Log4J Issue (CVE-2021-4104)

Following the review of the Log4J Issue (CVE-2021-44228), Atlassian has found a vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:

  • The JMS Appender is configured in the application's Log4j configuration

  • The javax.jms API is included in the application's CLASSPATH

  • The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime.

Idera's investigation confirmed that Xray for Data Center uses the Apache Log4j library within the version range that contains this vulnerability, but does not use the JMS Appender. Xray for DC is assessed annually by the Atlassian team in order to remain present in the Marketplace listing. This vulnerability has been discussed, but the dependency must remain because a Jira API method requires this logger (here). The Xray team has created bug XRAY-9963 to work on a full replacement of this library in upcoming releases.
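A configuration check for the three conditions listed above, as an added example that is not Idera's or Atlassian's code: it reads a Log4j 1.x properties file, reports any JMSAppender that is actually attached to a logger, whether that appender's JNDI-related properties name a non-loopback host, and whether a JMS API jar appears on the classpath. The property names are the JMSAppender setters from the Log4j 1.2 API; the sample configuration, classpath entries and hostname are constructed, and the classpath test is a file-name heuristic that does not inspect jar contents.

```python
"""Audit a Log4j 1.x properties file for the CVE-2021-4104 preconditions.

Added example, not Idera's or Atlassian's code. Assumes the Log4j 1.2
properties format; the JNDI attribute names are JMSAppender setters from
the Log4j 1.2 API. The sample config and classpath below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# JMSAppender properties that drive its JNDI lookups (Log4j 1.2 setters).
JNDI_KEYS = ("InitialContextFactoryName", "ProviderURL",
             "TopicConnectionFactoryBindingName", "TopicBindingName")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^@/]*@)?([^/]+?)(?::\d+)?(?:/|$)", re.I)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: comments, '=' or ':' separators,
    and backslash line continuations."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def references_remote_host(value: str) -> bool:
    """True when a URL-valued property names a host other than loopback."""
    m = URL_HOST.match(value)
    if not m:
        return False
    host = m.group(1).strip("[]").lower()
    return host not in LOOPBACK


def attached_appenders(props: Dict[str, str]) -> Set[str]:
    """Appender names referenced from the root logger or any named logger.
    Log4j 1.x only instantiates an appender that some logger references."""
    names: Set[str] = set()
    for key, value in props.items():
        if re.match(r"^log4j\.(rootLogger|rootCategory|logger\..+|category\..+)$", key):
            # value is "LEVEL, appender1, appender2"; the first token is the level
            names.update(t.strip() for t in value.split(",")[1:] if t.strip())
    return names


@dataclass
class JmsAppenderFinding:
    name: str
    attached: bool  # referenced by a logger, so it is actually built
    jndi_props: Dict[str, str] = field(default_factory=dict)

    @property
    def third_party_lookup(self) -> bool:
        return any(references_remote_host(v) for v in self.jndi_props.values())


def find_jms_appenders(props: Dict[str, str]) -> List[JmsAppenderFinding]:
    attached = attached_appenders(props)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not (m and value == JMS_APPENDER_CLASS):
            continue
        name = m.group(1)
        jndi = {k: props[f"log4j.appender.{name}.{k}"]
                for k in JNDI_KEYS if f"log4j.appender.{name}.{k}" in props}
        findings.append(JmsAppenderFinding(name, name in attached, jndi))
    return findings


def classpath_has_jms_api(entries: List[str]) -> bool:
    """Heuristic: a jar whose file name contains 'jms' (javax.jms, jms-api, ...)."""
    return any(re.search(r"[^/\\]*jms[^/\\]*\.jar$", e, re.I) for e in entries)


@dataclass
class Assessment:
    jms_appender_configured: bool
    jms_api_on_classpath: bool
    third_party_jndi_lookup: bool

    @property
    def all_preconditions_met(self) -> bool:
        # All three of Atlassian's conditions must hold for CVE-2021-4104 to apply.
        return (self.jms_appender_configured and self.jms_api_on_classpath
                and self.third_party_jndi_lookup)


def assess(config_text: str, classpath: List[str]) -> Assessment:
    findings = [f for f in find_jms_appenders(parse_properties(config_text)) if f.attached]
    return Assessment(
        jms_appender_configured=bool(findings),
        jms_api_on_classpath=classpath_has_jms_api(classpath),
        third_party_jndi_lookup=any(f.third_party_lookup for f in findings),
    )


# Constructed sample: a file appender plus a JMS appender whose provider URL
# names a non-local host (placeholder hostname, JBoss-style JNP provider).
SAMPLE_CONFIG = """\
# log4j.properties (constructed sample)
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=\\
    org.jnp.interfaces.NamingContextFactory
log4j.appender.jms.ProviderURL=jnp://mq.example.invalid:1099
log4j.appender.jms.TopicBindingName=logTopic
"""
SAMPLE_CLASSPATH = ["lib/log4j-1.2.17.jar", "lib/javax.jms-api-2.0.1.jar"]

if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG, SAMPLE_CLASSPATH)
    print(result, "-> all preconditions met:", result.all_preconditions_met)
```

Only the properties format is handled; a log4j.xml configuration would need a separate reader, and a JMSAppender defined but never referenced from a logger is reported as not configured, because Log4j 1.x never constructs it.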


Xray for Data Center uses the Apache Log4j library within the version range that contains this vulnerability but does not use the JMS Appender; the investigation therefore concludes with confidence that this particular Apache Log4j vulnerability is very unlikely to be exploitable.

Atlassian's security report can be found here.

If you have any questions or concerns, please contact us.

Idera Security and Compliance Team.