What is CVE-2021-44228
CVE-2021-44228, also known as Log4Shell, is a serious vulnerability that was disclosed recently. It allows an attacker to execute malicious code in any application that uses a vulnerable version of Log4j (version 2.0 onwards). The impact is very severe because:
- It is extremely simple to carry out such an attack
- Log4j is the most popular logging framework and is used by many Java applications
- There are already many attempts on the Internet to scan for this loophole
The official guidance is to patch affected applications by upgrading to Log4j version 2.16 onwards.
Are Akeles Jira/Confluence apps safe?
Thankfully, with tools such as Bitbucket and Sonatype Nexus Lifecycle, we were able to identify the third-party components used in our applications.
We have verified that we do not bundle the log4j library in our Jira/Confluence apps; our apps use the log4j library provided by Jira/Confluence itself. Hence we are safe.
Another piece of reassuring news is that Atlassian is also scanning the apps listed on the Atlassian Marketplace.
Each vulnerable DC or server app will be given the same expedited deadline as cloud apps. DC and server apps that fail to address the vulnerability within this expedited timeframe will be removed from the marketplace, and then Atlassian will inform customers who have vulnerable paid apps installed.
While doing research for our customers, we have also compiled a list of official statements from fellow app publishers. We hope it will be helpful for those who need to do their “due diligence”.
Are my Atlassian applications safe?
Atlassian has published a detailed official advisory stating that Jira and Confluence use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. However, Atlassian confirmed a similar but low-risk vulnerability (CVE-2021-4104), which is exposed only if the log4j configuration has been modified from the default settings.
The risk is low because these settings are not enabled by default. Nevertheless, it is better to double-check.
While Bitbucket is not affected by the remote code execution, it may be at risk of information leakage due to its use of affected versions of Elasticsearch. The remediation steps are available in the Atlassian security advisory.
Are my Sonatype applications safe?
For our customers who are using Sonatype products: Nexus Lifecycle, Nexus Firewall and Nexus Repository use logback instead of log4j, and hence are not affected. The official statement is available on the Sonatype website.
Food for Thought
The interconnectedness of the Internet makes it even more challenging to prevent such zero-day vulnerabilities. Here are some questions we need to take into consideration for our IT strategy (tooling, SaaS services, architecture, processes, automation, etc.):
- How can we be notified of any vulnerabilities as soon as possible?
- How can we minimise the risks and impact of an attack?
- How can we identify the affected applications quickly?
- How can we ensure the 3rd party libraries used are safe?
- How can we patch the affected applications in a timely manner?
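Two of the questions above (identifying affected applications quickly, and checking whether third-party libraries bundle a vulnerable dependency) come down to an inventory of what is actually deployed. The script below is an added example written for this page; it is not Akeles', Atlassian's or Sonatype's tooling. It walks a directory of Java archives, looks inside each jar (and inside jars nested in wars or fat jars) for the `log4j-core` Maven marker file, reports the embedded version, applies the 2.16 threshold cited above, and notes whether the `JndiLookup` class is present. The sample archives are constructed in a temporary directory purely as fixtures; the version numbers, file names and placeholder class bytes are assumptions for the demo.

```python
"""Added example: inventory jars for a bundled log4j-core and flag versions below 2.16.
Not the page's or any vendor's code. Fixture archives are constructed inline."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 16, 0)  # page guidance: upgrade to Log4j 2.16 onwards
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a missing patch component counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(x or 0) for x in m.groups()) if m else None


def is_vulnerable(version):
    """Log4j 2.0 up to, but excluding, 2.16 is treated as affected (per the page)."""
    v = parse_version(version)
    return v is not None and v[0] == 2 and v < FIXED_VERSION


def inspect_archive(zf, label):
    """Return findings for this archive and for archives nested inside it."""
    findings = []
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        props = zf.read(POM_PROPERTIES).decode("utf-8", errors="replace")
        version = next((line.split("=", 1)[1].strip() for line in props.splitlines()
                        if line.startswith("version=")), "unknown")
        findings.append({
            "path": label,
            "version": version,
            "vulnerable": is_vulnerable(version),
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
        })
    for name in sorted(names):  # recurse into WEB-INF/lib/*.jar, fat jars, etc.
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(inspect_archive(inner, f"{label}!{name}"))
            except zipfile.BadZipFile:
                continue  # entry is not a real archive; skip it
    return findings


def scan_directory(root):
    """Scan every archive under root; paths are reported relative to root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path.relative_to(root).as_posix()))
            except zipfile.BadZipFile:
                continue
    return findings


def _write_jar(target, version=None, with_jndi=True, nested=None):
    """Constructed fixture: a minimal jar with optional log4j-core marker files."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPERTIES,
                        f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
        for inner_name, inner_bytes in (nested or {}).items():
            zf.writestr(inner_name, inner_bytes)


def build_sample_tree(root):
    """Constructed fixtures: two log4j-core jars, an unrelated jar, and a war bundling an old log4j-core."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    _write_jar(root / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
    _write_jar(root / "lib" / "log4j-core-2.16.0.jar", "2.16.0", with_jndi=False)
    _write_jar(root / "lib" / "commons-io-2.11.0.jar")
    buf = io.BytesIO()
    _write_jar(buf, "2.11.2")
    _write_jar(root / "app.war", nested={"WEB-INF/lib/log4j-core-2.11.2.jar": buf.getvalue()})
    return root


def demo():
    """Build the fixture tree in a temp directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['version']:8} jndi={f['jndi_lookup_present']}  {f['path']}")
```

Run it against a real deployment by replacing `demo()` with `scan_directory("/path/to/install")`; it reports the nested path (`app.war!WEB-INF/lib/...`) so a finding inside a fat jar can be traced to the archive that bundles it. The version check is a first pass only: a jar with no `pom.properties` is not reported, so treat an empty result as "nothing found by this method", not as proof of absence.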
You may want to consult the following pages for more information