I did a scan of my server today, and received a Log4j vulnerability CVE-2021-4104. Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104) (156103) for easyBI. The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender.
Path: D:\Program Files\Atlassian\Application Data\JIRA\plugins.osgi-plugins\transformed-plugins\plugin.335145688991903414.eazybi-jira-6.4.0_1639076969139.jar
Installed version : 1.2.17
Fixed version : 2.16.0
Is there going to be a remediation from easyBI to remove this vulnerability?
Hi,
We rechecked and can confirm that CVE-2021-4104 vulnerability cannot be exploited with eazyBI.
However, we plan that the next version of eazyBI (6.5.0) will come with a new version of the log4j library.
Kindly,
Janis, eazyBI support
Hi,
As per the recommendation, we have upgraded to EazyBI version 6.6. however, we are still seeing this vulnerability listed in the rescan.
Even after clearing the Cache folder, older version of EazyBi (6.4) is appearing in the below path and Vulnerbility is getting listed again.
var/lib/jira/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle216/version0.0/plugin_1996030852170769627_eazybi-jira-6.4.0_1644235373056.jar-lib/0/META-INF/rails.root/vendor/gems/mondrian-olap/lib/mondrian/jars/log4j-1.2.17.jar
How can we avoid it?