List of security vulnerabilities addressed in atlassian/log4j1
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
While Log4j 1 reached the end-of-life state and is no longer maintained by the Apache Software Foundation, Jira Server and Data Center still heavily rely on the library. The amount of effort required to migrate our software to Log4j 2 is too significant for us to be able to do this quickly enough and still maintain a high level of security and performance.
Solution
To be able to resolve security vulnerabilities as they appear and provide the best possible performance while maintaining backward compatibility with the original library, we've created our own fork of Log4j 1.
The following table lists the vulnerabilities patched in atlassian/log4j1, the versions of the library they were fixed in, and the Jira release that includes the patched version. For more details, see the source code of the forked library on the atlassian/log4j1 project page.
None of the listed patches change the default Log4j 1 configuration used in Atlassian products. However, modifying the default configuration to restore any of the removed parts of the codebase may break backward compatibility.
CVSSv3 score | CVE ID | Status | Fixed in version | Fixed in Jira release | Notes |
---|---|---|---|---|---|
CRITICAL 9.8 | | PATCHED | 1.2.17-atlassian-3 | | Not vulnerable in the default configuration. Removed |
CRITICAL 9.8 | CVE-2022-23305 | PATCHED | 1.2.17-atlassian-16 | | Not vulnerable in the default configuration. Removed |
HIGH 8.8 | CVE-2022-23307 (also known as CVE-2020-9493) | PATCHED | 1.2.17-atlassian-16 | | To exploit the vulnerability, the attacker would need to have access to the host machine, which would be a more serious problem. Removed |
HIGH 8.8 | CVE-2022-23302 | PATCHED | 1.2.17-atlassian-16 | | Not vulnerable in the default configuration. Removed |
HIGH 7.5 | CVE-2021-4104 (sometimes wrongly reported as CVE-2021-44228, which affects only Log4j 2) | PATCHED | 1.2.17-atlassian-15 | | Not vulnerable in the default configuration. External lookups were disallowed and now result in an exception. |
LOW 3.7 | CVE-2020-9488 | MITIGATION AVAILABLE | N/A | N/A | Not vulnerable in the default configuration. If you're using Log4j to email errors to admins, as a workaround, set the |
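Every row above says "not vulnerable in the default configuration", so the practical question for an administrator is whether a customised log4j.properties has pulled in one of the affected components. The following audit script is an added example, not code from this article or from the atlassian/log4j1 project. The CVE-to-component mapping it uses (JMSAppender, JDBCAppender, JMSSink, the Chainsaw package and SMTPAppender) is taken from the upstream Apache Log4j 1.2 advisories for those CVEs; the article itself does not name the components. The sample configuration is constructed for illustration. The "attached" flag reflects how Log4j 1.2's PropertyConfigurator works: an appender that is declared but not referenced from any rootLogger or logger line is never instantiated, although it is still worth flagging because a later configuration change could attach it.

```python
"""Audit a Log4j 1.x properties configuration for appenders tied to the
CVEs listed in the vendor table (added example, not vendor code)."""
import re

# CVE-to-class mapping from the upstream Apache Log4j 1.2 advisories.
# A trailing "." marks a package prefix (any class in that package).
RISKY_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.chainsaw.": "CVE-2022-23307",
    "org.apache.log4j.net.SMTPAppender": "CVE-2020-9488",
}

# "log4j.appender.NAME=fully.qualified.Class" (not NAME.layout etc.)
APPENDER_DECL = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)$")
# "log4j.rootLogger=LEVEL, app1, app2" and "log4j.logger.x.y=LEVEL, app"
LOGGER_DECL = re.compile(
    r"^log4j\.(?:rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)"
    r"\s*=\s*(.+)$"
)


def _lines(config_text):
    """Yield non-empty, non-comment lines of a .properties file, stripped."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(("#", "!")):
            yield stripped


def parse_appenders(config_text):
    """Return {appender name: implementing class} for every declaration."""
    appenders = {}
    for line in _lines(config_text):
        m = APPENDER_DECL.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
    return appenders


def attached_appenders(config_text):
    """Return the set of appender names some logger actually references."""
    attached = set()
    for line in _lines(config_text):
        m = LOGGER_DECL.match(line)
        if m:
            # First comma-separated token is the level; the rest are appenders.
            tokens = [t.strip() for t in m.group(1).split(",")]
            attached.update(t for t in tokens[1:] if t)
    return attached


def cve_for(class_name):
    """Map an appender class to the CVE it is associated with, or None."""
    for key, cve in RISKY_CLASSES.items():
        if class_name == key or (key.endswith(".") and class_name.startswith(key)):
            return cve
    return None


def audit(config_text):
    """Return sorted (appender, class, cve, attached) tuples for risky appenders."""
    attached = attached_appenders(config_text)
    findings = []
    for name, cls in parse_appenders(config_text).items():
        cve = cve_for(cls)
        if cve:
            findings.append((name, cls, cve, name in attached))
    return sorted(findings)


# Constructed sample: a console appender plus a JMS appender that is attached
# to the root logger and an SMTP appender that is declared but not attached.
SAMPLE_CONFIG = """\
# constructed sample log4j.properties, not a file shipped with any product
log4j.rootLogger=WARN, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.mail.SMTPHost=mail.example.invalid
"""

if __name__ == "__main__":
    for name, cls, cve, is_attached in audit(SAMPLE_CONFIG):
        print(f"{name}: {cls} ({cve}) attached={is_attached}")
```

Run it against a real log4j.properties by reading the file into `audit()`. A finding with `attached=True` for one of the "Removed" components means the configuration would fail to load against a fork version that has dropped that class, which is the backward-compatibility break the article warns about; a finding for SMTPAppender means the CVE-2020-9488 workaround in the table applies.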