log4j dependency is exposed to CVE-2021-4104


    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 8.1.2, 8.0.6, 8.2.0
    • Affects Version/s: 7.0.0, 7.1.0, 7.2.0, 8.1.1
    • Component/s: Installation
    • Severity: 1 - Critical

      Issue Summary

      log4j-1.2.17-atlassian-3 is exposed to CVE-2021-4104 if JMSAppender is used (it is not configured by default).

      More details at https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html 

      Steps to Reproduce

      1. Configure JMSAppender in the log4j properties file
      2. Follow the steps described for CVE-2021-4104 to affect the Bamboo instance

      Expected Results

      Instance is not affected

      Actual Results

      Instance might be affected

      Workaround

      Workaround #1

      Shut down Bamboo and replace $BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar with log4j-1.2.17-atlassian-15.jar.

      Workaround #2

      Remove any custom logging configuration for the JMS Appender on both the Bamboo Server ($BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/classes/log4j.properties) and the Bamboo remote agents, as follows:

      If you have a properties file specified for the variable wrapper.java.additional.X=-Dlog4j.configuration (in <bamboo-agent-home>/conf/wrapper.conf), check whether org.apache.log4j.net.JMSAppender is present in that properties file. If it is, comment it out or remove it.
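The check described in Workaround #2, as an added example that is not Atlassian's own tooling: a POSIX shell script that flags an uncommented JMSAppender entry in a log4j.properties file and follows the -Dlog4j.configuration setting in an agent's wrapper.conf to the file it names. The sample files are constructed inline and all paths are placeholders.

```shell
#!/bin/sh
# Added example, not Atlassian's code: find log4j 1.x JMSAppender configuration
# of the kind Workaround #2 tells you to remove. All paths are placeholders.

# Exit 0 if FILE configures org.apache.log4j.net.JMSAppender on a line that
# is not a Java properties comment (leading '#' or '!'), otherwise exit 1.
has_jms_appender() {
    grep -v '^[[:space:]]*[#!]' "$1" 2>/dev/null \
        | grep -q 'org\.apache\.log4j\.net\.JMSAppender'
}

# Print the log4j config an agent's wrapper.conf selects through
# wrapper.java.additional.N=-Dlog4j.configuration=..., without any
# leading "file:" scheme. Prints nothing when the property is absent.
agent_log4j_config() {
    sed -n 's/^wrapper\.java\.additional\.[0-9][0-9]*=-Dlog4j\.configuration=//p' "$1" \
        | sed 's/^file://' | head -n 1
}

# Check a server log4j.properties plus an agent wrapper.conf.
# Exit 0 when neither enables JMSAppender, 1 when either does.
check_install() {
    status=0
    if has_jms_appender "$1"; then
        echo "JMSAppender configured in $1"; status=1
    fi
    agent_props=$(agent_log4j_config "$2")
    if [ -n "$agent_props" ] && has_jms_appender "$agent_props"; then
        echo "JMSAppender configured in agent config $agent_props"; status=1
    fi
    return $status
}

# Constructed sample inputs: a server config that enables the appender and
# an agent config where it is already commented out.
demo=$(mktemp -d)
cat > "$demo/log4j.properties" <<'EOF'
log4j.rootLogger=WARN, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
EOF
printf '# log4j.appender.jms=org.apache.log4j.net.JMSAppender\n' > "$demo/agent-log4j.properties"
printf 'wrapper.java.additional.3=-Dlog4j.configuration=file:%s/agent-log4j.properties\n' \
    "$demo" > "$demo/wrapper.conf"

check_install "$demo/log4j.properties" "$demo/wrapper.conf" \
    || echo "action required: comment out or remove the JMSAppender lines"
```

Run it against the real server properties file and each agent's wrapper.conf; a non-zero exit from check_install means the appender is still enabled somewhere.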

            Assignee:
            Alexey Chystoprudov
            Reporter:
            Alexey Chystoprudov