The setting begins with a line that should look very similar to this:
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
Additionally, if you'd like to remain on the side of caution, then you can always set up the JVM argument:
-Dmail.smtp.ssl.checkserveridentity=true
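One way to automate the check described above, as an added example that is not part of the original post or Atlassian's tooling: it reads the text of a log4j.properties file, reports any SMTPAppender that is defined and attached to a logger, and checks a JVM argument string for the workaround flag. The function names, verdict strings and sample input are assumptions made for illustration.

```python
import re
import shlex
SMTP_CLASS = "org.apache.log4j.net.SMTPAppender"
FLAG = "-Dmail.smtp.ssl.checkserveridentity="

def parse_properties(text):
    """Minimal .properties reader: skips comments, joins backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue
        line = pending + stripped
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def assess(properties_text, jvm_args=""):
    props = parse_properties(properties_text)
    # Appender definitions look like log4j.appender.<name>=<class>
    smtp = {k.rsplit(".", 1)[1] for k, v in props.items()
            if re.fullmatch(r"log4j\.appender\.[^.]+", k) and v == SMTP_CLASS}
    # Logger lines look like log4j.rootLogger=LEVEL, appender1, appender2
    attached = set()
    for key, value in props.items():
        if re.match(r"log4j\.(rootLogger|rootCategory|logger\.|category\.)", key):
            attached |= {a.strip() for a in value.split(",")[1:]} & smtp
    # Assumption: when a -D flag is repeated, the last value is the effective one
    values = [t[len(FLAG):] for t in shlex.split(jvm_args) if t.startswith(FLAG)]
    strict = bool(values) and values[-1].lower() == "true"
    verdict = ("no active SMTPAppender" if not attached else
               "SMTPAppender active, workaround " + ("set" if strict else "missing"))
    return {"smtp_appenders": sorted(smtp), "attached": sorted(attached),
            "strict_identity": strict, "verdict": verdict}

# Constructed sample input (only the SMTPAppender line is taken from the post)
SAMPLE = """\
# log4j.appender.old=org.apache.log4j.net.SMTPAppender
log4j.rootLogger=WARN, console, mail
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
"""
if __name__ == "__main__":
    print(assess(SAMPLE, "-Xmx2g"))
```

Pass it the contents of the log4j.properties file from Jira's installation directory and the JVM arguments the instance is started with.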