List of security vulnerabilities addressed in atlassian/log4j1


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Although Log4j 1 has reached end of life and is no longer maintained by the Apache Software Foundation, Jira Server and Data Center still rely heavily on the library. Migrating our software to Log4j 2 would take too much effort to complete quickly while still maintaining a high level of security and performance.

Solution

To be able to resolve security vulnerabilities as they appear and provide the best possible performance while maintaining backward compatibility with the original library, we've created our own fork of Log4j 1.

The following table lists the vulnerabilities patched in atlassian/log4j1, the versions of the library they were fixed in, and the Jira release that includes the patched version. For more details, see the source code of the forked library on the atlassian/log4j1 project page.

None of the listed patches change the default Log4j 1 configuration used in Atlassian products. However, the patched components were removed from the fork rather than fixed in place, so modifying the default configuration to reference any of them (for example, SocketServer, JDBCAppender, JMSSink or Chainsaw) will no longer work and may break backward compatibility with configurations written for the original library.

Each entry below lists the CVSSv3 score, CVE ID, status, fixed-in version of the forked library, Jira releases that include the patched version, and notes.

CVSSv3 score: CRITICAL 9.8
CVE ID: CVE-2019-17571
Status: PATCHED
Fixed in version: 1.2.17-atlassian-3
Fixed in Jira release:
  • 8.13.4 and greater
  • 8.20.0 and greater
Notes: Not vulnerable in the default configuration. Removed SocketServer, the component that deserialized untrusted data received over the network.

CVSSv3 score: CRITICAL 9.8
CVE ID: CVE-2022-23305
Status: PATCHED
Fixed in version: 1.2.17-atlassian-16
Fixed in Jira release:
  • 8.13.21 and greater
  • 8.20.9 and greater
  • 8.22.3 and greater
Notes: Not vulnerable in the default configuration. Removed JDBCAppender, which inserted unsanitized log message content into its configured SQL statement.

CVSSv3 score: HIGH 8.8
CVE ID: CVE-2022-23307 (also known as CVE-2020-9493)
Status: PATCHED
Fixed in version: 1.2.17-atlassian-16
Fixed in Jira release:
  • 8.13.21 and greater
  • 8.20.9 and greater
  • 8.22.3 and greater
Notes: To exploit this deserialization vulnerability, the attacker would already need access to the host machine, which would be a more serious problem in itself. Removed Apache Chainsaw.

CVSSv3 score: HIGH 8.8
CVE ID: CVE-2022-23302
Status: PATCHED
Fixed in version: 1.2.17-atlassian-16
Fixed in Jira release:
  • 8.13.21 and greater
  • 8.20.9 and greater
  • 8.22.3 and greater
Notes: Not vulnerable in the default configuration. Removed JMSSink.

CVSSv3 score: HIGH 7.5
CVE ID: CVE-2021-4104 (sometimes wrongly reported as CVE-2021-44228, which affects only Log4j 2)
Status: PATCHED
Fixed in version: 1.2.17-atlassian-15
Fixed in Jira release:
  • 8.13.21 and greater
  • 8.20.9 and greater
  • 8.22.3 and greater
Notes: Not vulnerable in the default configuration. This CVE concerns JMSAppender, which is only exploitable when an attacker can write to the Log4j configuration and point it at a malicious JNDI name. External lookups were disallowed and now result in an exception.

CVSSv3 score: LOW 3.7
CVE ID: CVE-2020-9488
Status: MITIGATION AVAILABLE
Fixed in version: N/A
Fixed in Jira release: N/A
Notes: Not vulnerable in the default configuration. This CVE concerns SMTPAppender not validating the host name in the SMTPS server certificate. If you're using Log4j to email errors to admins, as a workaround, set the mail.smtp.ssl.checkserveridentity system property to true.
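The following Python script is an added example, not code from Atlassian or the atlassian/log4j1 project. It turns the table above into an inventory check: given the name of the Log4j jar shipped with a Jira install and the contents of its log4j.properties, it reports which listed CVEs that fork revision covers, which are still open, and whether the configuration references a component the fork removed or uses SMTPAppender without the CVE-2020-9488 workaround. It assumes the jar is named log4j-1.2.17-atlassian-<N>.jar (as the "Fixed in version" column implies) and that the JVM arguments are available as a single string; the sample jar name, configuration and JVM arguments are constructed for the example.

```python
"""Inventory check for the atlassian/log4j1 fork, built from the table above.

Assumptions (not stated on the page): the fork jar is named
log4j-1.2.17-atlassian-<N>.jar, and the JVM arguments used to start Jira are
available as a single string. Sample inputs below are constructed.
"""
import re
from typing import Dict, List, Optional, Set

# Fork revision -> CVEs first fixed at that revision ("Fixed in version" column).
FIXED_IN: Dict[int, List[str]] = {
    3: ["CVE-2019-17571"],
    15: ["CVE-2021-4104"],
    16: ["CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307"],
}
ALL_PATCHED_CVES: Set[str] = {cve for cves in FIXED_IN.values() for cve in cves}

# Components the fork removed ("Notes" column) and the CVE each removal closes.
# Chainsaw is a package, so its prefix is matched rather than a single class.
REMOVED_COMPONENTS: Dict[str, str] = {
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.chainsaw.": "CVE-2022-23307",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
}
# JMSAppender is the component behind CVE-2021-4104; it is not removed by the
# fork, so its presence is reported as a warning, not an error.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
SMTP_APPENDER = "org.apache.log4j.net.SMTPAppender"
SMTP_PROPERTY = "-Dmail.smtp.ssl.checkserveridentity=true"

JAR_RE = re.compile(r"log4j-1\.2\.17-atlassian-(\d+)\.jar$")


def fork_revision(jar_name: str) -> Optional[int]:
    """Return N from log4j-1.2.17-atlassian-N.jar, or None for a non-fork jar."""
    m = JAR_RE.search(jar_name)
    return int(m.group(1)) if m else None


def patched_cves(revision: Optional[int]) -> Set[str]:
    """CVEs from the table fixed at or before this fork revision."""
    if revision is None:
        return set()
    return {cve for rev, cves in FIXED_IN.items() if rev <= revision for cve in cves}


def unpatched_cves(revision: Optional[int]) -> Set[str]:
    """Listed CVEs that this fork revision does not yet cover."""
    return ALL_PATCHED_CVES - patched_cves(revision)


def config_findings(config_text: str, jvm_args: str = "") -> List[str]:
    """Findings for a log4j.properties body plus the JVM argument string.

    error: a removed class is referenced (the fork no longer ships it)
    warn:  JMSAppender is configured (component behind CVE-2021-4104)
    warn:  SMTPAppender configured without the CVE-2020-9488 workaround
    """
    findings: List[str] = []
    for cls, cve in REMOVED_COMPONENTS.items():
        if cls in config_text:
            findings.append(f"error: {cls} referenced but removed from the fork ({cve})")
    if JMS_APPENDER in config_text:
        findings.append(f"warn: {JMS_APPENDER} configured (CVE-2021-4104 component)")
    if SMTP_APPENDER in config_text and SMTP_PROPERTY not in jvm_args:
        findings.append(f"warn: {SMTP_APPENDER} configured without {SMTP_PROPERTY} (CVE-2020-9488)")
    return findings


# Constructed sample inputs (not taken from a real Jira install).
SAMPLE_JAR = "WEB-INF/lib/log4j-1.2.17-atlassian-15.jar"
SAMPLE_CONFIG = """\
log4j.rootLogger=WARN, console, mail
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.mail.SMTPHost=smtp.example.test
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
"""
SAMPLE_JVM_ARGS = "-Xmx2g"

if __name__ == "__main__":
    rev = fork_revision(SAMPLE_JAR)
    print(f"fork revision: {rev}")
    print(f"patched:   {sorted(patched_cves(rev))}")
    print(f"unpatched: {sorted(unpatched_cves(rev))}")
    for finding in config_findings(SAMPLE_CONFIG, SAMPLE_JVM_ARGS):
        print(finding)
```

Run it against the real jar name from WEB-INF/lib and the live log4j.properties to see which table rows apply to an install; the error/warn split mirrors the page's point that removed components simply fail to load, while JMSAppender and SMTPAppender remain present and need a configuration or system-property decision.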

Related article: Setting properties and options on startup

Last modified on Jun 8, 2022
