Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-62838

Upgrade to log4j 2.x

XMLWordPrintable

    • 805
    • 1
    • Hide

      Hello all,

      In order to take the extra step to ensure continued compliance, we announced in August that we would upgrade Log4J to >= 2.17.2 within an expedited timeframe. Knowing this would be a breaking change, we wanted to make sure and mitigate the impact on the Ecosystem.

      Today that update is live with the release of Jira Software 9.5 and Jira Service Management 5.5.  

      What are my options?

      Customers wanting to remove atlassian/log4j1 from their surface may now do so with the 9.5 / 5.5 upgrade. Download Jira Software 9.5 or Jira Service Management 5.5. Please note these upgrades include breaking changes.

      Customers who do not wish to upgrade to Log4j 2 at this time may remain on their supported version. 

      The next Jira LTS (planned for later in 2023) will include the Log4J 2 upgrade.

      Should you require more details about the technical aspects of the change or is with the need of upgrading your plugin, application, or in-house solution please make sure to consult

      Thanks,

      Andrzej Kotas

      Jira DC Product Manager 

      Show
      Hello all, In order to take the extra step to ensure continued compliance, we announced in August that we would upgrade Log4J to >= 2.17.2 within an expedited timeframe. Knowing this would be a breaking change, we wanted to make sure and mitigate the impact on the Ecosystem. Today that update is live with the release of Jira Software 9.5 and Jira Service Management 5.5 .   What are my options? Customers wanting to remove atlassian/log4j1 from their surface may now do so with the 9.5 / 5.5 upgrade. Download  Jira Software 9.5  or  Jira Service Management 5.5 . Please note these upgrades include breaking changes. Customers who do not wish to upgrade to Log4j 2 at this time may remain on their supported version.  The next Jira LTS (planned for later in 2023) will include the Log4J 2 upgrade. Should you require more details about the technical aspects of the change or is with the need of upgrading your plugin, application, or in-house solution please make sure to consult Log4j upgrade update Logging and profiling   Important directories and files Thanks, Andrzej Kotas Jira DC Product Manager 
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      A version of Log4j 1.2.17 which has been shipping with JIRA is not supported anymore.

      Suggested Solution

      Upgrade to a supported version of Log4j 2.x. See http://logging.apache.org/log4j/2.x/

      Workaround

      None

      Note on CVE-2021-44228

      Short summary: not vulnerable to CVE-2021-44228

      Details:
      quote from FAQ for CVE-2021-44228

      ...
      Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228.
      We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low.

      Note on CVE-2019-17571

      Short summary: not vulnerable to CVE-2019-17571

      Details:
      Vulnerability details: CVE-2019-17571 and Deserialization of Untrusted Data

      SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.

      • The vulnerability can only be exploited if log4j is configured to receive log messages from other systems over TCP or UDP, this is not a default setting .
      • Also, Jira uses Atlassian-maintained fork of Log4j (1.2.17-atlassian-3). In that version, we deleted the code affected by CVE-2019-17571, so it's no longer even possible to configure it to make the vulnerability exploitable .

              Unassigned Unassigned
              76751a84ac4d SiriusXM Atlassian Administrator
              Votes:
              248 Vote for this issue
              Watchers:
              246 Start watching this issue

                Created:
                Updated:
                Resolved: