Security Scans flag Log4j1.2.7 in Jira
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Jira ships an Atlassian-maintained fork of Log4j 1.2 (version string 1.2.17-atlassian-16). Security scanners identify it as Apache log4j 1.2.7, or more generally as a Log4j 1.2.x release, and flag it against the CVEs published for that library.
The fork is not impacted by those known issues: the vulnerable code has been removed from it, so the scanner findings are false positives.
CVE-2021-44228
Not vulnerable to CVE-2021-44228 (Log4Shell):
Some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. That vulnerability lies in the JNDI message-lookup feature of Log4j 2.x, which Log4j 1.x does not implement.
We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low.
CVE-2019-17571
Not vulnerable to CVE-2019-17571
Vulnerability details: CVE-2019-17571, Deserialization of Untrusted Data
Log4j 1.2 includes a SocketServer class that deserializes untrusted data. When it listens for log data on untrusted network traffic, it can be exploited to execute arbitrary code remotely when combined with a deserialization gadget.
The vulnerability can only be exploited if log4j is configured to receive log messages from other systems over TCP or UDP; this is not a default setting.
Also, Jira uses the Atlassian-maintained fork of Log4j (1.2.17-atlassian-16). In that version, the code affected by CVE-2019-17571 has been deleted, so it is no longer even possible to configure log4j in a way that makes the vulnerability exploitable.
Diagnosis
Security scans report that Jira is using Apache log4j 1.2.7 and associate it with one or more of the known CVEs for the library, such as the two discussed above. The scanner is matching on a Log4j 1.2 version string; it does not inspect whether the jar still contains the vulnerable code, so the shipped jar in the Jira installation should be checked directly.
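As a check an administrator can run against the jar itself, the following added example (not Atlassian's code and not part of the original KB) reads the version string a Log4j jar actually carries and tests for the class files behind the two CVEs above: org.apache.log4j.net.SocketServer and SocketNode for CVE-2019-17571, and the Log4j 2.x JndiLookup class for CVE-2021-44228. The pom.properties path under META-INF/maven/log4j/log4j and the atlassian-jira/WEB-INF/lib location are assumptions; the two jars built by demo() are constructed stand-ins, not real Log4j archives.

```python
"""Inspect a Log4j jar to confirm or refute a scanner's Log4j 1.2 finding.

Added example, not code from the Atlassian KB. It reads a jar's version
metadata and checks for the class files behind the CVEs discussed above.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Classes behind CVE-2019-17571: SocketServer accepts TCP connections and
# SocketNode deserializes the LoggingEvent objects sent over them.
SOCKET_RECEIVER_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)
# Class behind CVE-2021-44228; it exists only in Log4j 2.x, never in a 1.x jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed Maven metadata path for the log4j:log4j artifact.
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"


def version_from_name(filename):
    """Fall back to the file name, e.g. log4j-1.2.17-atlassian-16.jar."""
    match = re.search(r"log4j-(\d[\w.-]*)\.jar$", filename)
    return match.group(1) if match else None


def version_from_metadata(jar, names):
    """Prefer pom.properties, then the manifest, for the shipped version string."""
    if POM_PROPERTIES in names:
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    if "META-INF/MANIFEST.MF" in names:
        for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            for header in ("Implementation-Version", "Bundle-Version"):
                if line.startswith(header + ":"):
                    return line.split(":", 1)[1].strip()
    return None


def audit_log4j_jar(jar_path):
    """Return what the jar actually contains, independent of the scanner's guess."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        version = version_from_metadata(jar, names) or version_from_name(jar_path.name)
    return {
        "jar": jar_path.name,
        "version": version,
        "atlassian_fork": bool(version) and "atlassian" in version,
        "has_socket_receiver": any(cls in names for cls in SOCKET_RECEIVER_CLASSES),
        "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
    }


def verdict(result):
    """Summarise an audit result the way a ticket note would."""
    if result["has_jndi_lookup"]:
        return "Log4j 2.x JndiLookup present: treat CVE-2021-44228 as real"
    if result["has_socket_receiver"]:
        return "SocketServer/SocketNode present: CVE-2019-17571 code is in the jar"
    if result["atlassian_fork"]:
        return "Atlassian fork without the vulnerable classes: scanner finding is a false positive"
    return "no vulnerable classes found; confirm the jar's provenance"


def find_log4j_jars(install_dir):
    """Locate Log4j jars under a Jira install (assumed: atlassian-jira/WEB-INF/lib)."""
    return sorted(Path(install_dir).rglob("log4j*.jar"))


def build_sample_jar(path, version, include_socket_receiver):
    """Constructed stand-in jar for the demo; real jars hold hundreds of classes."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        jar.writestr(POM_PROPERTIES, "version=%s\ngroupId=log4j\nartifactId=log4j\n" % version)
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        if include_socket_receiver:
            for cls in SOCKET_RECEIVER_CLASSES:
                jar.writestr(cls, b"\xca\xfe\xba\xbe")


def demo():
    """Audit a constructed stock 1.2.17 jar next to a constructed Atlassian fork jar."""
    workdir = Path(tempfile.mkdtemp(prefix="log4j-audit-"))
    build_sample_jar(workdir / "log4j-1.2.17.jar", "1.2.17", include_socket_receiver=True)
    build_sample_jar(workdir / "log4j-1.2.17-atlassian-16.jar", "1.2.17-atlassian-16",
                     include_socket_receiver=False)
    return [audit_log4j_jar(p) for p in find_log4j_jars(workdir)]


if __name__ == "__main__":
    for result in demo():
        print(result["jar"], result["version"], "->", verdict(result))
```

On a real installation, point find_log4j_jars() at the Jira install directory and run audit_log4j_jar() on each hit; a fork jar that carries the atlassian version string and none of the listed classes is the evidence to attach when closing the scanner finding as a false positive.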
Cause
The alerts returned by a security scan are false positives. The scanner matches on the Log4j 1.2 version string and does not account for the custom branch Jira uses, from which the vulnerable code has been removed. The only true impact is that Log4j 1.2.x is end of life upstream and no longer receives fixes from the Apache project.
Solution
There is no workaround at this time, and it is not possible to upgrade or replace the log4j library in Jira, since the fork is bundled with the product.
The vulnerable code behind most of Log4j 1.2.x's CVEs has been removed from the branch Jira uses, so the scan findings can be recorded as false positives.