Confluence: Multiple vulnerabilities in log4j < 1.2.7-atlassian-16

The version of {{log4j}} used by Confluence has been updated from version 1.2.7-atlassian-15 to 1.2.7-atlassian-16 to address the following vulnerabilities:

[CVE-2020-9493|https://vulners.com/cve/CVE-2020-9493] and [CVE-2022-23307|https://vulners.com/cve/CVE-2022-23307]
Apache Chainsaw is bundled with {{log4j}} 1.2.x, and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed manually. It is not required by Confluence, nor is it executed by default, nor does Atlassian provide any documentation on using Chainsaw with Confluence. Atlassian has [remediated this vulnerability by removing Chainsaw|https://bitbucket.org/atlassian/log4j1/commits/3a06f7e94efa98331a875532212a3005fd9766d0] from the Atlassian version of {{{}log4j{}}}.

[CVE-2022-23302|https://vulners.com/cve/CVE-2022-23302]
JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Confluence configuration can exploit this to execute arbitrary code. Confluence is not configured to use JMSSink by default, nor does Atlassian provide any documentation on using JMSSink with Confluence. Atlassian has [remediated this vulnerability by removing JMSSink|https://bitbucket.org/atlassian/log4j1/commits/48b34334e5278dfd52b361b1ec6943ca4c3b997e] from the Atlassian version of {{{}log4j{}}}.

[CVE-2022-23305|https://vulners.com/cve/CVE-2022-23305]
JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter ({{{}%m{}}}). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Confluence is not configured to use JDBCAppender by default. Atlassian has [remediated this vulnerability by removing JDBCAppender|https://bitbucket.org/atlassian/log4j1/commits/b933fe460d64ccfc027b4efee74a5ce1875fe3be] from the Atlassian version of {{{}log4j{}}}. Note: {}this may introduce breaking changes in your environment{}. Though JDBCAppender is not used by default, Atlassian previously provided documentation on how to use JDBCAppender with Confluence. You can determine if JDBCAppender was enabled using guidance in that documentation if the following line is present in {}<installation_directory>/confluence/WEB-INF/classes/log4j.properties{}:
{code:java}
log4j.appender.DATABASE=org.apache.log4j.jdbc.JDBCAppender {code}
Affected versions of Confluence:

• Versions < 7.4.17
• All versions 7.5.x through 7.12.x
• Versions 7.13.x < 7.13.6
• Versions 7.14.x < 7.14.3
• Versions 7.15.x < 7.15.2
• Versions 7.16.x < 7.16.4
• Versions 7.17.x < 7.17.2

Fixed versions of Confluence:

• Versions 7.4.x >= 7.4.17
• Versions 7.13.x >= 7.13.6
• Versions 7.14.x >= 7.14.3
• Versions 7.15.x >= 7.15.2
• Versions 7.16.x >= 7.16.4
• Versions 7.17.x >= 7.17.2
• Versions >= 7.18.0