log4j2 vulnerability CVE-2021-44228

Bakiyaraj Periyasamy December 13, 2021

Hi Team,

We are using a Jira version which has “log4j2-stacktrace-origins-2.2-atlassian-2.jar” installed in lib. Is this version of the jar impacted because of log4j2 vulnerability CVE-2021-44228?

If it is impacted, what is the remediation? Is there any workaround?

 

Thanks

Baki

3 answers

1 vote
Daniel Eads
Atlassian Team
December 13, 2021

Hi all,

Daniel with Atlassian Support here to let you know our security team has finished its investigation. We have an official response statement here on Community, which you can access at this link.

More information can be found on our advisory page, as well as the previously-published FAQ:

Thanks,
Daniel Eads | Atlassian Support

ITS Admin GVPL December 14, 2021

Thanks Daniel,

We don't find the line containing: org.apache.log4j.net.JMSAppender

But for the above question asked by Bakiyaraj, I don't see a direct answer in those solutions provided by you.

We also find: log4j2-stacktrace-origins-2.2-atlassian-2.jar installed.

Are we affected?

Kindly advise.

Thanks,

Hariharan

Hieu
Rising Star
December 17, 2021
    <dependencies>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
            <version>1.7.7</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>


I extracted the jar file and saw that in this jar Atlassian uses log4j 1.7.7, so I don't think we have to adjust anything.

1 vote
Nikki Zavadska _Appfire_
Community Leader
December 13, 2021

Hi @Bakiyaraj Periyasamy

You can find all updates related to Log4J vulnerability on this FAQ page 👉 https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

Nikki Zavadska _Appfire_
Community Leader
December 13, 2021

If you find a line containing the org.apache.log4j.net.JMSAppender, you may be vulnerable. If you do not find a line containing the org.apache.log4j.net.JMSAppender, you do not have this specific vulnerable configuration.

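The two checks discussed in this thread (extracting a jar to see what it actually contains, and looking for an active org.apache.log4j.net.JMSAppender line in the logging configuration) can be scripted; the following is an added example, not part of any post above and not Atlassian's code. It assumes, from outside the thread, that the class to look for is log4j-core 2.x's org/apache/logging/log4j/core/lookup/JndiLookup.class; the function names and all sample data are made up for the illustration and constructed in memory.

```python
import io
import zipfile

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"  # string named in the thread
# Assumption, not from the thread: the log4j-core 2.x class behind CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jms_appender_lines(config_text):
    """Line numbers of active (uncommented) config lines naming JMSAppender."""
    return [no for no, line in enumerate(config_text.splitlines(), 1)
            if JMS_APPENDER in line
            and not line.lstrip().startswith(("#", "!"))]

def jar_has_jndi_lookup(jar_bytes, depth=0):
    """True if the archive, or a jar/war nested in it, ships JndiLookup.class."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            for name in jar.namelist():
                if name.endswith(JNDI_LOOKUP):
                    return True
                if name.endswith((".jar", ".war")) and depth < 3:
                    if jar_has_jndi_lookup(jar.read(name), depth + 1):
                        return True
    except zipfile.BadZipFile:
        pass  # not a readable archive; nothing to inspect
    return False

def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples, not taken from a real Jira installation.
SAMPLE_CONFIG = (
    "log4j.rootLogger=WARN, console\n"
    "# log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
    "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
)
HELPER_JAR = make_jar({"META-INF/maven/pom.xml": b"<project/>"})
CORE_JAR = make_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
BUNDLE = make_jar({"WEB-INF/lib/log4j-core.jar": CORE_JAR})

if __name__ == "__main__":
    print("active JMSAppender lines:", jms_appender_lines(SAMPLE_CONFIG))
    for label, jar in (("helper", HELPER_JAR), ("core", CORE_JAR), ("bundle", BUNDLE)):
        print(label, "ships JndiLookup:", jar_has_jndi_lookup(jar))
```

The check keys on archive contents rather than on the file name, so a jar with "log4j2" in its name that carries no JndiLookup.class reports False, while a bundle that embeds log4j-core under another name reports True.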
0 votes
Kishan Sharma
Community Leader
December 13, 2021

Hi @Bakiyaraj Periyasamy, you can read this FAQ related to the log4j zero-day; hopefully it will help address some initial questions you may have.
