Lucene search

K
atlassianSecurity-metrics-botCRUC-8529
HistoryMar 07, 2022 - 8:14 a.m.

Update Log4J to 1.2.17-atlassian-15 to fix CVE-2021-4104

2022-03-0708:14:14
security-metrics-bot
jira.atlassian.com
27

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

Log4J version 1.2.17-atlassian-3 used in Fisheye and Crucible is vulnerable to CVE-2021-4104. The JMSAppender in Log4J 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4J configuration. Note this issue only affects Log4J 1.2 when specifically configured to use JMSAppender, which is not the default.

The vulnerability has been fixed in Log4J version 1.2.17-atlassian-15, in which the JMS-related code has been deleted, so that it’s even not possible to configure the JMSAppender.

Affected Fisheye / Crucible versions:

< 4.8.9

Fix version:

4.8.9

Notes:

Please note that Log4j 1.2.x is not vulnerable to CVE-2021-44228.

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-4104

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

CPENameOperatorVersion
cruciblele4.8.0
cruciblelt4.8.9

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%