Are my Jira apps affected by Log4j CVE-2021-44228?
What is CVE-2021-44228
CVE-2021-44228, also known as Log4Shell, is a serious vulnerability discovered recently. It allows an attacker to execute malicious code in any application that uses a vulnerable version of Log4j (version 2.0 onwards). The impact is very severe because:
- It is extremely simple to execute such an attack
- Log4j is the most popular logging framework and is used by many Java applications
- There are already many attempts on the Internet to scan for this loophole
</gre_replace>
<gr_replace lines="7" cat="clarify" orig="The official">
The official guideline is to patch the applications by upgrading to Log4j version 2.16 onwards.
The official guideline is to patch the applications to upgrade to Log4J version 2.16 onwards.
Are Akeles Jira/Confluence apps safe?
Thankfully, with tools like Bitbucket and Sonatype Nexus Lifecycle, we were able to identify the 3rd party components used in our applications.
We have verified that we do not bundle the log4j library in our Jira/Confluence apps. We are using the log4j library that is provided by Jira/Confluence. Hence we are safe.
Another piece of reassuring news is that Atlassian is also scanning the apps listed on the Atlassian Marketplace:
Each vulnerable DC or server app will be given the same expedited deadline as cloud apps. DC and server apps that fail to address the vulnerability within this expedited timeframe will be removed from the marketplace, and then Atlassian will inform customers who have vulnerable paid apps installed.
While doing research for our customers, we have also compiled a list of official statements from fellow app publishers. We hope it will be helpful for those who need to do their "due diligence".
Are my Atlassian applications safe?
Atlassian has put up a detailed official advisory stating that Jira and Confluence use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. However, they confirmed a similar but low-risk vulnerability (CVE-2021-4104) which is exposed only if the Log4j configuration has been modified from the default settings.
The risk is low because these settings are not enabled by default. Nevertheless, it is better to double-check your configuration.
While Bitbucket is not affected by the remote code execution, it may be at risk of information leakage due to its use of affected versions of Elasticsearch. The remediation steps are available in the Atlassian security advisory.
Are my Sonatype applications safe?
For our customers who are using Sonatype products: Nexus Lifecycle, Nexus Firewall and Nexus Repository use Logback instead of Log4j, hence they are not affected. The official statement is available on the Sonatype website.
Food for Thought
The connectivity of the Internet makes it even more challenging to defend against such zero-day vulnerabilities. Here are some questions we need to take into consideration for the IT strategy (tooling, SaaS services, architecture, processes, automation, etc.):
- How can we be notified of any vulnerabilities as soon as possible?
- How can we minimise the risks and impact of an attack?
- How can we identify the affected applications quickly?
- How can we ensure the 3rd party libraries used are safe?
- How can we patch the affected applications in a timely manner?
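As an added example (not Akeles' or Atlassian's code) of the check behind "we do not bundle the log4j library in our apps" and of identifying affected applications quickly: the script below walks a directory of JAR/WAR files, including archives nested inside archives, reads the Maven pom.properties that log4j-core ships with, and flags versions from 2.0 up to but not including 2.16 as vulnerable. The sample archives are constructed inline (no real classes) so it runs offline; the directory layout and file names are assumptions.

```python
"""Inventory check for bundled log4j-core in JAR/WAR/EAR files (added example)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata path that the log4j-core jar embeds; used as the version source.
POM_PATH_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
FIRST_AFFECTED = (2, 0, 0)   # Log4j 2.0 onwards is affected (per the advisory text)
FIRST_FIXED = (2, 16, 0)     # official guidance: upgrade to 2.16 or later


def parse_version(text):
    """Turn '2.14.1' or '2.0' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums) + (0,) * (3 - len(nums))


def classify(version):
    """Map a log4j-core version string to a status label."""
    v = parse_version(version)
    if FIRST_AFFECTED <= v < FIRST_FIXED:
        return "VULNERABLE"
    if v >= FIRST_FIXED:
        return "patched"
    return "log4j1-or-unknown"


def scan_archive(zf, origin, findings):
    """Recursively inspect one open ZipFile; append (origin, version, status)."""
    for name in zf.namelist():
        if POM_PATH_RE.search(name):
            props = zf.read(name).decode("utf-8", errors="replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if match:
                version = match.group(1).strip()
                findings.append((origin, version, classify(version)))
        elif name.lower().endswith(ARCHIVE_SUFFIXES):
            # Nested archive (e.g. WEB-INF/lib/*.jar inside a WAR): recurse into it.
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{origin}!{name}", findings)
            except zipfile.BadZipFile:
                findings.append((f"{origin}!{name}", "?", "unreadable-archive"))


def scan_directory(root):
    """Scan every archive under root; return findings in path order."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, rel, findings)
            except zipfile.BadZipFile:
                findings.append((rel, "?", "unreadable-archive"))
    return findings


def _log4j_core_jar(version):
    """Construct a minimal jar carrying only log4j-core's Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\n"
            f"artifactId=log4j-core\n")
    return buf.getvalue()


def build_sample_tree(root):
    """Write constructed sample archives (not real apps) under root."""
    root = Path(root)
    (root / "lib").mkdir()
    # app-a bundles a pre-fix log4j-core directly.
    (root / "lib" / "app-a.jar").write_bytes(_log4j_core_jar("2.14.1"))
    # app-b is a WAR whose WEB-INF/lib carries a patched log4j-core.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", _log4j_core_jar("2.17.0"))
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    (root / "app-b.war").write_bytes(buf.getvalue())
    # plugin-c bundles no log4j at all and relies on the host platform's copy.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Plugin.class", b"")
    (root / "lib" / "plugin-c.jar").write_bytes(buf.getvalue())


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for origin, version, status in demo():
        print(f"{status:18} {version:8} {origin}")
```

Point scan_directory at an app installation directory to get a list of bundled log4j-core copies with their versions. It only covers copies bundled inside archives: the Log4j version provided by the host platform (Jira/Confluence's own fork) and the configuration changes relevant to CVE-2021-4104 have to be checked separately.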
You may want to consult the following pages for more information.
Canned Search for Confluence
After months of hard work, we are proud to announce the availability of Canned Search for Confluence (Data Center edition).
As the plugin offers many ways to search content within Confluence, we thought the information would be easier to digest as a PowerPoint deck.
If you find it difficult to get the information you need, you can try this out. You may discover new
Akeles releases 5 Forge Apps on Atlassian Marketplace
We are proud to be featured in Atlassian’s annual Developer Day as one of the pioneer Forge apps listed on Atlassian Marketplace.
What is Atlassian Forge
Forge is Atlassian’s next generation Cloud app development platform. Unlike traditional cloud apps, Forge apps run within Atlassian’s infrastructure, providing better performance and stronger integration. The data can be stored in Atlassian Cloud, which can address compliance issues like GDPR or data residency.
Introducing our 5 new Forge apps
This time round, we are launching not 1 but 5 Cloud apps, all built on Atlassian Forge. 3 of them are brand new apps that are only available for Atlassian Cloud.
1) Banners for Confluence Cloud (Cloud First)
You can now add Confluence macros to display heading banners to improve the readability of your content in Confluence.
2) Canned Search for Confluence Cloud
Users can search faster and get better results by using contextual information from the current page. You can:
- restrict your search to the children pages
- click the auto-generated link to go to the previous meeting minutes/release notes
- order the search results based on the modified date
- output the search results in tabular format
3) Countdown Timer for Confluence Cloud
This is a Cloud edition for our popular app for Confluence Server/Data Center. It displays the time remaining based on the date provided in the Confluence macro.
This is useful to remind the project teams how much time they have to their next major delivery.
4) Issue Progress for Jira Cloud (Cloud First)
This Jira Forge app allows users to generate a report across linked/sub-task issues based on the selected metric (e.g. count, story points, number fields, etc.) within the issue view. This gives users a quick overview of the current issue’s progress and the distribution of workload across the related issues.
5) Related Tickets for Jira Cloud (Cloud First)
We built this app specifically for ourselves, since we use Jira Service Management Cloud to support our customers on Atlassian Marketplace. By dog-fooding, we can understand the pain points and come up with better strategies and solutions.
Now we can see the tickets raised by the same Reporter directly in the issue. This gives us a better picture, so that we can address our customers in a personalized manner.
How is our experience with Forge?
As a Cloud app vendor, we like Forge because the backend infrastructure is taken care of entirely by Atlassian. There is no need for us to spend time and money setting up and monitoring external platforms. We only need to focus on developing the apps.
We are looking forward to more features in Forge so that we can add more capabilities to our Cloud apps. Our #1 wish is to display the number of active instances on the Marketplace listing. Currently, the number of Forge installations is not included in the count.
How can you help?
We look forward to your feedback on how to improve our Cloud apps. You can reach out to us via our Service Desk running on Jira Service Management Cloud.
Also, YouTube requires us to have 100 or more subscribers before we can apply for a custom URL for our Akeles YouTube channel. If you think the videos are useful and would like to support us, kindly click on the Subscribe button on the video. Thank you in advance for your support.
Paying It Forward
2020 is a year of many firsts. The first time we could not work in the office and had to work from home. The first time lockdowns were enforced in many cities worldwide at the same time. The first time Atlassian announced the end of support for their server products.
It has been a long journey for Akeles. We launched our 1st paid app, the Attachment Checker for Jira plugin, on Atlassian Marketplace in 2013. Fast forward 7 years, and we now have 26 apps listed on Atlassian Marketplace with thousands of users.
This could not have been possible without the support from the Atlassian community and our customers all these years.
While we are fortunate that we do not have to downsize, we understand that this year has been difficult for many others. We have read news that charities worldwide are also facing challenges with reduced donations this year.
So this Christmas, we are doing something extra to express our gratitude to those who have helped us. In addition to our annual donations, we are going to #PayItForward and spread the spirit of kindness.
For each server app, we are giving away 50 licenses for FREE…
S/N  Name of App                        For
1    Attachment Checker for Confluence  Confluence
2    Attachment Checker for Jira        Jira
3    Canned Search Gadget               Jira
4    Canned Search for Confluence       Confluence
5    Dashboard Folders for Jira         Jira
6    Days Elapsed Plugin                Jira
7    Issue Archiver for Jira            Jira
8    Lookup Manager                     Jira
9    Multiple Filters Chart Gadget      Jira
10   Out Of Office Assistant            Jira
11   SQL Reporter for Jira              Jira
12   Smart Issue Searcher               Jira
13   Support Tracker                    Jira
14   Table Custom Fields for Jira       Jira
15   Three Dimensional Date Gadgets     Jira
The only condition is that only those who have donated to a charity in 2020 are eligible.
There is no restriction on which charity or the amount donated, as long as the donation is made before 31 Dec 2020. No proof of donation is required since this is based on trust. It would be administratively tedious to enforce it 😛
So if you or your organization have made any donation this year, you can get a free perpetual plugin license of your choice. We believe one good turn deserves another 😇
If you have yet to make a donation, we hope we can encourage you to lend a helping hand to someone in need. Then you will similarly be eligible too 😄
This offer is only valid for 7 days. The link for the free license will be deactivated on 31st Dec 2020 23:59 UTC.
We hope this small campaign will make a difference to the world we live in.
COVID-19 is a good reminder that we are OK only when everyone around us is OK.
Here is a post to commemorate the release of a new feature: Color Scheme Enhancement for Multiple Filters Chart Gadget version 2.1.0.
- “What purpose will this color serve?”
- “Will this (color) serve its purpose effectively?”
When color is used effectively, it brings life to the charts and directs users to focus on the details required for effective communication, such as to:
- (1) highlight particular data (e.g. tasks that have yet to be completed)
- (2) encode quantitative values (e.g. density of importance corresponds to darker shades)
- (3) group items
Colors themselves tell a story, and it is the responsibility of the designer to make sure the palette used does not create confusion within a data visualization. Thus, the palettes used should have enough variation in hue and brightness.
Try out the different color palettes available in Multiple Filters Chart Gadget and explore the possibilities with colors.
Image Retrieved From https://thumbnails-visually.netdna-ssl.com/color-emotion-guide_512d42458efc1_w1500.png
Deploying Atlassian tools for the Enterprise
Over the years, the customer base of Atlassian has evolved from small companies who hosted their server under someone’s table to large enterprises. Their tools are being used by NASA for space exploration projects and by Rakuten for the development of Japan’s biggest online marketplace.
Many customers have been demanding improvements in robustness such as clustering, high availability and higher levels of support. So if you are deploying Atlassian products, you might be interested to know about their new offerings:
JIRA/Confluence Data Center
- Designed for high availability and performance at scale
- Provides active-active clustering to ensure users have uninterrupted access
- Increases concurrent usage capacity without sacrificing performance
- New nodes can be added without taking the system offline
- Data Center is available at US$24,000 per year for every 1,000 users
- Together with the introduction of Data Center, there are 3 flavours available for different types of users:
- Server (previously known as Download)
- Cloud (previously known as OnDemand)
- Data Center (new license)
For differences between the Server and Cloud editions, check out our Infographic: Atlassian OnDemand vs In-Premise.
Technical Account Management Programme
- Provides 1:1 guidance to help with operational activities, governance and strategic planning to get the most from your Atlassian investment
- A Technical Account Manager (TAM) from Atlassian will be assigned
- Available 1 day per week for US$60,000/year
- Provides access to a dedicated team of senior support engineers with enhanced SLAs and availability
- Has intimate knowledge of your environment to quickly address and manage critical incidents
- Premier support is available for US$35,000/year
For on-site support in Singapore, we have specialised local support plans as well.
For those who are keen on JIRA Data Center, there are some other useful resources:
- Free Data Center Webinars
- Plugin Guide to JIRA High Availability & Clustering
- JIRA Data Center Installation Guide
Help your helpdesk staff to go home earlier
Atlassian has announced 3 new products in the recent Atlassian Summit 2003. One of them is the JIRA Service Desk.
JIRA Service Desk is a JIRA add-on that:
- Allows customers to ask for help more easily with an intuitive and clean interface. They get to see the terms in their own language, different from what the IT team sees
- Allows the helpdesk team to distinguish the urgent issues with powerful SLA rules
- Allows customers to solve their problems faster by suggesting solutions when they file the ticket
For details, please refer to the video intro.
Make your diagrams more professional
Our favourite diagramming editor has just got better!
Gliffy has recently released updates to their Gliffy Confluence Plugin. In this latest version, improvements have been made to allow users to create their diagrams more easily and more professionally with Templates and Themes.
For more details, check out the video below.
Stash 2.0 – Giving you more control with DVCS
Atlassian has launched Stash 2.0 together with Enterprise Support for it. Stash is an on-premise Git repository management solution that gives teams a central way to manage their distributed and growing code base.
With Stash, it is possible to:
- integrate with corporate LDAP
- enforce permissions at project or branch level
- integrate with JIRA issue tracker
- extend new features with plugins
- and more
For those who have not heard of Git, it is the fastest growing DVCS (Distributed Version Control System), with adoption rising from 13% (2011) to 27% (2012). People are switching from Subversion to DVCS to be more efficient, reduce dependencies among developers and take advantage of the workflows.