CVE-2021-44228 - Log4j vulnerable to remote code execution
Advisory Release Date
Jan 13, 2022
Impact on JEditor
JEditor is not vulnerable to CVE-2021-44228.
JEditor does not incorporate the Log4j library and instead uses the host application's (Jira Software Server and Data Center/Jira Service Management Server and Data Center) logging facade, which uses Atlassian's fork of Log4j v1.2.x, which is not vulnerable.
Atlassian has discovered a similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party and has LOW severity. Please refer to the following Atlassian security advisory for more details:
According to the security advisory by Atlassian, the forked version of Log4j is only vulnerable under the following circumstances (all of the following must be true):
- The JMS Appender is configured in the application's Log4j configuration
- The javax.jms API is included in the application's CLASSPATH
- The JMS Appender has been configured with a JNDI lookup to a third party.
Note: this can only be done by a trusted user modifying the application's configuration or by trusted code setting a property at runtime
JEditor doesn't have a separate Log4j configuration as it relies on Jira's logging client.
JEditor's CLASSPATH explicitly excludes javax.jms API.
If you have questions or concerns regarding this security advisory, please feel free to contact our support team using this portal or send a message to firstname.lastname@example.org.