Vulnerability question related to Atlassian bundled plugins

Rakesh Jajper January 14, 2022

Hi Team,

As per a recent scan we found out that there are a lot of places where Atlassian bundled plugins are using log4j 1.2.17 inside.

We are using Jira Service Management 8.13.

Any suggestions on how we can remediate this kind of issue? Has Atlassian released any guideline around bundled plugins?

We can upgrade to a newer version, but how can we make sure that the new version is using updated log4j files?


Here are file names:

Jira

------------

Plugin Output:

  Path              : C:\Program Files\Atlassian\JIRA\atlassian-jira\WEB-INF\atlassian-bundled-plugins\analytics-client-6.1.7.jar

  Installed version : 1.2.17

  Fixed version     : 2.16.0


  Path              : C:\Program Files\Atlassian\JIRA\atlassian-jira\WEB-INF\atlassian-bundled-plugins\atlassian-whisper-plugin-3.0.0.jar

  Installed version : 1.2.17

  Fixed version     : 2.16.0


  Path              : C:\Program Files\Atlassian\JIRA\bin\password-cipher-cli-1.0.15.jar

  Installed version : 1.2.17

  Fixed version     : 2.16.0


Confluence

---------------------

Plugin Output:

  Path              : C:\Program Files\Atlassian\Confluence\confluence\WEB-INF\atlassian-bundled-plugins\analytics-client-5.8.10.jar

  Installed version : 1.2.17

  Fixed version     : 2.16.0


  Path              : E:\Program Files\Atlassian\Application Data\Confluence\plugins-osgi-cache\transformed-plugins\analytics-client-5.8.10_1629078628000.jar

  Installed version : 1.2.17

  Fixed version     : 2.16.0

1 answer

0 votes
Pramodh M
Community Leader
January 14, 2022

@Rakesh Jajper 

Welcome to the Community!!

Yes, absolutely right. Upgrading the instance will replace the installation directory, and with it the jar files!!
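The question asks how to confirm, after an upgrade, that the bundled plugins no longer carry the old log4j jar, and the answer above relies on the installation directory being replaced. The script below is an added example, not code from the original post or from Atlassian. It walks a directory, opens every .jar, recurses into jars nested inside plugin jars (which is why a scanner attributes log4j to analytics-client-*.jar), and reads each artefact's version from its Maven pom.properties. org.apache.log4j (1.x) and org.apache.logging.log4j (2.x) are separate codebases, so it reports them separately: the scanner's "Fixed version: 2.16.0" refers to the 2.x line, and the check you want is whether any jar on disk still embeds a 1.x artefact. The directory layout, jar names and the sample jars that `build_sample_tree` writes are constructed for the demo and are not real Atlassian artefacts.

```python
from __future__ import annotations

import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# A class present only in the log4j 1.x codebase (package org.apache.log4j).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# A class present only in log4j-core 2.x (package org.apache.logging.log4j.core).
LOG4J2_MARKER = "org/apache/logging/log4j/core/Logger.class"
# Maven-built jars carry pom.properties with a "version=" line for the artefact.
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_from_pom_properties(data: bytes) -> Optional[str]:
    m = re.search(rb"^version=(.+)$", data, re.MULTILINE)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def inspect_jar(zf: zipfile.ZipFile, label: str, depth: int = 0) -> list[dict]:
    """One finding per log4j codebase in this jar or in any jar nested inside it."""
    names = set(zf.namelist())
    findings: list[dict] = []
    for marker, pom, codebase in (
        (LOG4J1_MARKER, LOG4J1_POM, "log4j-1.x"),
        (LOG4J2_MARKER, LOG4J2_POM, "log4j-core-2.x"),
    ):
        if marker in names:
            version = _version_from_pom_properties(zf.read(pom)) if pom in names else None
            findings.append({"path": label, "codebase": codebase, "version": version})
    # Plugin jars bundle their dependencies as nested jars, which is why a scanner
    # attributes log4j to the plugin jar itself. Recurse, with a depth bound.
    if depth < 3:
        for name in sorted(names):
            if name.lower().endswith(".jar"):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                        findings.extend(inspect_jar(inner, f"{label}!/{name}", depth + 1))
                except zipfile.BadZipFile:
                    continue  # not a real jar; skip it
    return findings


def scan_tree(root: str | Path) -> list[dict]:
    """Walk an install or home directory and report every embedded log4j artefact."""
    root = Path(root)
    findings: list[dict] = []
    for jar in sorted(root.rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                findings.extend(inspect_jar(zf, jar.relative_to(root).as_posix()))
        except zipfile.BadZipFile:
            continue
    return findings


def jars_embedding_log4j1(findings: list[dict]) -> list[str]:
    """Top-level jars (the files a scanner names) that still carry log4j 1.x."""
    return sorted({f["path"].split("!/")[0] for f in findings if f["codebase"] == "log4j-1.x"})


def build_sample_tree(root: Path) -> None:
    """Constructed test data: hypothetical plugin jars, not real Atlassian artefacts."""
    plugins = root / "atlassian-bundled-plugins"
    plugins.mkdir(parents=True, exist_ok=True)

    def fake_log4j_jar(marker: str, pom: str, version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(marker, b"\xca\xfe\xba\xbe")  # class-file magic; body is irrelevant
            z.writestr(pom, f"groupId=g\nartifactId=a\nversion={version}\n".encode())
        return buf.getvalue()

    with zipfile.ZipFile(plugins / "old-plugin-sample.jar", "w") as z:
        z.writestr("META-INF/lib/log4j-1.2.17.jar", fake_log4j_jar(LOG4J1_MARKER, LOG4J1_POM, "1.2.17"))
    with zipfile.ZipFile(plugins / "new-plugin-sample.jar", "w") as z:
        z.writestr("META-INF/lib/log4j-core-2.16.0.jar", fake_log4j_jar(LOG4J2_MARKER, LOG4J2_POM, "2.16.0"))
    with zipfile.ZipFile(plugins / "no-logging-sample.jar", "w") as z:
        z.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan_tree(root)
    return {"findings": findings, "log4j1_jars": jars_embedding_log4j1(findings)}


if __name__ == "__main__":
    # Usage: python scan_log4j.py "C:\Program Files\Atlassian\JIRA"; no argument runs the demo.
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()["findings"]
    for f in report:
        print(f"{f['codebase']:15} {f['version'] or '?':8} {f['path']}")
```

Run it against the installation directory before and after the upgrade and diff the two reports. Also run it against the home directory: the scan output in the question lists a copy under `plugins-osgi-cache\transformed-plugins` in `E:\Program Files\Atlassian\Application Data\Confluence`, which is the home directory rather than the installation directory the answer says is replaced, so that location needs its own check.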
