CVE-2021-44228 (Log4Shell) and CVE-2021-45046

Reference

Summary

A vulnerability affecting the Java logging library Apache Log4j 2 has been publicly disclosed for versions 2.0.x to 2.15.0. On-premises Jira and Confluence instances, and by extension our apps, do not use the affected library. However, your instance may still be exposed depending on local configuration.

See the Atlassian FAQ for more:

Impact

All our apps use the log4j implementation provided by the host platform, which is 1.2.x, and so are not vulnerable to this exploit.
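One way to confirm this on your own instance, as an added example that is not part of this advisory: the Python below classifies jar files by the log4j generation they contain and applies the affected range stated above (log4j-core 2.0.x to 2.15.0). The class path and Maven properties path are those of real log4j-core jars; the sample jars are constructed in memory for demonstration.

```python
import io
import re
import zipfile

# Class behind the CVE-2021-44228 JNDI lookup: present in log4j-core 2.x jars,
# never in log4j 1.2.x, which is the line Jira and Confluence bundle.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# Maven-built log4j-core jars record their version in this properties file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_jar(data: bytes) -> dict:
    """Report which log4j generation a jar carries and, for 2.x, its version."""
    info = {"log4j1": False, "log4j2_core": False, "jndi_lookup": False, "version": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        info["log4j1"] = LOG4J1_MARKER in names
        info["jndi_lookup"] = JNDI_LOOKUP in names
        if POM_PROPS in names:
            info["log4j2_core"] = True
            m = re.search(r"^version=(\S+)", zf.read(POM_PROPS).decode(), re.M)
            info["version"] = m.group(1) if m else None
    return info

def assess(info: dict) -> str:
    """Apply the advisory's affected range, log4j-core 2.0.x to 2.15.0."""
    if info["log4j2_core"]:
        m = re.match(r"(\d+)\.(\d+)", info["version"] or "")
        if not m:
            return "REVIEW: log4j-core 2.x, version unknown"
        if (2, 0) <= (int(m[1]), int(m[2])) <= (2, 15):
            # Deleting JndiLookup.class was the interim mitigation for 2.x users.
            return "VULNERABLE" if info["jndi_lookup"] else "MITIGATED: JndiLookup removed"
        return "log4j-core %s: outside the affected range" % info["version"]
    if info["log4j1"]:
        return "NOT AFFECTED: log4j 1.2.x"
    return "no log4j"

def make_jar(entries: dict) -> bytes:
    """Build a constructed in-memory jar for the demonstration below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: the platform's log4j 1.2.x jar and a vulnerable 2.14.1 core.
SAMPLES = {
    "log4j-1.2.17-atlassian-13.jar": make_jar({LOG4J1_MARKER: b""}),
    "log4j-core-2.14.1.jar": make_jar({JNDI_LOOKUP: b"", POM_PROPS: "version=2.14.1\n"}),
}
```

On a real instance, feed `inspect_jar` the bytes of each jar under the Jira or Confluence installation and its installed-plugins directory.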

Validation

We have performed our own validation using a proof-of-concept found online. We verified that the exploit could not be reproduced against the version of log4j shipped with Jira when using the default logger configuration.

App-specific testing

As JEMH specifically processes user-supplied content, we have also verified that the exploit does not work from email content with the default log4j configuration.

Our App log4j Dependencies

New releases of our apps will be specifically using log4j version 1.2.17-atlassian-13 (or higher) that is not vulnerable to these exploits. See below for app versions with this update:

| App | Version | Host Platform Compatibility |
| --- | --- | --- |
| Enterprise Mail Handler for Jira | 3.3.71+ | Jira 8.0.0 - 8.21.0 |
| Custom Space User Management for Confluence (CSUM) | 3.1.6+ | Confluence 6.13.0 - 7.15.0 |
| SU for Jira | 1.12.5+ | Jira 8.0.0 - 8.21.0 |
| SU for Confluence | 2.5.3+ | Confluence 6.13.0 - 7.15.0 |
| LaTeX and MathJax for Confluence | 1.7.7+ | Confluence 7.0.1 - 7.15.0 |
| Enterprise Email Queue for Jira (EMQ) | 1.9.26+ | Jira 8.0.0 - 8.21.0 |
| Project User Manager for Jira (PUM) | 1.2.2+ | Jira 8.0.0 - 8.21.0 |

Unaffected Apps

The following apps do not use log4j, so this advisory does not apply to them.

  • Enterprise Mail Handler for Jira Cloud (JEMHC)

  • SU for Bitbucket