[CONFSERVER-59549] Apache Log4j - Arbitrary Code Execution in confserver/confluence (master) - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 6.6.18, 7.4.1, 7.5.1, 7.6.0
Affects Version/s: 7.3.0, 7.4.0
Component/s: Server - Platform
Labels:

Fixed in Long Term Support Release/s:

Download 6.6, 7.4
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

Arbitrary Code Execution in confserver/confluence (master)

Steps to Reproduce

Vulnerability: Arbitrary Code Execution
Severity: High
Project: confserver/confluence
Branch: master
Scan Date: Unknown
Vulnerability ID: CVE-2019-17571

log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in `TcpSocketServer` and `UdpSocketServer` when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget.

View more details

Expected Results

N/A

Actual Results

N/A

Workaround

N/A

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(5 mentioned in)

Denise Unterwurzacher [Atlassian] (Inactive) added a comment - 07/Jul/2022 7:58 PM

7d00cd4efe44 No you wouldn't have this issue in 7.13.2, the issue was fixed in all version above Confluence 7.6.0

Denise Unterwurzacher [Atlassian] (Inactive) added a comment - 07/Jul/2022 7:58 PM 7d00cd4efe44 No you wouldn't have this issue in 7.13.2 , the issue was fixed in all version above Confluence 7.6.0

lance_lyons added a comment - 05/Jul/2022 10:07 PM

Would we have this issue with Confluence 7.13.2

lance_lyons added a comment - 05/Jul/2022 10:07 PM Would we have this issue with Confluence 7.13.2

Ellen Oates added a comment - 11/Jun/2020 10:05 AM

If you're running the Confluence 7.4 Enterprise release, a fix for this issue is now available in Confluence 7.4.1, which you can find in the Download Archives.

Ellen Oates added a comment - 11/Jun/2020 10:05 AM If you're running the Confluence 7.4 Enterprise release, a fix for this issue is now available in Confluence 7.4.1, which you can find in the Download Archives .

Ellen Oates added a comment - 05/Jun/2020 11:27 AM

A fix for this issue is available to Server and Data Center customers in Confluence 7.5.1
Upgrade now or check out the Release Notes to see what other issues are resolved.

Ellen Oates added a comment - 05/Jun/2020 11:27 AM A fix for this issue is available to Server and Data Center customers in Confluence 7.5.1 Upgrade now or check out the Release Notes to see what other issues are resolved.

Assignee:: Hasnae (Inactive)

Reporter:: Andrei Khudavets

Affected customers:: 1 This affects my team

Watchers:: 15 Start watching this issue

Created:: 02/Mar/2020 3:58 AM

Updated:: 07/Jul/2022 7:58 PM

Resolved:: 05/Jun/2020 10:13 AM

Confluence Data Center

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

[CONFSERVER-59549] Apache Log4j - Arbitrary Code Execution in confserver/confluence (master)

Collapse comment: Denise Unterwurzacher [Atlassian] (Inactive) added a comment - 07/Jul/2022 7:58 PM

Expand comment: Denise Unterwurzacher [Atlassian] (Inactive) added a comment - 07/Jul/2022 7:58 PM

Collapse comment: lance_lyons added a comment - 05/Jul/2022 10:07 PM

Expand comment: lance_lyons added a comment - 05/Jul/2022 10:07 PM

Collapse comment: Ellen Oates added a comment - 11/Jun/2020 10:05 AM

Expand comment: Ellen Oates added a comment - 11/Jun/2020 10:05 AM

Collapse comment: Ellen Oates added a comment - 05/Jun/2020 11:27 AM

Expand comment: Ellen Oates added a comment - 05/Jun/2020 11:27 AM

People

Dates