Upgrade Apache Log4j to 2.25.3


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Data Center - Apps

      Hello - we are working on bumping log4j to a secure version but we also wanted to ensure that Jira is not vulnerable.

      Jira DC uses Log4j2 2.20.0 (a version within the vulnerable range).
      Exploitation requires an active SocketAppender or SocketServer/TcpSocketServer,
      but we've confirmed that we are not using these,
      so the vulnerable component of this library is simply not used by Jira DC.


      Jira is currently using a version of Apache Log4J earlier than 2.25.3. As a result, our automated security scanners are triggering for CVE-2025-68161.
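      The two facts discussed above (the bundled log4j-core version against the 2.25.3 target in the title, and whether the Log4j2 configuration declares a Socket appender and whether any logger actually references it) can be checked offline. The script below is an added example, not code from this issue, from Atlassian, or from the Log4j project. The jar names and the XML configuration it runs on are constructed samples; the 2.25.3 threshold and the "Socket appender" condition are taken from this issue rather than from the CVE advisory, and the config path you would feed it is an assumption for your own installation.

```python
"""Offline assessment of a Log4j2 deployment for the two conditions in this issue:
(1) is the bundled log4j-core older than the 2.25.3 target named in the title, and
(2) does the Log4j2 XML configuration declare a Socket appender, and is it
    referenced by any logger (declared but unreferenced appenders are not active)?
Sample inputs below are constructed for illustration, not taken from Jira."""
import re
import xml.etree.ElementTree as ET

TARGET_VERSION = (2, 25, 3)  # version this issue asks to upgrade to (assumption: from the title)

# Matches the log4j-core jar name; other log4j-* jars are deliberately ignored.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

# Constructed sample: jar names as they might appear in a WEB-INF/lib listing.
SAMPLE_JARS = ["log4j-api-2.20.0.jar", "log4j-core-2.20.0.jar", "slf4j-api-1.7.36.jar"]

# Constructed sample: a Socket appender is declared but no logger references it.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %m%n"/>
    </Console>
    <Socket name="remote" host="logs.example.invalid" port="4560">
      <PatternLayout pattern="%m%n"/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="stdout"/>
    </Root>
  </Loggers>
</Configuration>"""


def core_version(jar_names):
    """Return (major, minor, patch) of log4j-core among the jar names, or None if absent."""
    for name in jar_names:
        m = JAR_RE.search(name)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def needs_upgrade(jar_names, target=TARGET_VERSION):
    """True when log4j-core is present and older than the target version."""
    v = core_version(jar_names)
    return v is not None and v < target


def _local(tag):
    """Strip an XML namespace prefix so tag comparisons stay simple."""
    return tag.split("}")[-1]


def socket_appenders(config_xml):
    """Names of Socket appenders declared under <Appenders>.
    Handles both the <Socket .../> element form and <Appender type="Socket" .../>."""
    root = ET.fromstring(config_xml)
    found = []
    for appenders in root.iter("Appenders"):
        for app in appenders:
            tag = _local(app.tag)
            if tag == "Socket" or (tag == "Appender" and app.get("type") == "Socket"):
                found.append(app.get("name", "<unnamed>"))
    return found


def active_socket_appenders(config_xml):
    """Subset of declared Socket appenders that some logger references via <AppenderRef>."""
    root = ET.fromstring(config_xml)
    referenced = {ref.get("ref") for ref in root.iter("AppenderRef")}
    return [name for name in socket_appenders(config_xml) if name in referenced]


def assess(jar_names, config_xml):
    """Combine both checks into one report dict for a scanner ticket or a change record."""
    v = core_version(jar_names)
    return {
        "version": ".".join(map(str, v)) if v else None,
        "needs_upgrade": needs_upgrade(jar_names),
        "declared_socket_appenders": socket_appenders(config_xml),
        "active_socket_appenders": active_socket_appenders(config_xml),
    }


if __name__ == "__main__":
    # Replace the samples with a real jar listing and the contents of your log4j2.xml.
    for key, value in assess(SAMPLE_JARS, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

      On the constructed sample the report says the core jar is 2.20.0 and needs the upgrade, that one Socket appender ("remote") is declared, and that none is active, which is the distinction the comment above relies on: a declared-but-unreferenced appender does not satisfy the "active SocketAppender" condition. The check does not look inside Async or Routing wrappers, so treat a clean result as a starting point for the manual review, not a substitute for it.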

    • Assignee: Unassigned
    • Reporter: Herb Lamb
    • Votes: 7
    • Watchers: 13