I'm getting a Log4j vulnerability in my Jira/eazyBI instance: CVE-2021-4104

I did a scan of my server today and received a Log4j vulnerability, CVE-2021-4104: Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104) (156103) for eazyBI. The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender.

Path: D:\Program Files\Atlassian\Application Data\JIRA\plugins.osgi-plugins\transformed-plugins\plugin.335145688991903414.eazybi-jira-6.4.0_1639076969139.jar
Installed version : 1.2.17
Fixed version : 2.16.0
Is there going to be a remediation from eazyBI to remove this vulnerability?

Hi,

We rechecked and can confirm that CVE-2021-4104 vulnerability cannot be exploited with eazyBI.
However, we plan that the next version of eazyBI (6.5.0) will come with a new version of the log4j library.

Kindly,
Janis, eazyBI support

Hi,

As per the recommendation, we have upgraded to eazyBI version 6.6; however, we are still seeing this vulnerability listed in the rescan.
Even after clearing the cache folder, the older version of eazyBI (6.4) is appearing in the path below and the vulnerability is getting listed again.
var/lib/jira/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle216/version0.0/plugin_1996030852170769627_eazybi-jira-6.4.0_1644235373056.jar-lib/0/META-INF/rails.root/vendor/gems/mondrian-olap/lib/mondrian/jars/log4j-1.2.17.jar

How can we avoid it?

Hi,

It seems that Jira does not automatically remove JAR files of previous app versions, so a full scan of the files can still find the obsolete version of the app. There is no actual vulnerability, since this file should not be running once you have installed version 6.5 or later.

Perhaps this suggestion could help: Is it safe to/should I remove older versions of pl....

Kindly,
Janis, eazyBI support
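As an added example following the thread above (not code from eazyBI, Atlassian or this forum), here is a small Python triage script for the situation Janis describes: it walks a Jira home tree, lists every log4j jar, infers from the path which eazyBI plugin version shipped the jar, flags copies that belong to a version other than the one currently installed (the obsolete felix-cache copy the rescan keeps reporting), and checks a log4j 1.x configuration for the JMSAppender the scanner's condition hinges on. The directory layout in `demo()` is constructed to mirror the path quoted in the thread; the 6.6.0 bundle directory and its jar name are assumed placeholders.

```python
import re
import tempfile
from pathlib import Path

# log4j jar file name, e.g. log4j-1.2.17.jar (the file the rescan keeps flagging)
LOG4J_JAR = re.compile(r"^log4j-(\d+)\.(\d+)\.(\d+)\.jar$")
# eazyBI plugin version embedded in the felix-cache path, e.g. eazybi-jira-6.4.0
EAZYBI_VER = re.compile(r"eazybi-jira-(\d+\.\d+\.\d+)")


def scan_log4j_jars(root, current_plugin_version):
    """Return one finding per log4j jar under `root`. A finding is stale when the
    path says it was shipped with an eazyBI plugin version other than the one
    currently installed: the leftover felix-cache copy, not a jar the app loads."""
    findings = []
    for path in sorted(Path(root).rglob("log4j-*.jar")):
        m = LOG4J_JAR.match(path.name)
        if not m:
            continue  # e.g. log4j-api-2.x.jar uses a different naming scheme
        pm = EAZYBI_VER.search(path.as_posix())
        plugin_ver = pm.group(1) if pm else None
        findings.append({
            "jar": path.as_posix(),
            "log4j_version": ".".join(m.groups()),
            "log4j1": m.group(1) == "1",
            "plugin_version": plugin_ver,
            "stale": plugin_ver is not None and plugin_ver != current_plugin_version,
        })
    return findings


def jms_appender_configured(config_text):
    """CVE-2021-4104 needs a log4j 1.x config that actually wires up JMSAppender."""
    return "org.apache.log4j.net.JMSAppender" in config_text


def demo():
    """Constructed tree mirroring the thread's felix-cache path, scanned as 6.6.0."""
    home = Path(tempfile.mkdtemp())
    cache = home / "plugins/.osgi-plugins/felix/felix-cache"
    old = cache / ("bundle216/version0.0/plugin_1996030852170769627_eazybi-jira-6.4.0_"
                   "1644235373056.jar-lib/0/META-INF/rails.root/vendor/gems/mondrian-olap"
                   "/lib/mondrian/jars/log4j-1.2.17.jar")
    # Assumed placeholder for the currently installed bundle; not eazyBI's real layout.
    new = cache / "bundle300/version0.0/plugin_1_eazybi-jira-6.6.0_1.jar-lib/0/lib/log4j-2.0.0.jar"
    for jar in (old, new):
        jar.parent.mkdir(parents=True, exist_ok=True)
        jar.write_bytes(b"PK")  # placeholder bytes, not a real archive
    return scan_log4j_jars(home, "6.6.0")
```

Run `demo()` against a real Jira home by replacing the constructed tree with the actual `plugins/.osgi-plugins` directory and the plugin version shown in Manage apps; a stale, log4j 1.x finding is the obsolete file the answer refers to, and a real log4j 1.x config without JMSAppender does not meet the scanner's stated condition.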