Atlassian's Response to Log4j (CVE-2021-44228)

On December 9, Atlassian became aware of the Log4j vulnerability CVE-2021-44228.

Impact on Cloud Products

This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j. To date, our analysis has not identified compromise of Atlassian systems or customer data prior to the patching of these systems. Atlassian customers are not vulnerable, and no action is required.

Impact on On-Premises Products

No Atlassian on-premises products are vulnerable to CVE-2021-44228.

Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low.

For further detailed information, please visit:

https://confluence.atlassian.com/display/SECURITY/Multiple+Products+Security+Advisory+-+Log4j+Vulnerable+To+Remote+Code+Execution+-+CVE-2021-44228

https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

20 comments

Dave Liao
Community Leader
December 13, 2021

Thank you for sharing this!

Muhammad Umer Rathore December 13, 2021

Thanks

license management December 14, 2021

What about the Elasticsearch recommended by Atlassian for Bitbucket Data Center (Elasticsearch 6.8.6)?

Jodie Vlassis
Atlassian Team
December 14, 2021

@license management we will have an update soon on this. 

Mathew Lam December 14, 2021

Hi @Jodie Vlassis 

Our on-prem instance contains this JAR: 
log4j2-stacktrace-origins-2.2-atlassian-2.jar

This other thread has some findings/questions from other community users as well.
https://community.atlassian.com/t5/Jira-Core-Server-questions/Is-log4j2-stacktrace-origins-2-2-atlassian-2-jar-vulnerable-to/qaq-p/1884806

Based on their findings, this log4j2-stacktrace-origins-2.2-atlassian-2.jar appears to be a fork of log4j2. Is it therefore vulnerable?

Please confirm, thanks!

Ollie Guan
Community Leader
December 14, 2021

Hi @Jodie Vlassis ,

Thank you for your notice. However, not all users follow the posts in the community in real time.

As a user, is there any way to subscribe to these latest notifications from Atlassian Support's Security?

Jodie Vlassis
Atlassian Team
December 14, 2021

Hi @Ollie Guan 

You can track all things products and incidents via Atlassian Statuspage - https://status.atlassian.com/

Ollie Guan
Community Leader
December 14, 2021

Hi @Jodie Vlassis ,

Thanks for your quick response ^_^. These seem to be services for the cloud. Is there an entrance to the data center?

Julien Roynette December 15, 2021

"We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party". 

Is it possible to have more information about this vulnerability? In this case, what's a trusted party?

thanks

license management December 15, 2021

@julien roynette 

There are indeed 3 vectors: the LDAP query that you can currently spot everywhere in the wild. The two others seem to be DNS and RMI. More info here:

https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/

and 

https://www.picussecurity.com/resource/blog/simulating-and-preventing-cve-2021-44228-apache-log4j-rce-exploits

As for Elasticsearch 6.8.6, I can confirm it is vulnerable to the attack, but it can be mitigated by simply adding a "-Dlog4j2.formatMsgNoLookups=true" flag to its Java env until a better solution is provided.

Kind regards

Jonas Andersson

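The flag named in the comment above only takes effect on log4j-core 2.10 and later, and only matters while the jar still carries the JndiLookup class; earlier 2.x releases need the class removed instead. The following Python check is an added example written for this thread (not Atlassian's or Elasticsearch's code): it classifies the log4j-core jars found in a lib directory against CVE-2021-44228 and verifies that an uncommented jvm.options line carries the flag. The jar names, their contents and the jvm.options text are constructed samples.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Presence of this class in a log4j-core 2.x jar is what CVE-2021-44228 needs.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def parse_version(name):
    m = VERSION_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None

def assess_jar(path):
    """Classify a log4j-core jar by version and whether JndiLookup is inside."""
    version = parse_version(Path(path).name)
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    if version is None:
        return "unknown"
    if version >= (2, 16, 0) or not has_jndi:
        return "not-affected"        # JNDI disabled upstream, or class stripped
    if version >= (2, 10, 0):
        return "mitigable-by-flag"   # formatMsgNoLookups is honoured from 2.10
    return "needs-class-removal"     # the flag has no effect before 2.10

def flag_present(jvm_options_text):
    """True if an uncommented jvm.options line carries the mitigation flag."""
    lines = (ln.strip() for ln in jvm_options_text.splitlines())
    return any(MITIGATION_FLAG in ln for ln in lines if not ln.startswith("#"))

def make_sample_jar(path, with_jndi):
    """Constructed sample jar: a manifest plus, optionally, an empty JndiLookup."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")

def demo():
    """Assess three constructed jars and a constructed jvm.options file."""
    samples = {"log4j-core-2.11.1.jar": True, "log4j-core-2.9.1.jar": True,
               "log4j-core-2.17.1.jar": False}
    with tempfile.TemporaryDirectory() as tmp:
        for name, with_jndi in samples.items():
            make_sample_jar(Path(tmp) / name, with_jndi)
        verdicts = {p.name: assess_jar(p) for p in Path(tmp).glob("*.jar")}
    # Constructed jvm.options: a commented-out copy of the flag does not count.
    jvm_options = "-Xms1g\n# " + MITIGATION_FLAG + "\n" + MITIGATION_FLAG + "\n"
    return verdicts, flag_present(jvm_options)
```

Point `assess_jar` and `flag_present` at a real lib directory and jvm.options file to run the same check against a deployment.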
Julien Roynette December 15, 2021

thank you

Brad McLaren December 16, 2021

Hi, does this also cover Trello?

Jodie Vlassis
Atlassian Team
December 16, 2021
Richard Thomson December 16, 2021

@Jodie Vlassis the updated advisory does not explicitly state whether log4j2-stacktrace-origins-2.2-atlassian-2.jar is covered by the vulnerability or not. Can we please get an explicit statement for this module?

Paul Burden December 17, 2021

If the cloud products are not vulnerable, how do they explain these jndi ldap emails that someone sent from our JIRA cloud admin page to our entire company?

The email headers say it originated from Atlassian themselves (DMARC pass, SPF pass, etc.), apparently from our company's hosted Jira portal instance. I reported this in a ticket nearly a day ago; they didn't respond.

hacktheworld.png

David Stallard January 18, 2022

My organization is mandating a minimum version of log4j, currently 2.17.1.  Even if the log4j vulnerability is handled in the Atlassian-forked 1.2.17 version, it is still 1.2.17 -- the official 1.2.17 is very old and out of support and has other concerns, so this continues to be identified as a problem.  Are there any plans to update versioning for this Atlassian-forked variant?

Balaji Sampath February 1, 2022

Representing the "gov" agencies: the mandate from DHS security is that all software bundling older versions of log4j needs to be updated. The vulnerability tool is flagging any log4j not in v2.x.

What would be the recommendation by Atlassian to upgrade the log4j 1.2.17 bundled within Jira 8.x package? 

Sven Sonnendorfer February 2, 2022

Similar question from our side. We run big Jira/Confluence/Bitbucket/Crowd instances and got a security advisory related to this CVE: https://www.cvedetails.com/cve/CVE-2022-23307/ 

Unfortunately we have only one week to implement a solution to this issue, as the CVE is rated with 10. Can you give us any information, if and when you plan to switch to the actual version of log4j? Is there a workaround, we can implement in the meantime? We run on actual LTS Server/Data Center licenses. 

kevinlou777 March 14, 2022

We are using the Jira and Confluence Data Center Edition. Can Atlassian confirm if the log4j issue has been fixed in any new release yet? And if not, is it planned in coming releases?

Nidhi Yadav December 16, 2022

We are using Atlassian-renderer 9.0.2 (Maven Repository: com.atlassian.renderer » atlassian-renderer » 9.0.2 (mvnrepository.com)), which has a built-in dependency on the log4j 1.x version, which is vulnerable.

If I upgrade the dependency externally to the 2.x version, then the default methods inside atlassian-renderer do not work and throw a class-not-found exception (Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Logger).

Is there a workaround/solution for this issue? Please help.
