Statement regarding log4j vulnerability CVE-2021-44228

Hi,
is there any official statement regarding the log4j vulnerability for eazyBI? I can see that Atlassian themselves seem to rely on an old 1.x implementation from personal plugin development. Could you give a statement regarding the logging libraries you use?
Best regards,
Tobias

2 Likes

Hi,

The eazyBI app uses the log4j library, but we checked that there is no actual impact on eazyBI from the CVE-2021-44228 vulnerability.

The eazyBI app includes the earlier version of log4j 1.2, which is not affected by this vulnerability. In addition, we do not log the user input using this library, so the vulnerability cannot be exploited.

We do not plan immediate action to fix the vulnerability, but the library will be upgraded in the next version of the eazyBI app.

Kindly,
Janis, eazyBI support

4 Likes

Stating that you are not affected because you are using an EOL version (as of 2015) is not sufficient unfortunately because it contains vulnerabilities as well.

https://www.cvedetails.com/cve/CVE-2019-17571/

What is the plan for addressing the vulnerabilities that exist in the version you are using?

1 Like

Hi,

We are aware of the CVE-2019-17571 vulnerability in the earlier version of the log4j library and can confirm that it has no impact on eazyBI. eazyBI does not listen to the network traffic to deserialize it.

We will let you know once the next version's release date is known.

Kindly,
Janis, eazyBI support
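A defender's check that follows from this thread, added here as an example and not eazyBI's or Atlassian's code: it walks a plugin or application directory, opens every jar, and reports which log4j generation it carries, its Maven version, and whether the classes behind the two CVEs discussed above (JndiLookup for CVE-2021-44228 in 2.x, SocketServer for CVE-2019-17571 in 1.x) are physically present. Class and pom.properties paths follow the standard log4j 1.2 / 2.x jar layout; the directory to scan and the fixture builder are assumptions for this example.

```python
"""Inventory log4j jars and flag the classes behind CVE-2021-44228 and CVE-2019-17571."""
import io
import os
import zipfile

# Marker classes: generation markers plus the classes the two CVEs live in.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/LogManager.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x, CVE-2021-44228
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"              # log4j 1.x, CVE-2019-17571


def inspect_jar(data: bytes) -> dict:
    """Return generation, Maven version and vulnerable-class flags for one jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        # Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    generation = "2.x" if LOG4J2_MARKER in names else "1.x" if LOG4J1_MARKER in names else None
    return {"generation": generation, "version": version,
            "jndi_lookup": JNDI_LOOKUP in names, "socket_server": SOCKET_SERVER in names}


def relevant_cves(info: dict) -> list:
    """CVEs from the thread whose code ships in the jar. Presence means the code is there;
    exploitability still depends on version and on whether the app uses it (e.g. runs SocketServer)."""
    cves = []
    if info["generation"] == "2.x" and info["jndi_lookup"]:
        cves.append("CVE-2021-44228")
    if info["generation"] == "1.x" and info["socket_server"]:
        cves.append("CVE-2019-17571")
    return cves


def scan_dir(root: str) -> dict:
    """Map each log4j-carrying .jar under root (assumed plugin/app dir) to its inspect_jar() result."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".jar"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    info = inspect_jar(fh.read())
                if info["generation"]:
                    findings[path] = info
    return findings


def make_fake_jar(group: str, artifact: str, version: str, entries) -> bytes:
    """Constructed fixture (not a real log4j jar): pom.properties plus empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties", f"version={version}\n")
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()
```

Run `scan_dir("/path/to/plugins")` against an installed instance to compare a vendor statement like the one above with what is actually bundled.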