• Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 8.1.2, 8.0.6, 8.2.0
    • Affects Version/s: 7.0.0, 7.1.0, 7.2.0, 8.1.1
    • Component/s: Installation
    • Labels: None

      Issue Summary

      log4j-1.2.17-atlassian-3 is exposed to CVE-2021-4104 if JMSAppender is used (which is not configured by default).

      More details at https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

      Steps to Reproduce

      1. Configure JMSAppender at log4j properties
      2. Follow steps at CVE-2021-4104 to affect Bamboo instance

      Expected Results

      Instance is not affected

      Actual Results

      Instance might be affected

      Workaround

      Workaround #1

      Shut down Bamboo and replace $BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar with log4j-1.2.17-atlassian-15.jar

      Workaround #2

      Remove any custom logging configuration for the JMS Appender on both the Bamboo Server ($BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/classes/log4j.properties) and Bamboo remote agents, as follows:

      If you have a properties file specified for the variable wrapper.java.additional.X=-Dlog4j.configuration (in <bamboo-agent-home>/conf/wrapper.conf), check if the org.apache.log4j.net.JMSAppender is present in the properties file. If it is, you will need to comment it out or remove it.
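As an added example (not part of the Atlassian issue or of Bamboo itself), the checks behind Workaround #2 in Python: it lists active JMSAppender definitions in a log4j.properties file, comments them out (and drops them from log4j.rootLogger so log4j does not reference a missing appender), and resolves the properties file that an agent's wrapper.conf passes via -Dlog4j.configuration. The sample properties text is constructed and the helper names are assumptions.

```python
import re

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)")
WRAPPER_RE = re.compile(r"^\s*wrapper\.java\.additional\.\d+\s*=\s*-Dlog4j\.configuration=(\S+)")

def jms_appender_names(properties_text):
    """Names of appenders whose class is JMSAppender; commented-out lines are ignored."""
    names = []
    for line in properties_text.splitlines():
        m = APPENDER_RE.match(line)
        if m and m.group(2) == JMS_APPENDER:
            names.append(m.group(1))
    return names

def disable_jms_appenders(properties_text):
    """Return (new_text, changed): JMSAppender keys commented out, names removed from rootLogger."""
    names = jms_appender_names(properties_text)
    if not names:
        return properties_text, False
    out = []
    for line in properties_text.splitlines():
        key, _, value = line.strip().partition("=")
        key = key.strip()
        if any(key == f"log4j.appender.{n}" or key.startswith(f"log4j.appender.{n}.") for n in names):
            out.append("#" + line)          # keep the original text, just disabled
        elif key == "log4j.rootLogger":
            level, *refs = [p.strip() for p in value.split(",")]
            out.append("log4j.rootLogger=" + ", ".join([level] + [r for r in refs if r not in names]))
        else:
            out.append(line)
    return "\n".join(out) + "\n", True

def agent_log4j_config(wrapper_conf_text):
    """Properties file an agent's wrapper.conf points -Dlog4j.configuration at, or None."""
    for line in wrapper_conf_text.splitlines():
        m = WRAPPER_RE.match(line)
        if m:
            return m.group(1)
    return None

# Constructed sample (not a real Bamboo file): a JMS appender wired into the root logger.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=WARN, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
#log4j.appender.old=org.apache.log4j.net.JMSAppender
"""
```

Run jms_appender_names over the server's log4j.properties and over whatever agent_log4j_config returns for each agent's wrapper.conf, and write the output of disable_jms_appenders back only after backing up the file.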

            [BAM-21588] log4j dependency is exposed to CVE-2021-4104

            Santhosh Thokur Raghava made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 1005583 ]
            Eduardo Alvarenga (Inactive) made changes -
            Remote Link Original: This issue links to "BDEV-16896 (Jira)" [ 616985 ] New: This issue links to "BDEV-16896 (Hello Jira)" [ 616985 ]
            Eduardo Alvarenga (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 664219 ]
            Jeremy Owen made changes -
            Description updated: noted that JMSAppender is not configured by default, and split the workaround into #1 (replace the jar) and #2 (remove JMSAppender configuration on the server and remote agents)
            Jeremy Owen made changes -
            Description updated: link text corrected to log4j-1.2.17-atlassian-15.jar
            Jeremy Owen made changes -
            Description updated: replacement step now names the full path $BAMBOO_INSTALL/atlassian-bamboo/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar and asks to shut down Bamboo first
            Marcin Gardias made changes -
            Fix Version/s Original: 7.2.8 [ 99894 ]
            Alexey Chystoprudov made changes -
            Assignee New: Alexey Chystoprudov [ achystoprudov ]
            Alexey Chystoprudov made changes -
            Fix Version/s New: 7.2.8 [ 99894 ]
            Alexey Chystoprudov made changes -
            Fix Version/s New: 8.2.0 [ 99297 ]
