Hi Team,
As per a recent scan, we found that there are a lot of places where Atlassian bundled plugins are using log4j 1.2.17 inside.
We are using Jira Service Management 8.13.
Any suggestions on how we can remediate this kind of issue? Has Atlassian released any guideline around bundled plugins?
We can upgrade to a newer version, but how can we make sure that the new version is using updated log4j files?
Here are the file names:
Jira
------------
Plugin Output:
Path : C:\Program Files\Atlassian\JIRA\atlassian-jira\WEB-INF\atlassian-bundled-plugins\analytics-client-6.1.7.jar
Installed version : 1.2.17
Fixed version : 2.16.0
Path : C:\Program Files\Atlassian\JIRA\atlassian-jira\WEB-INF\atlassian-bundled-plugins\atlassian-whisper-plugin-3.0.0.jar
Installed version : 1.2.17
Fixed version : 2.16.0
Path : C:\Program Files\Atlassian\JIRA\bin\password-cipher-cli-1.0.15.jar
Installed version : 1.2.17
Fixed version : 2.16.0
Confluence
---------------------
Plugin Output:
Path : C:\Program Files\Atlassian\Confluence\confluence\WEB-INF\atlassian-bundled-plugins\analytics-client-5.8.10.jar
Installed version : 1.2.17
Fixed version : 2.16.0
Path : E:\Program Files\Atlassian\Application Data\Confluence\plugins-osgi-cache\transformed-plugins\analytics-client-5.8.10_1629078628000.jar
Installed version : 1.2.17
Fixed version : 2.16.0
Welcome to the Community!!
Yes, absolutely right. Upgrading the instance will replace the installation directory, and so the jar files as well!!
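One way to check after an upgrade which log4j versions the JAR files still embed, as an added example that is not part of the original thread and is not Atlassian tooling. It assumes embedded copies keep their Maven `pom.properties` metadata and falls back to class-name markers otherwise; the function names are illustrative.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata kept inside a JAR when log4j is embedded (assumption: the
# plugin build did not strip META-INF/maven while bundling the library).
POM = re.compile(r"META-INF/maven/(log4j/log4j|org\.apache\.logging\.log4j/log4j-core)/pom\.properties$")
# Fallback markers when the metadata is missing: the version is then unknown.
MARKERS = ("org/apache/log4j/Category.class",
           "org/apache/logging/log4j/core/lookup/JndiLookup.class")

def scan_archive(data, label):
    """Return (location, artifact, version) tuples for log4j found in one archive."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # truncated or non-JAR file: nothing to report
    with zf:
        names = zf.namelist()
        for name in names:
            m = POM.search(name)
            if m:
                props = zf.read(name).decode("utf-8", "replace")
                ver = re.search(r"^version=(.+)$", props, re.M)
                hits.append((label, m.group(1).split("/")[-1],
                             ver.group(1).strip() if ver else "unknown"))
            elif name.lower().endswith(".jar"):
                # JARs nested inside a plugin JAR (e.g. under META-INF/lib)
                hits += scan_archive(zf.read(name), f"{label}!{name}")
        if not any(h[0] == label for h in hits):
            hits += [(label, mk, "unknown") for mk in MARKERS
                     if any(n.endswith(mk) for n in names)]
    return hits

def scan_tree(root):
    """Scan every *.jar below root, e.g. the Jira or Confluence install directory."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        hits += scan_archive(jar.read_bytes(), str(jar))
    return hits

if __name__ == "__main__":
    for location, artifact, version in scan_tree(sys.argv[1]):
        print(f"{version:10} {artifact:12} {location}")
```

Run it against the installation directory and against the application data directory, since the scan output above also lists a copy under `plugins-osgi-cache`.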