Summary

This zero-day exploit affects log4j 2.x+, which Jira, Confluence and, by extension, our apps do not use.

Default Jira/Confluence are not vulnerable

Jira/Confluence ships with log4j 1.2.x, which by default is not vulnerable. Customizations to the log4j config can introduce the exploit; see the Atlassian FAQ for more.
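
A defender-side check for the two conditions described above, added here as an example that is not part of the original page or any vendor tooling: it walks an installation directory, separates log4j 1.x jars from log4j 2.x core jars by file name, and flags log4j config lines that enable `org.apache.log4j.net.JMSAppender`. The appender name is an assumption from general log4j 1.x knowledge (it is the 1.x appender that performs JNDI lookups) and is not named on this page; the directory layout and file names in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Log4j 2.x ships its engine as log4j-core-2.*.jar; Log4j 1.x is a single log4j-1.2.*.jar.
JAR_RE = re.compile(r"^log4j-(core-)?(\d+)\.[^/]*\.jar$")
CONFIG_NAMES = {"log4j.properties", "log4j.xml"}
# Assumption, not named on this page: the Log4j 1.x appender that performs JNDI lookups.
JNDI_APPENDER = "org.apache.log4j.net.JMSAppender"


def audit(root):
    """Return sorted findings for jars and config lines under root."""
    report = {"log4j1": [], "log4j2_core": [], "jms_config": []}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        m = JAR_RE.match(path.name)
        if m and m.group(1) and m.group(2) == "2":
            report["log4j2_core"].append(rel)
        elif m and not m.group(1) and m.group(2) == "1":
            report["log4j1"].append(rel)
        elif path.name in CONFIG_NAMES:
            lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
            for lineno, line in enumerate(lines, 1):
                text = line.strip()
                # Skip .properties comment lines so a disabled appender is not reported.
                if JNDI_APPENDER in text and not text.startswith(("#", "!")):
                    report["jms_config"].append((rel, lineno))
    return {key: sorted(value) for key, value in report.items()}


def demo():
    """Audit a constructed tree: stock 1.2.x jar, a bundled 2.x core jar, two configs."""
    files = {
        "WEB-INF/lib/log4j-1.2.17.jar": "",
        "plugins/log4j-core-2.14.1.jar": "",
        "WEB-INF/classes/log4j.properties":
            "# log4j.appender.old=org.apache.log4j.net.JMSAppender\n"
            "log4j.appender.console=org.apache.log4j.ConsoleAppender\n",
        "custom/log4j.properties":
            "log4j.rootLogger=WARN, jms\n"
            "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit(root)
```

Matching is by file name only, so jars repackaged inside other archives are not seen, and a commented-out appender in `log4j.xml` is still reported.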

Validation

We did our own validation using https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce, through which we verified the exploit. We then verified that the version of log4j shipped with Atlassian did not result in a replication.

JEMH Specific testing

As JEMH specifically processes user-generated content, we have also verified that the exploit doesn’t work from email content with default configurations of log4j.
