Lucene search

K
atlassianDlaserFE-7400
HistoryApr 08, 2022 - 4:20 p.m.

Update Log4J to 1.2.17-atlassian-16 to fix CVE-2022-23305, CVE-2022-23307, CVE-2020-9493, CVE-2022-23302

2022-04-0816:20:16
dlaser
jira.atlassian.com
314

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.018 Low

EPSS

Percentile

88.0%

CVE-2022-23305

Customers that have JDBCAppender configured may be vulnerable to SQL Injection attacks

Change Summary: Removed JDBCAppender thus no longer allowing customers to use.

CVE-2022-23307 / CVE-2020-9493

Unsafe deserialization issue present in Apache Chainsaw that was bundled in log4j1.

Change Summary: Removed Apache Chainsaw, it is no longer a component of our log4j1 fork

CVE-2022-23302

JMSSink is vulnerable to deserialization of untrusted data

CPENameOperatorVersion
fisheyele4.8.9
fisheyelt4.8.10

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.018 Low

EPSS

Percentile

88.0%