Update Log4J to 1.2.17-atlassian-15 to fix CVE-2021-4104

XMLWordPrintable

    • 3.9
    • Low
    • CVE-2021-4104

      Log4J version 1.2.17-atlassian-3 used in Fisheye and Crucible is vulnerable to CVE-2021-4104. The JMSAppender in Log4J 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4J configuration. Note this issue only affects Log4J 1.2 when specifically configured to use JMSAppender, which is not the default.

      The vulnerability has been fixed in Log4J version 1.2.17-atlassian-15, in which the JMS-related code has been deleted, so that it's even not possible to configure the JMSAppender.

      Affected Fisheye / Crucible versions:

      < 4.8.9

      Fix version:

      4.8.9

      Notes:

      Please note that Log4j 1.2.x is not vulnerable to CVE-2021-44228.

      References:

      https://nvd.nist.gov/vuln/detail/CVE-2021-4104

      https://nvd.nist.gov/vuln/detail/CVE-2021-44228

      https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

            Assignee:
            Unassigned
            Reporter:
            Security Metrics Bot
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: