Summary
This zero-day exploit affects log4j 2.x+, which Jira, Confluence and, by extension, our apps do not use.
Default Jira/Confluence are not vulnerable
Jira/Confluence ship with log4j 1.2.x, which by default is not vulnerable. Customizations to the log4j config can introduce the exploit; see the Atlassian FAQ for more.
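A configuration check an administrator could run against a customized log4j 1.x properties file, added here as an example and not taken from Atlassian or the JEMH project. It assumes the customization of concern is an active `org.apache.log4j.net.JMSAppender` entry, which this page does not name, and it covers the properties format only, not `log4j.xml`. The function names and the sample config are constructed for illustration.

```python
import re

# Assumption: class name of the log4j 1.x JMS appender (not named on this page).
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# Matches "log4j.appender.<name> = <class>" but not sub-properties such as
# "log4j.appender.<name>.TopicBindingName = ...".
_APPENDER = re.compile(r"^log4j\.appender\.([^.=:\s]+)\s*[=:\s]\s*(\S+)\s*$")

# Constructed sample, not taken from any real installation.
SAMPLE = r"""
# logging for a customized instance
log4j.rootLogger=WARN, console, audit
log4j.appender.console=org.apache.log4j.ConsoleAppender
#log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.audit = \
    org.apache.log4j.net.JMSAppender
log4j.appender.audit.TopicBindingName=exampleTopic
"""


def logical_lines(text):
    """Yield property lines with comments dropped and '\\' continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            pending += line[:-1]  # value continues on the next line
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def jms_appenders(text):
    """Return the names of active appenders whose class is JMSAppender."""
    found = []
    for line in logical_lines(text):
        m = _APPENDER.match(line)
        if m and m.group(2) == JMS_APPENDER:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    print(jms_appenders(SAMPLE))
```

An empty result means no active JMS appender is declared in the file; the commented-out entry in the sample is deliberately ignored.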
Validation
We did our own validation using https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce, through which we verified the exploit. We then verified that the version of log4j shipped with Atlassian did not result in a replication.
JEMH Specific testing
As JEMH specifically processes user-generated content, we have also verified that the exploit doesn’t work from email content with default configurations of log4j.
Related links: