Details
- Bug
- Resolution: Fixed
- Low
- 7.0.0, 7.1.0, 7.2.0, 8.1.1
- None
- Severity 1 - Critical
Description
Issue Summary
log4j-1.2.17-atlassian-3 is exposed to CVE-2021-4104 if JMSAppender is used (it is not configured by default).
More details at https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
Steps to Reproduce
- Configure JMSAppender in the log4j properties file
- Follow the steps described for CVE-2021-4104 against the Bamboo instance
Expected Results
Instance is not affected
Actual Results
Instance might be affected
Workaround
Workaround #1
Shut down Bamboo and replace $BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar with log4j-1.2.17-atlassian-15.jar
Workaround #2
Remove any custom logging configuration for the JMS Appender on both the Bamboo Server ($BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/classes/log4j.properties) and the Bamboo remote agents, as follows:
If you have a properties file specified for the variable wrapper.java.additional.X=-Dlog4j.configuration (in <bamboo-agent-home>/conf/wrapper.conf), check whether org.apache.log4j.net.JMSAppender is present in that properties file. If it is, comment it out or remove it.
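Added example, not Atlassian's own tooling: a POSIX shell audit that checks the two conditions behind the workarounds (the -atlassian-3 jar still deployed; an active JMSAppender in the server log4j.properties or in the file an agent's wrapper.conf points -Dlog4j.configuration at). It assumes the paths stated above and takes $BAMBOO_INSTALL and the agent home as arguments.

```shell
#!/bin/sh
# Added example, not Atlassian's tooling: audit a Bamboo server install and an
# agent home for the two conditions this issue describes, i.e. whether
# log4j-1.2.17-atlassian-3.jar is still deployed and whether JMSAppender is
# configured. Paths follow the issue text; BAMBOO_INSTALL and the agent home
# are passed in as arguments (assumed layout, adjust for your install).

# Return 0 if an active (not commented-out) JMSAppender line exists in $1.
# log4j .properties comments start with '#' or '!'; commenting the appender
# out is exactly what Workaround #2 asks for, so those lines are ignored.
jms_appender_active() {
    [ -f "$1" ] || return 1
    grep -E '^[[:space:]]*[^#!].*org\.apache\.log4j\.net\.JMSAppender' "$1" >/dev/null
}

# Print the properties file an agent's wrapper.conf hands to log4j through
# wrapper.java.additional.X=-Dlog4j.configuration=...; a "file:" prefix is
# stripped. $1 is the agent home; returns 1 when no wrapper.conf exists.
agent_log4j_config() {
    conf="$1/conf/wrapper.conf"
    [ -f "$conf" ] || return 1
    sed -n 's/^wrapper\.java\.additional\.[0-9]*=-Dlog4j\.configuration=//p' "$conf" \
        | head -n 1 | sed 's|^file:||'
}

# Return 0 if the vulnerable build is still under WEB-INF/lib. $1 = BAMBOO_INSTALL.
vulnerable_jar_present() {
    [ -f "$1/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar" ]
}

# Run all checks: $1 = BAMBOO_INSTALL, $2 = agent home.
# Prints one FINDING line per problem; returns 0 only when nothing was found.
audit_bamboo() {
    install="$1"; agent_home="$2"; status=0
    if vulnerable_jar_present "$install"; then
        echo "FINDING: log4j-1.2.17-atlassian-3.jar still deployed (Workaround #1 not applied)"
        status=1
    fi
    if jms_appender_active "$install/atlassian-bamboo/WEB-INF/classes/log4j.properties"; then
        echo "FINDING: JMSAppender active in server log4j.properties"
        status=1
    fi
    agent_cfg=$(agent_log4j_config "$agent_home") && [ -n "$agent_cfg" ] \
        && jms_appender_active "$agent_cfg" \
        && { echo "FINDING: JMSAppender active in agent config $agent_cfg"; status=1; }
    return "$status"
}
```

Run as `audit_bamboo "$BAMBOO_INSTALL" /path/to/bamboo-agent-home` on each server and agent; a non-zero exit means at least one workaround is still outstanding.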
Attachments
Issue Links
- is action for: BDEV-16896
- mentioned in: Page