Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

log4j2 vulnerability CVE-2021-44228

Bakiyaraj Periyasamy
Bakiyaraj Periyasamy
Contributor
December 13, 2021

Hi Team,

We are using Jira version which has “log4j2-stacktrace-origins-2.2-atlassian-2.jar” installed in lib. Is this version of jar impacted because of  log4j2 vulnerability CVE-2021-44228?

If it is impacted, what is the remediation ? is there any workaround?

 

Thanks

Baki

Answer
Watch
Like # people like this
2716 views

3 answers

1 vote
Daniel Eads
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 13, 2021 edited

Hi all,

Daniel with Atlassian Support here to let you know our security team has finished its investigation. We have an official response statement here on Community, which you can access at this link.

More information can be found on our advisory page, as well as the previously-published FAQ:

Thanks,
Daniel Eads | Atlassian Support

View More Comments
ITS Admin GVPL
ITS Admin GVPL
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 14, 2021

Thanks Daniel,

We don't find the line containing: org.apache.log4j.net.JMSAppender

But for the above question asked by Bakiyaraj, I don't see a direct answer in those solutions provided by you.

We also find : log4j2-stacktrace-origins-2.2-atlassian-2.jar  installed.

Are we affected ?

Kindly advise.

Thanks,

Hariharan

Like 2 people like this
Hieu
Hieu
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 17, 2021 
<dependencies>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.7.7</version>
        <scope>provided</scope>
   </dependency>
</dependencies>


extract the jar file, I saw that in this jar, Atlassian use log4j 1.7.7, so I don't think we have to adjust some things

Like
Reply
1 vote
Nikki Zavadska _Appfire_
Nikki Zavadska _Appfire_
Community Champion
December 13, 2021

HI @Bakiyaraj Periyasamy

You can find all updates related to Log4J vulnerability on this FAQ page 👉 https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

View More Comments
Nikki Zavadska _Appfire_
Nikki Zavadska _Appfire_
Community Champion
December 13, 2021

If you find a line containing the org.apache.log4j.net.JMSAppender, you may be vulnerable. If you do not find a line containing the org.apache.log4j.net.JMSAppender, you do not have this specific vulnerable configuration.

Like Marc Kortleven likes this
Reply
0 votes
Kishan Sharma
Kishan Sharma
Community Champion
December 13, 2021

Hi @Bakiyaraj Periyasamy You can read this FAQ related to the log4j zero-day, hopefully it will help address some initial questions you may have.

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Champions
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.