Impact Analysis of CVE-2021-44228 Vulnerability
- Deniz Oğuz
We generally use Atlassian provided dependencies for our add-ons. Our add-on does not use Log4j directly we have no dependency to it. We are using SLF4J (also Atlassian provided dependency) for logging which is a facade for various logging frameworks. When our add-on is deployed to Jira, SLF4J uses Log4j to output log messages due to Jira's configuration. By default Atlassian provides a custom version (1.2.17-atlassian-2, not subject to CVE-2021-44228) of Log4j with Jira and stock log4j.properties file doesn't make use of JMS. So if you haven't modified anything you should be safe. In below link you can find Atlassian's analysis of this issue:
Below is log4j search in our dependency tree using pom.xml. As you can see, we only depend on log4j transitively via jira-core. Jira itself bundles log4j dependency used. Also you can download our app's .jar/.obr file from the marketplace. Rename it to .zip and open it with any archive application and check it's bundled dependencies, you will see that we don't bundle any version of log4j.
In short, If your Jira is NOT vulnerable, our add-on is also NOT vulnerable.