-
Public Security Vulnerability
-
Resolution: Fixed
-
Low
-
8.13.20, 8.22.2, 8.20.8
-
None
-
8.1
-
High
-
CVE-2020-9493
The version of log4j used by Jira has been updated from version 1.2.17-atlassian-3 to 1.2.17-atlassian-16 to address the following vulnerabilities:
CVE-2021-4104
JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update the Jira configuration can exploit this to execute arbitrary code. Jira is not configured to use JMSAppender, nor does Atlassian provide any documentation on using JMSAppender with Jira. Atlassian has remediated this vulnerability by preventing external JNDI lookups in the Atlassian version of log4j.
CVE-2020-9493 and CVE-2022-23307
Apache Chainsaw is bundled with log4j 1.2.x, and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed manually. It is not required by Jira, nor is it executed by default, nor does Atlassian provide any documentation on using Chainsaw with Jira. Atlassian has remediated this vulnerability by removing Chainsaw from the Atlassian version of log4j.
CVE-2022-23302
JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Jira configuration can exploit this to execute arbitrary code. Jira is not configured to use JMSSink by default, nor does Atlassian provide any documentation on using JMSSink with Jira. Atlassian has remediated this vulnerability by removing JMSSink from the Atlassian version of log4j.
CVE-2022-23305
JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter (%m). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Jira is not configured to use JDBCAppender by default, nor does Atlassian provide any documentation on using JDBCAppender with Jira. Atlassian has remediated this vulnerability by removing JDBCAppender from the Atlassian version of log4j.
Affected versions of Jira:
- Versions < 8.13.21
- All versions 8.14.x through 8.19.x
- Versions 8.21.x
- Versions 8.22.x < 8.22.3
Fixed versions of Jira:
- Versions 8.13.x >= 8.13.21
- Versions 8.20.x >= 8.20.9
- Versions 8.22.x >= 8.22.3
- Versions >= 9.0.0
- relates to
-
JRASERVER-62838 Upgrade to log4j 2.x
- Closed
- mentioned in
-
Page Loading...