CVE-2021-44228 - log4shell, and CVE-2021-45046
Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Summary
A vulnerability affecting the Java logging library Apache Log4j 2 has been publicly disclosed for versions 2.0.x to 2.15.0. On-premises Jira and Confluence instances, and by extension our apps, do not use the affected library. However, your instance may still be exposed depending on its local configuration.
See the Atlassian FAQ for more:
Impact
All our apps use the platform-provided log4j implementation, which is 1.2.x, so they are not vulnerable to this exploit.
Validation
We have performed our own validation using a proof-of-concept found online. We verified that the exploit could not be reproduced against the version of log4j shipped with Jira when using the default logger configuration.
App-specific testing
As JEMH specifically processes user-supplied content, we have also verified that the exploit does not work from email content with the default log4j configuration.
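For administrators who want to confirm the same thing on their own instance, the following script (an added example, not the vendor's own tooling) walks an install directory, reads the Maven version from every log4j jar it finds, and classifies each jar against the version ranges stated in this advisory. The install layout, jar names and the sample jars it builds in a temporary directory are constructed for the example; point it at a real Jira or Confluence install directory to scan that instead.

```python
"""
Added example (not part of the advisory): scan an install directory for
log4j jars and classify each against the advisory's version ranges.
The sample install tree built below is constructed, not a real product layout.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Version ranges stated in the advisory
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 15, 0)   # 2.15.0 is still affected (CVE-2021-45046)


def parse_version(text):
    """Return (major, minor, patch) from strings like '2.14.1' or '1.2.17-atlassian-13'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def log4j_version_from_jar(jar_path):
    """Read the artifact version from the jar's Maven pom.properties.
    Falls back to the version embedded in the filename when none is present."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties") and "log4j" in name:
                lines = zf.read(name).decode().splitlines()
                props = dict(line.split("=", 1) for line in lines
                             if "=" in line and not line.startswith("#"))
                if "version" in props:
                    return props["version"].strip()
    m = re.search(r"log4j(?:-core|-api)?-(\d[^/]*)\.jar$", os.path.basename(jar_path))
    return m.group(1) if m else None


def classify(version):
    """Map a log4j version string to the categories the advisory describes."""
    v = parse_version(version) if version else None
    if v is None:
        return "unknown"
    if version.startswith("1.2."):
        return "log4j-1.2.x (not affected by CVE-2021-44228/CVE-2021-45046)"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "AFFECTED (2.0.x - 2.15.0)"
    if v[0] == 2:
        return "log4j 2.x outside the stated affected range"
    return "unknown"


def scan(root):
    """Walk root and return {relative jar path: (version, classification)} for every log4j jar."""
    root = Path(root)
    results = {}
    for path in root.rglob("*.jar"):
        if "log4j" not in path.name:
            continue
        version = log4j_version_from_jar(path)
        results[str(path.relative_to(root))] = (version, classify(version))
    return results


def build_sample_install():
    """Create a constructed install tree with minimal jars (a pom.properties each)
    so the scanner can be exercised offline. Returns the root directory."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    samples = {  # constructed paths and versions
        "atlassian-jira/WEB-INF/lib/log4j-1.2.17-atlassian-13.jar":
            ("log4j", "log4j", "1.2.17-atlassian-13"),
        "plugins/installed-plugins/app-a/log4j-core-2.14.1.jar":
            ("org.apache.logging.log4j", "log4j-core", "2.14.1"),
        "plugins/installed-plugins/app-b/log4j-core-2.15.0.jar":
            ("org.apache.logging.log4j", "log4j-core", "2.15.0"),
        "plugins/installed-plugins/app-c/log4j-core-2.16.0.jar":
            ("org.apache.logging.log4j", "log4j-core", "2.16.0"),
    }
    for rel, (group, artifact, version) in samples.items():
        jar = root / rel
        jar.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"# constructed\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
    return root


if __name__ == "__main__":
    for jar, (ver, verdict) in sorted(scan(build_sample_install()).items()):
        print(f"{verdict:60} {ver:22} {jar}")
```

The script reads the version from each jar's own metadata rather than trusting the filename, because repackaged jars (such as the Atlassian-patched 1.2.17 build) do not always carry a conventional name; a jar with neither metadata nor a recognisable filename is reported as unknown rather than silently skipped.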
Our App log4j Dependencies
New releases of our apps specifically use log4j version 1.2.17-atlassian-13 (or higher), which is not vulnerable to these exploits. The app versions that include this update are listed below:
| App | Version | Host Platform Compatibility |
|---|---|---|
| Enterprise Mail Handler for Jira | 3.3.71+ | Jira 8.0.0 - 8.21.0 |
| Custom Space User Management for Confluence (CSUM) | 3.1.6+ | Confluence 6.13.0 - 7.15.0 |
| SU for Jira | 1.12.5+ | Jira 8.0.0 - 8.21.0 |
| SU for Confluence | 2.5.3+ | Confluence 6.13.0 - 7.15.0 |
| LaTeX and MathJax for Confluence | 1.7.7+ | Confluence 7.0.1 - 7.15.0 |
| Enterprise Email Queue for Jira (EMQ) | 1.9.26+ | Jira 8.0.0 - 8.21.0 |
| Project User Manager for Jira (PUM) | 1.2.2+ | Jira 8.0.0 - 8.21.0 |
Unaffected Apps
The following apps do not use log4j at all, so this advisory does not apply to them:
Enterprise Mail Handler for Jira Cloud (JEMHC)
SU for Bitbucket