Atlassian's Response to Log4j (CVE-2021-44228)

Thank you for sharing this!

Thanks

What about the elasticsearch recommended by atlassian for bitbucket datacenter (ElasticSearch 6.8.6)?

@license management we will have an update soon on this. 

Hi @Jodie Vlassis 

Our on-prem instance contains this JAR: 
log4j2-stacktrace-origins-2.2-atlassian-2.jar

This other thread has some findings/questions from other community users as well.
https://community.atlassian.com/t5/Jira-Core-Server-questions/Is-log4j2-stacktrace-origins-2-2-atlassian-2-jar-vulnerable-to/qaq-p/1884806

Based on their findings, this log4j2-stacktrace-origins-2.2-atlassian-2.jar appears to be a fork of log4j2. Is it therefore vulnerable?

Please confirm, thanks!

Hi @Jodie Vlassis ,

Thank you for your notice. However, not all users follow the posts in the community in real time.

As a user, is there any way to subscribe to these latest notifications from Atlassian Support's Security?

Hi @Ollie Guan 

You can track all things products and incidents via Atlassian Statuspage - https://status.atlassian.com/

Hi @Jodie Vlassis ,

Thanks for your quick response ^_^.These seem to be services for the cloud. Is there an entrance to the data center?

"We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party". 

Is it possible to have more informations about this vulnerabilty ? In this case, what's a trusted party ? 

thanks

@julien roynette 

There are indeed 3 vectors. the ldap query that you currently can spot everywhere in the wild. The two others seem to be DNS and RMI. More info here:

https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/

and 

https://www.picussecurity.com/resource/blog/simulating-and-preventing-cve-2021-44228-apache-log4j-rce-exploits

As for elasticsearch 6.8.6, i can confirm they are vulnerable to the attack, but it can be mitigated by simply adding a "-Dlog4j2.formatMsgNoLookups=true" flag to its java env until a better solution is provided.

Kind regards

Jonas Andersson

thank you

Hi Does this also cover trello?

Hi everyone - the advisory has been updated to address all your concerns hopefully - head on over to:

- https://confluence.atlassian.com/display/SECURITY/Multiple+Products+Security+Advisory+-+Log4j+Vulnerable+To+Remote+Code+Execution+-+CVE-2021-44228

- https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

Thank you;

Jodie

@Jodie Vlassis the updated advisory does not explicitly state whether log4j2-stacktrace-origins-2.2-atlassian-2.jar is covered by the vulnerability or not. Can we please get an explicit statement for this module?

If the cloud products not vulnerable how do they explain these jndi ldap emails that someone sent from our JIRA cloud admin page to our entire company.

That the email headers say originated from Atlassian themselves (dmarc pass, spf pass, etc) apparently from our company jira portal instance that is hosted.  I reported this in a ticket nearly a day ago they didn't respond.

My organization is mandating a minimum version of log4j, currently 2.17.1.  Even if the log4j vulnerability is handled in the Atlassian-forked 1.2.17 version, it is still 1.2.17 -- the official 1.2.17 is very old and out of support and has other concerns, so this continues to be identified as a problem.  Are there any plans to update versioning for this Atlassian-forked variant?

Representing the "gov" agencies, the mandate from DHS security is to upgrade all software's that has bundled log4j with older versions needs to be updated . The vulnerability tool is flagging any log4j not in v2.x.  

What would be the recommendation by Atlassian to upgrade the log4j 1.2.17 bundled within Jira 8.x package? 

Similar question from our side. We run big Jira/Confluence/Bitbucket/Crowd instances and got a security advisory related to this CVE: https://www.cvedetails.com/cve/CVE-2022-23307/ 

Unfortunately we have only one week to implement a solution to this issue, as the CVE is rated with 10. Can you give us any information, if and when you plan to switch to the actual version of log4j? Is there a workaround, we can implement in the meantime? We run on actual LTS Server/Data Center licenses. 

We are using the Jira and Confluence Data Center Edition. Can Atlassian confirm if the log4j issue has been fixed in any new release yet? And if not, is it planned in coming releases?

We are using Atlassian-renderer 9.0.2 (Maven Repository: com.atlassian.renderer » atlassian-renderer » 9.0.2 (mvnrepository.com)), which is inbuilt have dependency on log4j 1.x version which is vulnerable. 

If i upgrade the dependency externally to 2.x version, then the default methods inside atlassian-renderer does not work, gives class not found exception. (Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Logger).

is there a workaround/solution present for this issue, please help.