Hi Team,

We are using a Jira version which has “log4j2-stacktrace-origins-2.2-atlassian-2.jar” installed in lib. Is this version of the jar impacted because of the log4j2 vulnerability CVE-2021-44228?

If it is impacted, what is the remediation? Is there any workaround?

Thanks

Baki

2 answers

1 accepted

1 vote
Answer accepted

Hi all,

Daniel with Atlassian Support here to let you know our security team has finished its investigation. We have an official response statement here on Community, which you can access at this link.

More information can be found on our advisory page, as well as the previously-published FAQ:

Thanks,
Daniel Eads | Atlassian Support

Hi @Bakiyaraj Periyasamy.

You are only affected if you are using JMSAppender. Therefore, simply checking whether <install-directory>/atlassian-jira/WEB-INF/classes/log4.properties has this is the way to determine if you are vulnerable, regardless of the Jira version you are using. You may review the following KB with regard to this:
https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

By default this is not present in Jira. Therefore please check if your log4.properties contains this. If so, then the mitigation steps would be to comment out org.apache.log4j.JMSAppender to disable this temporarily. 
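
One way to run the check described in the answer above, as an added example (not part of the original thread and not Atlassian's code): it parses a log4j 1.x properties file, ignores commented-out lines, and reports each active JMSAppender definition together with the loggers that reference it. The sample content and the function names are constructed for illustration.

```python
import re

# Constructed sample of a log4j 1.x properties file (not from a real Jira install).
SAMPLE = """\
log4j.rootLogger=WARN, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
#log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.jms = org.apache.log4j.net.\\
    JMSAppender
log4j.appender.jms.TopicBindingName=topic
log4j.logger.com.example.audit = INFO, jms
"""

LOGGER_KEYS = ("log4j.rootLogger", "log4j.rootCategory", "log4j.logger.", "log4j.category.")


def parse_properties(text):
    """Return active key/value pairs; # and ! comment lines are skipped."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank or commented-out line
        if line.endswith("\\"):  # backslash continuation: join with next line
            pending += line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]?\s*(.*)", pending + line)
        pending = ""
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_jms_appenders(text):
    """Map each active JMSAppender name to the loggers that reference it."""
    props = parse_properties(text)
    found = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        # Suffix match covers both the spelling in the answer and the full package name.
        if m and value.endswith("JMSAppender"):
            found[m.group(1)] = []
    for key, value in props.items():
        if key.startswith(LOGGER_KEYS):
            for name in (p.strip() for p in value.split(",")[1:]):
                if name in found:
                    found[name].append(key)
    return found


if __name__ == "__main__":
    for name, loggers in find_jms_appenders(SAMPLE).items():
        print(f"active JMSAppender '{name}', attached to: {loggers or 'no logger'}")
```

An empty result means no active JMSAppender line was found; a commented-out definition, which is the temporary mitigation the answer describes, is not reported.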
