Log4J version 1.2.17-atlassian-3 used in Fisheye and Crucible is vulnerable to CVE-2021-4104. The JMSAppender in Log4J 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4J configuration. Note this issue only affects Log4J 1.2 when specifically configured to use JMSAppender, which is not the default.

The vulnerability has been fixed in Log4J version 1.2.17-atlassian-15, in which the JMS-related code has been deleted, so that it's even not possible to configure the JMSAppender.

Affected Fisheye / Crucible versions:

< 4.8.9

Fix version:

4.8.9

Notes:

Please note that Log4j 1.2.x is not vulnerable to CVE-2021-44228.

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-4104

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q