I'm getting a Log4j vulnerability in my Jira/eazyBI instance: CVE-2021-4104

I did a scan of my server today and received a Log4j vulnerability, CVE-2021-4104: Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104) (156103) for eazyBI. The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender.

Path: D:\Program Files\Atlassian\Application Data\JIRA\plugins.osgi-plugins\transformed-plugins\plugin.335145688991903414.eazybi-jira-6.4.0_1639076969139.jar
Installed version : 1.2.17
Fixed version : 2.16.0

Is there going to be a remediation from eazyBI to remove this vulnerability?


We rechecked and can confirm that the CVE-2021-4104 vulnerability cannot be exploited with eazyBI.
However, we plan that the next version of eazyBI (6.5.0) will come with a new version of the log4j library.

Janis, eazyBI support
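
The scanner finding quoted in the question applies only when log4j 1.x is configured to use JMSAppender. As an added example (not part of the original thread and not eazyBI's code), this Python script checks a jar, including jars bundled inside it, for the JMSAppender class and for log4j config files that reference it outside comments. The archive contents in `demo()` are constructed, and `build_jar` and `demo` are hypothetical helper names.

```python
import io
import re
import zipfile

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"
JMS_NAME = "org.apache.log4j.net.JMSAppender"
CONFIG_RE = re.compile(r"(^|/)log4j[^/]*\.(properties|xml)$")
NESTED_RE = re.compile(r"\.(jar|war|ear)$", re.I)

def config_uses_jms(name, raw):
    """True if a log4j 1.x config references JMSAppender outside comments."""
    comment = r"<!--.*?-->" if name.endswith(".xml") else r"^[ \t]*[#!][^\n]*"
    text = re.sub(comment, "", raw.decode("utf-8", "replace"), flags=re.S | re.M)
    return JMS_NAME in text

def scan_archive(data, label, depth=0):
    """Scan jar bytes, recursing into bundled archives (at most 4 levels)."""
    found = {"class_present": [], "configured": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            where = f"{label}!/{name}"
            if name == JMS_CLASS:
                found["class_present"].append(where)
            elif CONFIG_RE.search(name) and config_uses_jms(name, zf.read(name)):
                found["configured"].append(where)
            elif NESTED_RE.search(name) and depth < 4:
                try:
                    inner = scan_archive(zf.read(name), where, depth + 1)
                except zipfile.BadZipFile:
                    continue  # entry is named like an archive but is not one
                for key in found:
                    found[key] += inner[key]
    return found

def build_jar(entries):  # constructed sample data only: {name: bytes} -> jar bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample: bundled log4j 1.x jar, JMSAppender only in a comment.
    props = b"# log4j.appender.jms=" + JMS_NAME.encode() + b"\nlog4j.rootLogger=INFO, file\n"
    lib = build_jar({JMS_CLASS: b"\xca\xfe\xba\xbe"})
    plugin = build_jar({"META-INF/lib/log4j-1.2.17.jar": lib, "log4j.properties": props})
    return scan_archive(plugin, "plugin.jar")

if __name__ == "__main__":
    print(demo())
```

A clean `configured` list covers only config files packaged inside the archive; a log4j configuration supplied from outside the jar or set programmatically is not seen by this check.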