Both Jira and Confluence have been upgraded to the latest version, but the log4j problem has not been resolved. What should I do? Can I upgrade log4j myself?

志强 汤 May 17, 2022

Both Jira and Confluence have been upgraded to the latest version, but the log4j problem has not been resolved. What should I do? Can I upgrade log4j myself?

I have only just started looking into how JIRA should deal with this problem. Should I wait for the official fix, or can I solve it myself? I have updated JIRA to the latest version. How do I solve the log4j problem? Can I delete it? Will that have any effect?


Apache Log4j 1.2 Remote Code Execution Vulnerability

QID: 376187
Category: Local
Associated CVEs: CVE-2021-4104
Vendor Reference: CVE-2021-4104
Bugtraq ID: -
Service Modified: 04/13/2022
User Modified: -
Edited: No
PCI Vuln: Yes


THREAT:
Apache Log4j is a Java-based logging utility. It is part of the Apache Logging Services, a project of the Apache Software Foundation.
The JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228.
Affected versions:
Log4j version 1.2
QID Detection: (Authenticated) - Linux
This detection is based on querying the OS package managers on the target. If the target has a log4j package with a version in 1.2, the target is flagged as potentially vulnerable.

QID Detection: (Authenticated) - Windows
On Windows systems, the QID identifies vulnerable instances of log4j via WMI by checking for log4j in the command lines of running processes.


IMPACT:
Successful exploitation of this vulnerability could lead to remote code execution (RCE) on the target.


SOLUTION:
Customers are advised to upgrade their Log4j to the version in 2.16. If updating the version is not possible, please refer to the mitigations mentioned here: Log4j (https://logging.apache.org/log4j/2.x/security.html).
Workaround:
Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.2 configurations without JMSAppender are not impacted by this vulnerability.
Log4j 1.x does not have Lookups, so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Log4j 1.2 (https://logging.apache.org/log4j/2.x/security.html#)


COMPLIANCE:
Not Applicable


EXPLOITABILITY:
There is no exploitability information for this vulnerability.


ASSOCIATED MALWARE:
There is no malware information for this vulnerability.


RESULTS:
PATH: /home/ubuntu/confluence/confluence/WEBINF/lib/log4j-1.2.17-atlassian-3.jar
VERSION: 1.2.17-atlassian-3
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /home/ubuntu/confluence

PATH: /home/ubuntu/downloads/jira.bak/lib/log4j-1.2.17-atlassian-2.jar
VERSION: 1.2.17-atlassian-2
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /home/ubuntu/downloads

PATH: /opt/atlassian/jira/lib/log4j-1.2.17-atlassian-3.jar
VERSION: 1.2.17-atlassian-3
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /opt/atlassian/jira

PATH: /opt/atlassian/confluence/confluence/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
VERSION: 1.2.17-atlassian-3
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /opt/atlassian/confluence

PATH: /home/ubuntu/2021_11_10-confluence-7.6.2-back/confluence/confluence/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
VERSION: 1.2.17-atlassian-3
JMS_CLASS_STATUS: JMSAppender CLASS FOUND
BASE_DIR: /home/ubuntu/2021_11_10-confluence-7.6.2-back
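The workaround in the QID text (audit the logging configuration for a JMSAppender) and the JMS_CLASS_STATUS value in the scan results can both be reproduced with a small script. This is an added example, not Atlassian's or Qualys's code; the jar and the log4j.properties snippets it uses are constructed stand-ins, and it assumes a log4j 1.x properties or XML configuration as input.

```python
import io
import re
import zipfile

# Added example, not Atlassian or Qualys code. It mirrors the two checks the QID
# describes: is JMSAppender shipped in a log4j 1.2 jar, and is it configured.
JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"
JNDI_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")

def jms_class_status(jar_bytes: bytes) -> str:
    """Same check the scan result reports: is JMSAppender.class inside the jar?"""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        found = JMS_CLASS in jar.namelist()
    return "JMSAppender CLASS FOUND" if found else "JMSAppender CLASS NOT FOUND"

def config_uses_jms_appender(config_text: str) -> dict:
    """Inspect log4j 1.x properties or XML text for a JMSAppender and its JNDI keys."""
    declared = "org.apache.log4j.net.JMSAppender" in config_text
    keys = [k for k in JNDI_KEYS if re.search(r"\b%s\b" % k, config_text)]
    return {"jms_appender": declared, "jndi_keys": keys}

def assess(jar_bytes: bytes, config_text: str) -> str:
    """Combine both checks: the class alone is not exploitable, the config is."""
    status = jms_class_status(jar_bytes)
    cfg = config_uses_jms_appender(config_text)
    if status == "JMSAppender CLASS FOUND" and cfg["jms_appender"]:
        return "EXPOSED: JMSAppender configured (%s)" % ", ".join(cfg["jndi_keys"])
    if status == "JMSAppender CLASS FOUND":
        return "NOT CONFIGURED: class shipped but unused; protect config write access"
    return "CLASS ABSENT: jar does not ship JMSAppender"

def make_sample_jar(with_jms: bool) -> bytes:
    """Constructed stand-in for log4j-1.2.17*.jar; entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"")
        if with_jms:
            jar.writestr(JMS_CLASS, b"")
    return buf.getvalue()

# Constructed log4j.properties snippets: the exposed shape next to a safe one.
VULNERABLE_CONFIG = """log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""
SAFE_CONFIG = """log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
"""
```

Running `assess()` over each jar the scan listed together with the matching log4j.properties (or log4j.xml) in that installation tells you which "CLASS FOUND" findings are actually configured to use JMS.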

1 answer

0 votes
Fabio Racobaldo _Herzum_
Community Leader
May 18, 2022

Hi @志强 汤 ,

Based on the following article https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html JIRA and Confluence are not affected by this vulnerability.


Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low.


Hope this helps,

Fabio
