Security Scans flag Log4j1.2.7 in Jira


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Jira uses a custom branch of log4j 1.2.7, which causes security scans to flag it as a vulnerability.

The version of log4j used by Jira is actually a forked branch, known as log4j1.2.7-atlassian-16, which is not affected by many of the library's known issues because the vulnerable code has been removed altogether.

Note on CVE-2021-44228

Short summary: not vulnerable to CVE-2021-44228

Details:
Quote from the FAQ for CVE-2021-44228:

...
Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228.
We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low.

Note on CVE-2019-17571

Short summary: not vulnerable to CVE-2019-17571

Details:
Vulnerability details: CVE-2019-17571 and Deserialization of Untrusted Data

Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data.

  • The vulnerability can only be exploited if log4j is configured to receive log messages from other systems over TCP or UDP; this is not a default setting.
  • Also, Jira uses an Atlassian-maintained fork of Log4j (1.2.17-atlassian-16). In that version, we deleted the code affected by CVE-2019-17571, so it is no longer even possible to configure it in a way that makes the vulnerability exploitable.
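Because scanners key on the version string rather than on what the jar contains, the most direct way to confirm the point above on a given installation is to list the jar's entries and check whether the SocketServer class is actually present. The following Python script is an added example, not Atlassian's code; the manifest key name it reads ("Implementation-Version") and the stand-in jars it builds for offline demonstration are assumptions.

```python
"""Added example (not Atlassian code): check a log4j 1.2.x jar for the
SocketServer class that CVE-2019-17571 concerns, instead of trusting the
version string that scanners key on."""
import io
import sys
import zipfile

# The class this page names as removed from the Atlassian fork.
FLAGGED_CLASSES = ("org/apache/log4j/net/SocketServer.class",)


def inspect_log4j_jar(jar_bytes: bytes) -> dict:
    """Report the manifest version (key name 'Implementation-Version' is an
    assumption) and which flagged classes the jar actually contains."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    present = sorted(c for c in FLAGGED_CLASSES if c in names)
    return {"version": version, "flagged_classes_present": present}


def build_sample_jar(with_socket_server: bool, version: str) -> bytes:
    """Constructed stand-in jar for offline demonstration; the class entries
    hold placeholder bytes, not real log4j bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        if with_socket_server:
            jar.writestr(FLAGGED_CLASSES[0], b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass the path of the log4j jar from the Jira installation.
        samples = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:
        samples = {"upstream-1.2.17 (constructed)": build_sample_jar(True, "1.2.17"),
                   "fork (constructed)": build_sample_jar(False, "1.2.17-atlassian-16")}
    for label, data in samples.items():
        result = inspect_log4j_jar(data)
        verdict = "class present" if result["flagged_classes_present"] else "class absent"
        print(f"{label}: version={result['version']} -> {verdict}")
```

Run without arguments to see the two constructed cases side by side; point it at the real jar to verify the installation you are being asked about.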

Environment

All Versions of Jira

Diagnosis

Security scans will indicate that Jira is using Apache log4j 1.2.7 and try to relate it to one of several known CVEs for the library.

Cause

The alerts returned by a security scan are false positives due to the custom branch used by Jira; the only true impact is that log4j 1.2.7 is End of Life.

Solution

There is no workaround at this time, and it is not possible to upgrade log4j in Jira.

The vulnerable code that is the cause of most of log4j 1.2.7's CVEs has been removed from the branch used by Jira.

Last modified on Jan 31, 2025
