Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,298,374
Community Members
 
Community Events
165
Community Groups

Both jira and Confluence have been upgraded to the latest version, the log4j problem has not been re

Both jira and Confluence have been upgraded to the latest version, the log4j problem has not been resolved, what should I do? Can I upgrade log4j myself?

I just came into contact with how JIRA should deal with this problem. Should I wait for the official fix or I can solve it myself? I have updated JIRA to the latest version. How to solve the log4j problem? Can I delete it? Will it have any effect?

 

Apache Log4j 1.2 Remote Code Execution Vulnerability

QID: 376187
Category: Local
Associated CVEs: CVE-2021-4104
Vendor Reference: CVE-2021-4104
Bugtraq ID: -
Service Modified: 04/13/2022
User Modified: -
Edited: No
PCI Vuln: Yes

 

THREAT:
Apache Log4j is a Java-based logging utility. It is part of the Apache Logging Services, a project of the Apache Software Foundation.
The JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI
requests that result in remote code execution in a similar fashion to CVE-2021-44228.
Affected versions:
Log4j version 1.2
QID Detection: (Authenticated) - Linux
This detection is based on querying the OS package managers on the target. If the target has a log4j package with a version in 1.2, the target is flagged as potentially vulnerable.

QID Detection: (Authenticated) - Windows
On Windows system, the QID identifies vulnerable instance of log4j via WMI to check log4j included in the running processes via command-line.


IMPACT:
Successful exploitation of this vulnerability could lead to remote code execution (RCE) on the target.


SOLUTION:
Customers are advised to upgrade their Log4j to the version in 2.16. If updating the version is not possible, please refer to the mitigations mentioned
here Log4j (https://logging.apache.org/log4j/2.x/security.html).Workaround:Audit your logging configuration to ensure it has no JMSAppender
configured. Log4j 1.2 configurations without JMSAppender are not impacted by this vulnerability.
Log4j 1.x does not have Lookups, so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their
configuration.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Log4j 1.2 (https://logging.apache.org/log4j/2.x/security.html#)


COMPLIANCE:
Not Applicable


EXPLOITABILITY:
There is no exploitability information for this vulnerability.


ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
PATH  
/home/ubuntu/confluence/confluence/WEBINF/lib/log4j-1.2.17-atlassian-3.jar

VERSION
1.2.17-atlassian-3

JMS_CLASS_STATUS

JMSAppender CLASS FOUND

BASE_DIR

/home/ubuntu/confluence

PATH 
/home/ubuntu/downloads/jira.bak/lib/log4j-1.2.17-atlassian-2.jar

VERSION

1.2.17-atlassian-2

JMS_CLASS_STATUS

JMSAppender CLASS FOUND

/home/ubuntu/downloads
/opt/atlassian/jira/lib/log4j-1.2.17-atlassian-3.jar

1.2.17-atlassian-3 JMSAppender CLASS FOUND

BASE_DIR

/opt/atlassian/jira

PATH 
/opt/atlassian/confluence/confluence/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar

VERSION
1.2.17-atlassian-3

JMS_CLASS_STATUS

JMSAppender CLASS FOUND

BASE_DIR

/opt/atlassian/confluence

PATH 
/home/ubuntu/2021_11_10-confluence-7.6.2-back/confluence/confluence/WEB-INF/li
b/log4j-1.2.17-atlassian-3.jar

VERSION
1.2.17-atlassian-3

JMS_CLASS_STATUS

JMSAppender CLASS FOUND

BASE_DIR

/home/ubuntu/2021_11_10-confluence-7.6.2-back

1 answer

0 votes

Hi @志强 汤 ,

based on the following article https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html JIRA and Confluence are not affected by this vulnerability.

 

Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low.

 

Hope this helps,

Fabio

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you