Type: Bug
Resolution: Fixed
Priority: Low
Affects Version/s: 7.0.0, 7.1.0, 7.2.0, 8.1.1
Severity 1 - Critical
Issue Summary
log4j-1.2.17-atlassian-3 is exposed to CVE-2021-4104 if JMSAppender is used (which is not configured by default). The CVE is only reachable when org.apache.log4j.net.JMSAppender is configured: an attacker who can write the Log4j configuration (for example the TopicBindingName and TopicConnectionFactoryBindingName properties) can make the appender perform JNDI lookups that end in deserialization of untrusted data and remote code execution, in the same way as CVE-2021-44228. A default Bamboo installation does not configure this appender.
More details at https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
Steps to Reproduce
- Configure JMSAppender in the log4j properties
- Follow the steps described for CVE-2021-4104 to affect the Bamboo instance
Expected Results
Instance is not affected
Actual Results
Instance might be affected
Workaround
Workaround #1
Shut down Bamboo and replace $BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar with log4j-1.2.17-atlassian-15.jar (https://packages.atlassian.com/artifactory/maven-3rdparty-local/log4j/log4j/1.2.17-atlassian-15/log4j-1.2.17-atlassian-15.jar)
Workaround #2
Remove any custom logging configuration for the JMS Appender on both the Bamboo server ($BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/classes/log4j.properties) and the Bamboo remote agents, as follows:
If you have a properties file specified for the variable wrapper.java.additional.X=-Dlog4j.configuration (in <bamboo-agent-home>/conf/wrapper.conf), check whether org.apache.log4j.net.JMSAppender is present in that properties file. If it is, comment it out or remove it.
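Both workarounds reduce to two checks: is a JMSAppender active in any Log4j configuration the server or an agent loads, and does the Log4j jar on the classpath still contain the appender class. The script below is an added example, not Atlassian's or Bamboo's code. It assumes the agent's -Dlog4j.configuration value is a plain path or a file: URL, and the log4j.properties and wrapper.conf files it writes at the bottom are constructed for illustration, not taken from a real install.

```shell
#!/bin/sh
# Added audit script (not Atlassian's code): checks a Bamboo server/agent for the
# two conditions the workarounds above address. Paths come from the caller; the
# sample files at the bottom are constructed here so the script runs offline.

# Return 0 (finding) if a Log4j 1.x properties file has an active JMSAppender line,
# 1 if the class is absent or only appears in a comment (# or ! in Java properties).
jms_appender_active() {
    [ -r "$1" ] || return 1
    sed 's/^[[:space:]]*//' "$1" | grep -v '^[#!]' \
        | grep -q 'org\.apache\.log4j\.net\.JMSAppender'
}

# Print the properties file an agent's wrapper.conf hands to Log4j through
# wrapper.java.additional.N=-Dlog4j.configuration=<value>. Assumes the value is a
# plain path or a file: URL (the file: prefix is stripped); prints nothing if unset.
agent_log4j_config() {
    [ -r "$1" ] || return 0
    sed -n 's/^wrapper\.java\.additional\.[0-9][0-9]*=-Dlog4j\.configuration=//p' "$1" \
        | sed 's#^file:##' | head -n 1
}

# Return 0 if the jar still ships org/apache/log4j/net/JMSAppender.class, 1 otherwise.
# Zip entry names are stored uncompressed, so grep -a is a usable fallback
# when unzip is not installed.
jar_has_jms_appender() {
    [ -r "$1" ] || return 1
    if command -v unzip >/dev/null 2>&1; then
        unzip -l "$1" 2>/dev/null | grep -q 'org/apache/log4j/net/JMSAppender\.class'
    else
        grep -aq 'org/apache/log4j/net/JMSAppender\.class' "$1"
    fi
}

# Audit one installation: $1 server log4j.properties, $2 agent wrapper.conf, $3 log4j jar.
# Findings go to stderr; the number of findings is printed to stdout (0 = clean).
audit_bamboo_log4j() {
    findings=0
    if jms_appender_active "$1"; then
        echo "FINDING: active JMSAppender in server config $1" >&2
        findings=$((findings + 1))
    fi
    agent_cfg=$(agent_log4j_config "$2")
    if [ -n "$agent_cfg" ] && jms_appender_active "$agent_cfg"; then
        echo "FINDING: active JMSAppender in agent config $agent_cfg (via $2)" >&2
        findings=$((findings + 1))
    fi
    if jar_has_jms_appender "$3"; then
        echo "FINDING: $3 still contains org/apache/log4j/net/JMSAppender.class" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# --- Constructed sample input (not from a real install) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/log4j.properties" <<'EOF'
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
  log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
EOF
cat > "$demo_dir/agent-log4j.properties" <<'EOF'
log4j.rootLogger=INFO, console
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.console=org.apache.log4j.ConsoleAppender
EOF
cat > "$demo_dir/wrapper.conf" <<EOF
wrapper.java.additional.1=-Dbamboo.home=/var/atlassian/bamboo-agent
wrapper.java.additional.2=-Dlog4j.configuration=file:$demo_dir/agent-log4j.properties
EOF

# Real usage: audit_bamboo_log4j "$BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/classes/log4j.properties" \
#   "<bamboo-agent-home>/conf/wrapper.conf" \
#   "$BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar"
# Here the jar argument is /dev/null, so only the active server appender is reported.
audit_bamboo_log4j "$demo_dir/log4j.properties" "$demo_dir/wrapper.conf" /dev/null
```

Run it against the real paths named above on the server and on each remote agent; a count above zero means one of the workarounds has not been fully applied. After swapping the jar under Workaround #1, jar_has_jms_appender on the new jar tells you whether the appender class is still on the classpath at all; a commented-out appender in Workaround #2 is not reported, because Log4j ignores it.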
Issue links: is action for BDEV-16896
[BAM-21588] log4j dependency is exposed to CVE-2021-4104
Remote Link | New: This issue links to "Page (Confluence)" [ 1005583 ] |
Remote Link | Original: This issue links to "BDEV-16896 (Jira)" [ 616985 ] | New: This issue links to "BDEV-16896 (Hello Jira)" [ 616985 ] |
Remote Link | New: This issue links to "Page (Confluence)" [ 664219 ] |
Description |
Original:
h3. Issue Summary
log4j-1.2.17-atlassian-3 is exposure to [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] if JMSAppender is used. More details at [https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html] h3. Steps to Reproduce # Configure JMSAppender at log4j properties # Follow steps at [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] to affect Bamboo instance h3. Expected Results Instance is not affected h3. Actual Results Instance might be affected h3. Workaround * Remove usage of JMSAppender * Shutdown Bamboo and replace {{$BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar}} with [log4j-1.2.17-atlassian-15.jar|https://packages.atlassian.com/artifactory/maven-3rdparty-local/log4j/log4j/1.2.17-atlassian-15/log4j-1.2.17-atlassian-15.jar] |
New:
h3. Issue Summary
log4j-1.2.17-atlassian-3 is exposure to [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] if JMSAppender is used (which is not configured by default) More details at [https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html] h3. Steps to Reproduce # Configure JMSAppender at log4j properties # Follow steps at [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] to affect Bamboo instance h3. Expected Results Instance is not affected h3. Actual Results Instance might be affected h3. Workaround h6. Workaround #1 Shutdown Bamboo and replace {{$BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar}} with [log4j-1.2.17-atlassian-15.jar|https://packages.atlassian.com/artifactory/maven-3rdparty-local/log4j/log4j/1.2.17-atlassian-15/log4j-1.2.17-atlassian-15.jar] h6. Workaround #2 Remove any custom logging configuration for the JMS Appender on both the Bamboo Server ({{$BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/classes/log4j.properties}} and Bamboo remote agents as follows: If you have a properties file specified for the variable {{wrapper.java.additional.X=-Dlog4j.configuration}} (in {{<bamboo-agent-home>/conf/wrapper.conf}}), check if the org.apache.log4j.net.JMSAppender is present in the properties file. If it is, you will need to comment it out or remove it. |
Description |
Original:
h3. Issue Summary
log4j-1.2.17-atlassian-3 is exposure to [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] if JMSAppender is used. More details at [https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html] h3. Steps to Reproduce # Configure JMSAppender at log4j properties # Follow steps at [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] to affect Bamboo instance h3. Expected Results Instance is not affected h3. Actual Results Instance might be affected h3. Workaround * Remove usage of JMSAppender * Shutdown Bamboo and replace {{$BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar}} with [log4j-1.2.17-atlassian-15|https://packages.atlassian.com/artifactory/maven-3rdparty-local/log4j/log4j/1.2.17-atlassian-15/log4j-1.2.17-atlassian-15.jar] |
New:
h3. Issue Summary
log4j-1.2.17-atlassian-3 is exposure to [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] if JMSAppender is used. More details at [https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html] h3. Steps to Reproduce # Configure JMSAppender at log4j properties # Follow steps at [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] to affect Bamboo instance h3. Expected Results Instance is not affected h3. Actual Results Instance might be affected h3. Workaround * Remove usage of JMSAppender * Shutdown Bamboo and replace {{$BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar}} with [log4j-1.2.17-atlassian-15.jar|https://packages.atlassian.com/artifactory/maven-3rdparty-local/log4j/log4j/1.2.17-atlassian-15/log4j-1.2.17-atlassian-15.jar] |
Description |
Original:
h3. Issue Summary
log4j-1.2.17-atlassian-3 is exposure to [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] if JMSAppender is used. More details at [https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html] h3. Steps to Reproduce # Configure JMSAppender at log4j properties # Follow steps at [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] to affect Bamboo instance h3. Expected Results Instance is not affected h3. Actual Results Instance might be affected h3. Workaround * Remove usage of JMSAppender * Replace log4j-1.2.17-atlassian-3 with [log4j-1.2.17-atlassian-15|https://packages.atlassian.com/artifactory/maven-3rdparty-local/log4j/log4j/1.2.17-atlassian-15/log4j-1.2.17-atlassian-15.jar] |
New:
h3. Issue Summary
log4j-1.2.17-atlassian-3 is exposure to [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] if JMSAppender is used. More details at [https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html] h3. Steps to Reproduce # Configure JMSAppender at log4j properties # Follow steps at [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104] to affect Bamboo instance h3. Expected Results Instance is not affected h3. Actual Results Instance might be affected h3. Workaround * Remove usage of JMSAppender * Shutdown Bamboo and replace {{$BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar}} with [log4j-1.2.17-atlassian-15|https://packages.atlassian.com/artifactory/maven-3rdparty-local/log4j/log4j/1.2.17-atlassian-15/log4j-1.2.17-atlassian-15.jar] |
Fix Version/s | Original: 7.2.8 [ 99894 ] |
Assignee | New: Alexey Chystoprudov [ achystoprudov ] |
Fix Version/s | New: 7.2.8 [ 99894 ] |
Fix Version/s | New: 8.2.0 [ 99297 ] |