Urgent: Security vulnerability reference to Apache Zero-Day Log4j vulnerability (CVE-2021-44228). Is our plugin impacted?

Issue #33 resolved
Former user created an issue

Hi Support team,

Please treat this as the highest priority as this is a worldwide security vulnerability.

We need to determine if we are impacted and what the patch is to secure our systems. Please provide a step-by-step document for the patch.

Here are some links for reference:

Here is the CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Here is the Apache Log4j details: https://logging.apache.org/log4j/2.x/security.html

Version: 1.4.2. Thanks in advance!

Regards, Gowri

Comments (2)

  1. Roma Bubyakin [Wombats Corp]

    Hi Gowri,

    All plugins from Wombats Corp do not use Log4j explicitly, only SLF4J.
    The Log4j library is expected to be provided by the Jira (or Confluence) application.
    The version of Log4j library that is expected: 1.2.16

    Based on the official report from Log4j:

    Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

    -> Risk is lower (1), but still exists if JMSAppender is in use (2)

    Our plugins use the 1.x version (implicitly) and do not use JMSAppender.
    In conclusion, plugins from Wombats Corp are not affected by CVE-2021-44228.

    Best Regards,

    Roman
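The mitigation quoted in the comment above is to audit the Log4j 1.x logging configuration for a JMSAppender. The following script is an added example, not part of the issue thread or of the Wombats Corp plugins; it scans both `log4j.properties`-style and `log4j.xml`-style configuration text for appenders whose class is `org.apache.log4j.net.JMSAppender` and reports them. The sample configurations embedded in it are constructed for illustration.

```python
"""Audit Log4j 1.x configuration text for JMSAppender (the CVE-2021-4104 check).

Added example, not code from the issue thread. Handles the two configuration
formats Log4j 1.x reads: the properties format and the XML (DOMConfigurator)
format. The sample inputs below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# Matches "log4j.appender.<name>=<class>" (also ':' or whitespace separators).
# The name group excludes '.', so sub-keys such as
# "log4j.appender.<name>.TopicBindingName=..." are not mistaken for appender definitions.
_APPENDER_DEF = re.compile(r"^log4j\.appender\.([^.=:\s]+)\s*[=:\s]\s*(.+?)\s*$")


def find_jms_appenders_in_properties(text: str) -> list[str]:
    """Return the names of appenders declared with the JMSAppender class in a
    log4j.properties-style configuration. Comment lines ('#' or '!') are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _APPENDER_DEF.match(line)
        if m and m.group(2) == JMS_APPENDER_CLASS:
            found.append(m.group(1))
    return found


def find_jms_appenders_in_xml(text: str) -> list[str]:
    """Return the names of <appender> elements whose class attribute is JMSAppender
    in a log4j.xml-style configuration. ElementTree does not fetch the external
    log4j.dtd referenced by the DOCTYPE, so this parses offline."""
    root = ET.fromstring(text)
    return [
        appender.get("name", "<unnamed>")
        for appender in root.iter("appender")
        if appender.get("class") == JMS_APPENDER_CLASS
    ]


def audit(text: str) -> dict:
    """Detect the configuration format, run the matching scanner and summarise.
    The result is 'affected' only if at least one JMSAppender is configured."""
    stripped = text.lstrip()
    if stripped.startswith("<"):
        names, fmt = find_jms_appenders_in_xml(text), "xml"
    else:
        names, fmt = find_jms_appenders_in_properties(text), "properties"
    return {"format": fmt, "jms_appenders": names, "affected": bool(names)}


# --- constructed sample configurations ---------------------------------------
SAMPLE_PROPERTIES_WITH_JMS = """
# constructed sample: console plus a JMS appender
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

SAMPLE_PROPERTIES_SAFE = """
# constructed sample: file logging only, no JMSAppender
log4j.rootLogger=WARN, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=atlassian-jira.log
"""

SAMPLE_XML_WITH_JMS = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="JMS" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="info"/><appender-ref ref="JMS"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in [("properties-with-jms", SAMPLE_PROPERTIES_WITH_JMS),
                       ("properties-safe", SAMPLE_PROPERTIES_SAFE),
                       ("xml-with-jms", SAMPLE_XML_WITH_JMS)]:
        print(label, audit(cfg))
```

On a real Jira or Confluence host the text passed to `audit` would be the contents of the application's `log4j.properties` (or `log4j.xml`) file; a result with `affected` set to `True` means the configuration still carries the JMSAppender that the quoted Log4j advisory says must be removed.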
