Details
-
Suggestion
-
Resolution: Done
-
805
-
1
-
-
Description
Problem Definition
A version of Log4j 1.2.17 which has been shipping with JIRA is not supported anymore.
Suggested Solution
Upgrade to a supported version of Log4j 2.x. See http://logging.apache.org/log4j/2.x/
Workaround
None
Note on CVE-2021-44228
Short summary: not vulnerable to CVE-2021-44228
Details:
quote from FAQ for CVE-2021-44228
...
Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228.
We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low.
Note on CVE-2019-17571
Short summary: not vulnerable to CVE-2019-17571
Details:
Vulnerability details: CVE-2019-17571 and Deserialization of Untrusted Data
SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
- The vulnerability can only be exploited if log4j is configured to receive log messages from other systems over TCP or UDP, this is not a default setting
. - Also, Jira uses Atlassian-maintained fork of Log4j (1.2.17-atlassian-3). In that version, we deleted the code affected by CVE-2019-17571, so it's no longer even possible to configure it to make the vulnerability exploitable
.
Attachments
Issue Links
- is related to
-
JRASERVER-62958 Enabling access logging might cause JIRA to stall
-
- Gathering Impact
-
-
JRASERVER-73885 Jira: Multiple vulnerabilities in log4j < 1.2.17-atlassian-16
-
- Published
-
- relates to
-
-
- Gathering Impact
-
-
- Closed
- mentioned in
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-