Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Log4j vulnerability

Sandeep Vellore
Sandeep Vellore January 25, 2022

Hi,

We were asked to remove log4j-core.jar and other log4jXXX.jar related files from Confluence ,JIRA & GIT servers.

Kindly confirm if there is any impact to the application if they ask us to remove these files due to log4j vulnerability.

Let us know if you need the path where these files are available

 

 

Answer
Watch
Like Bruce Guy likes this
1824 views

2 answers

1 vote
Pramodh M
Pramodh M
Community Champion
January 25, 2022

Hi @Sandeep Vellore 

Don't remove the jar files, the issue has already been fixed. You just need to upgrade the servers to a fixed version or the latest version if it's possible for you

Please find the reference here

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

Thanks,
Pramodh

View More Comments
Guru Darbar
Guru Darbar
Contributor
January 31, 2022

Would it break the application if you replaced the offending .jar files with the updated ones from Apache?

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.171.jar

and

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar

If that works, then the applications would pass a CVE audit.

Like
Reply
0 votes
Kishan Sharma
Kishan Sharma
Community Champion
January 25, 2022

Hi @Sandeep Vellore 

Atlassian Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and have determined that no Atlassian on-premises products are vulnerable to CVE-2021-44228.

So you don't need to remove the log4j.jar files. You can check if you are vulnerable by inspecting the Log4j configuration file. If you find a line containing the org.apache.log4j.net.JMSAppender, you may be vulnerable. If you do not find a line containing the org.apache.log4j.net.JMSAppender, you do not have this specific vulnerable configuration. I would suggest you to go through FAQ as well for more details.

Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
atlassian, team '25 europe, atlassian event, barcelona 2025, jira, confluence, atlassian intelligence, rovo, ai-powered collaboration, developer tools, agile teams, digital transformation, teamwork solutions, atlassian conference, product announcements

🌆 Team '25 Europe registration is now open!

Join the largest European gathering of the Atlassian Community and reimagine what’s possible when great teams and transformative technology come together. Plus, grab your Super Fan ticket now and save over €1,000 on your pass before prices rise on 3 June.

Register now
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Champions
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.