how to resolve log4j-1.2.17-atlassian-15.jar file on confluence server

Stephen_Peprah
March 29, 2022

I have a log4j file, log4j-1.2.17-atlassian-15.jar, that is failing a security scan. How do I remediate this?

2 answers, 1 accepted

Answer accepted (1 vote)
Thiago Masutti, Atlassian Team
March 30, 2022

Hi @Stephen_Peprah 
I hope you are well.

Your security scan is certainly reporting that package as vulnerable because of CVE-2021-44228.

However, as stated in the FAQ for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, your environment may not be vulnerable to it:

Is my on-premises Server/Data Center instance affected?

Our Security team investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and have determined that no Atlassian on-premises products are vulnerable to CVE-2021-44228.

Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place: 

  • The JMS Appender is configured in the application's Log4j configuration
  • The javax.jms API is included in the application's CLASSPATH (e.g. for Jira the <install>/WEB-INF/lib sub-directory)
  • The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime 

The following products use the Atlassian-maintained fork of Log4j 1.2.17:

  • Bamboo Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Fisheye / Crucible
  • Jira Server and Data Center

You can check if you are vulnerable by inspecting the Log4j configuration file. If you find a line containing the org.apache.log4j.net.JMSAppender, you may be vulnerable. If you do not find a line containing the org.apache.log4j.net.JMSAppender, you do not have this specific vulnerable configuration.

If you don't have the exact configuration detailed above, then you won't be vulnerable and you can discuss with your security team to have an exception flagged for your Confluence instance.

I hope that helps.

Kind regards,
Thiago Masutti

志强 汤
May 4, 2022

May I ask how to solve this problem?

Apache Log4j 1.2 Remote Code Execution Vulnerability

QID: 376187
Category: Local
Associated CVEs: CVE-2021-4104
Vendor Reference: CVE-2021-4104
Bugtraq ID: -
Service Modified: 04/13/2022
User Modified: -
Edited: No
PCI Vuln: Yes


THREAT:
Apache Log4j is a Java-based logging utility. It is part of the Apache Logging Services, a project of the Apache Software Foundation.
The JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI
requests that result in remote code execution in a similar fashion to CVE-2021-44228.
Affected versions:
Log4j version 1.2
QID Detection: (Authenticated) - Linux
This detection is based on querying the OS package managers on the target. If the target has a log4j package with a version in 1.2, the target is flagged as potentially vulnerable.

QID Detection: (Authenticated) - Windows
On Windows system, the QID identifies vulnerable instance of log4j via WMI to check log4j included in the running processes via command-line.


IMPACT:
Successful exploitation of this vulnerability could lead to remote code execution (RCE) on the target.


SOLUTION:
Customers are advised to upgrade their Log4j to the version in 2.16. If updating the version is not possible, please refer to the mitigations mentioned here: Log4j (https://logging.apache.org/log4j/2.x/security.html).
Workaround: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.2 configurations without JMSAppender are not impacted by this vulnerability.
Log4j 1.x does not have Lookups, so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Log4j 1.2 (https://logging.apache.org/log4j/2.x/security.html#)


COMPLIANCE:
Not Applicable


EXPLOITABILITY:
There is no exploitability information for this vulnerability.


ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:

PATH
/home/ubuntu/confluence/confluence/WEBINF/lib/log4j-1.2.17-atlassian-3.jar
VERSION
1.2.17-atlassian-3
JMS_CLASS_STATUS
JMSAppender CLASS FOUND
BASE_DIR
/home/ubuntu/confluence

PATH
/home/ubuntu/downloads/jira.bak/lib/log4j-1.2.17-atlassian-2.jar
VERSION
1.2.17-atlassian-2
JMS_CLASS_STATUS
JMSAppender CLASS FOUND
BASE_DIR
/home/ubuntu/downloads

PATH
/opt/atlassian/jira/lib/log4j-1.2.17-atlassian-3.jar
VERSION
1.2.17-atlassian-3
JMS_CLASS_STATUS
JMSAppender CLASS FOUND
BASE_DIR
/opt/atlassian/jira

PATH
/opt/atlassian/confluence/confluence/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
VERSION
1.2.17-atlassian-3
JMS_CLASS_STATUS
JMSAppender CLASS FOUND
BASE_DIR
/opt/atlassian/confluence

PATH
/home/ubuntu/2021_11_10-confluence-7.6.2-back/confluence/confluence/WEB-INF/lib/log4j-1.2.17-atlassian-3.jar
VERSION
1.2.17-atlassian-3
JMS_CLASS_STATUS
JMSAppender CLASS FOUND
BASE_DIR
/home/ubuntu/2021_11_10-confluence-7.6.2-back
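The scanner output above only establishes that the JMSAppender class is present inside the log4j jar, which is true of every Log4j 1.2.17 build, including the Atlassian fork. Thiago's answer lists the three conditions that actually have to hold together for the CVE-2021-4104 configuration to be exploitable: a JMSAppender configured in the Log4j configuration, javax.jms on the CLASSPATH, and that appender pointed at a JNDI name or provider. The following is an added example (not code from Atlassian, Qualys or the original posters) that checks all three against a log4j.properties or log4j.xml file and a WEB-INF/lib directory, alongside the jar-contents check the scanner performs. The sample configurations and jars are constructed inside the script so that it runs offline; the option names TopicBindingName, TopicConnectionFactoryBindingName, InitialContextFactoryName and ProviderURL are the JMSAppender options from the Log4j 1.2 API, and the broker host name is made up.

```python
"""Audit a Log4j 1.x deployment for the CVE-2021-4104 JMSAppender pre-conditions.

Checks, per Atlassian's FAQ: (1) JMSAppender configured, (2) javax.jms on the
CLASSPATH, (3) the appender configured with a JNDI lookup. Also reports whether
the JMSAppender class is merely present in a jar, which is what the scan flags.
The configs and jars below are constructed fixtures, not real deployments."""
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# JMSAppender options that drive JNDI lookups (Log4j 1.2 API option names).
JNDI_OPTIONS = ("TopicBindingName", "TopicConnectionFactoryBindingName",
                "InitialContextFactoryName", "ProviderURL")


def jms_appenders_in_properties(text):
    """Map appender name -> {option: value} for every JMSAppender in a log4j.properties."""
    found = {}
    for m in re.finditer(r"^\s*log4j\.appender\.(\w+)\s*=\s*(\S+)", text, re.M):
        if m.group(2) == JMS_APPENDER:
            found[m.group(1)] = {}
    for name in found:
        pat = rf"^\s*log4j\.appender\.{name}\.(\w+)\s*=\s*(.*?)\s*$"
        for m in re.finditer(pat, text, re.M):
            found[name][m.group(1)] = m.group(2)
    return found


def jms_appenders_in_xml(text):
    """Same for log4j.xml: <appender name=".." class=".."><param name=".." value=".."/>."""
    return {
        app.get("name"): {p.get("name"): p.get("value") for p in app.findall("param")}
        for app in ET.fromstring(text).iter("appender")
        if app.get("class") == JMS_APPENDER
    }


def jars_containing(lib_dir, class_prefix):
    """Jars under lib_dir that ship a .class entry whose path starts with class_prefix."""
    hits = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            if any(n.startswith(class_prefix) and n.endswith(".class") for n in zf.namelist()):
                hits.append(jar.name)
    return hits


def assess(config_text, lib_dir):
    """Combine the checks; 'exploitable_config' is True only when all three conditions hold."""
    if config_text.lstrip().startswith("<"):
        appenders = jms_appenders_in_xml(config_text)
    else:
        appenders = jms_appenders_in_properties(config_text)
    jndi = {n: o for n, o in appenders.items() if any(k in o for k in JNDI_OPTIONS)}
    report = {
        "jmsappender_class_in_jar": bool(jars_containing(lib_dir, "org/apache/log4j/net/JMSAppender")),
        "jms_appender_configured": bool(appenders),
        "javax_jms_on_classpath": bool(jars_containing(lib_dir, "javax/jms/")),
        "jndi_lookup_configured": bool(jndi),
    }
    report["exploitable_config"] = (report["jms_appender_configured"]
                                    and report["javax_jms_on_classpath"]
                                    and report["jndi_lookup_configured"])
    return report


def build_fixture(with_jms_api):
    """Constructed WEB-INF/lib: a log4j jar carrying the JMSAppender class (as every
    1.2.17 build does) and, optionally, a jar carrying javax.jms classes."""
    lib = Path(tempfile.mkdtemp()) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-1.2.17-atlassian-15.jar", "w") as zf:
        zf.writestr("org/apache/log4j/net/JMSAppender.class", b"")  # placeholder, not bytecode
    if with_jms_api:
        with zipfile.ZipFile(lib / "javax.jms-api-2.0.1.jar", "w") as zf:
            zf.writestr("javax/jms/Topic.class", b"")
    return lib


# Constructed sample configurations.
SAFE_PROPERTIES = """
log4j.rootLogger=WARN, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
"""
RISKY_PROPERTIES = """
log4j.rootLogger=WARN, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.internal:61616
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=logTopic
"""
RISKY_XML = """<?xml version="1.0"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
  </appender>
  <root><level value="warn"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    lib = build_fixture(with_jms_api=True)
    for label, cfg in (("safe", SAFE_PROPERTIES), ("risky.properties", RISKY_PROPERTIES), ("risky.xml", RISKY_XML)):
        print(label, assess(cfg, lib))
```

On a real Confluence Server install you would call `assess()` with the contents of `<install>/confluence/WEB-INF/classes/log4j.properties` and `<install>/confluence/WEB-INF/lib` as `lib_dir` (the same directory the scan results above point at). Expect `jmsappender_class_in_jar` to be True on every 1.2.17 jar; the finding is only actionable when the other three keys are True as well, which matches the FAQ's "only if all of the following non-default configurations are in place". Note that the scanner also found backup copies under `/home/ubuntu`; jars sitting in a backup directory are not on any running CLASSPATH, but deleting or moving old backups off the scanned host is the simplest way to stop them being reported.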

Nic Brough -Adaptavist-, Rising Star
May 5, 2022

Please could you read Thiago's answer - it tells you what to do to prevent this being a security problem.

0 votes
Nic Brough -Adaptavist-, Rising Star
March 29, 2022

Welcome to the Atlassian Community!

You'll need to upgrade to a later version of Confluence.

志强 汤
May 17, 2022

Both Jira and Confluence have been upgraded to the latest version, but the log4j problem has not been resolved. What should I do? Can I upgrade log4j myself?

Nic Brough -Adaptavist-, Rising Star
May 18, 2022

You've asked this as a question elsewhere, that's a better place to get an answer.
