A mitigation has been published by Atlassian – please apply it to your installations if you believe they are affected.
The mitigation has been applied to our systems.
More information was published about CVE-2021-45046 as well – and you can expect updates in the base Atlassian products: "A related, but much less severe, vulnerability was discovered in non-default configurations of Log4j 2.0-beta9 to 2.15.0 (inclusive), see CVE-2021-45046 (scored CVSS v3 3.7 low): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Regardless of whether the vulnerable configuration is in use, Atlassian will be addressing CVE-2021-45046 by upgrading to log4j 2.16.0 (or greater) in line with the timeframes detailed in the Atlassian Security Bugfix Policy."
Based on the information made available by Atlassian, our own investigations, and other sources available to us at this moment we conclude that:
- all TechTime apps on Cloud, Server, and Data Center are NOT affected by these vulnerabilities;
- our supporting and development systems are NOT affected by these vulnerabilities;
- our production Cloud hosting systems are NOT affected by these vulnerabilities;
- any Atlassian systems where the logging configuration hasn't been modified from its default settings to relay log messages to external sources via JMS are NOT affected by these vulnerabilities.
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17."
Internal investigations have found that the vulnerable classes have been removed from the packages included in Atlassian products.
As per the notice in the FAQ for CVE-2021-44228, Atlassian products use a fork of log4j 1.2.17 maintained by Atlassian themselves.
We have requested clarification from Atlassian, and it has been confirmed that the affected classes have indeed been removed by Atlassian as part of preparing their forked version of the package.
We do not include any log4j dependencies in our packages.
All TechTime products on Cloud, Server, and Data Center are using log4j library versions that are provided by the underlying Atlassian products, e.g., Jira, Confluence, Bitbucket, Bamboo, and Fisheye/Crucible.
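A way to verify the two conditions above on your own installation (that the Log4j 1.2 SocketServer and JMS appender classes are absent from the bundled log4j jar, and that log4j.properties has not been modified to relay log messages via JMS), as an added example that is not TechTime's or Atlassian's code. The class names are the standard Log4j 1.x ones; the jar and properties contents below are constructed samples and the properties-line pattern is an assumption about the log4j 1.x configuration syntax.

```python
import io
import re
import zipfile
from typing import Dict, List

# Log4j 1.2 classes behind the issues discussed above: SocketServer deserialises
# untrusted log data; JMSAppender relays log messages to an external JMS source.
VULNERABLE_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
)
# A log4j.properties line that points an appender at JMSAppender (log4j 1.x syntax).
JMS_APPENDER_RE = re.compile(
    r"^\s*log4j\.appender\.[^.=\s]+\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$",
    re.MULTILINE)

def vulnerable_classes_in_jar(jar_bytes: bytes) -> List[str]:
    """Return which of the vulnerable classes are still present in a jar (a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return [cls for cls in VULNERABLE_CLASSES if cls in names]

def jms_relay_configured(properties_text: str) -> bool:
    """True if log4j.properties was modified to relay log messages via JMS."""
    return JMS_APPENDER_RE.search(properties_text) is not None

def assess(jar_bytes: bytes, properties_text: str) -> Dict[str, object]:
    """Flag an installation for review if either a class remains or a JMS relay is set."""
    present = vulnerable_classes_in_jar(jar_bytes)
    relay = jms_relay_configured(properties_text)
    return {"classes_present": present, "jms_relay_configured": relay,
            "needs_review": bool(present) or relay}

def _build_jar(entries: List[str]) -> bytes:
    """Constructed sample jar: only entry names matter, contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return buf.getvalue()

# Constructed samples: a stock log4j 1.2.17 layout and a fork with the classes removed.
STOCK_JAR = _build_jar(["org/apache/log4j/Logger.class",
                        "org/apache/log4j/net/SocketServer.class",
                        "org/apache/log4j/net/JMSAppender.class"])
FORKED_JAR = _build_jar(["org/apache/log4j/Logger.class"])
DEFAULT_PROPS = ("log4j.rootLogger=WARN, console\n"
                 "log4j.appender.console=org.apache.log4j.ConsoleAppender\n")
RELAY_PROPS = DEFAULT_PROPS + ("log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
                               "log4j.appender.jms.TopicBindingName=logTopic\n")
```

On a real installation, pass the bytes of the log4j jar shipped with the Atlassian product and the text of its log4j.properties to `assess`.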
This incident affected: TechTime Server Apps (EasySSO for Jira Server, EasySSO for Confluence Server, EasySSO for Bitbucket Server, EasySSO for Bamboo Server, EasySSO for Fisheye/Crucible Server, EasyPage for Confluence, EasySEO for Confluence, UserManagement for Jira Server, UserManagement for Confluence Server, UserManagement for Bitbucket Server, SpaceUnZip for Confluence Server, EasyQRLink for Confluence Server, GoogleMaps Embed macro for Confluence Server), TechTime Data Center Apps (EasySSO for Bitbucket Data Center, EasySSO for Jira Data Center, EasySSO for Confluence Data Center, UserManagement for Jira Data Center, UserManagement for Confluence Data Center, UserManagement for Bitbucket Data Center, GoogleMaps Embed macro for Confluence Data Center), TechTime Cloud Apps (Embed Google Maps Pro in Atlassian Cloud, EasyTime for Jira Cloud), and TechTime Service Desk.