2021-12-15 Security Advisory for Log4Shell vulnerability in OBSS apps on Jira Server and Jira Data Center

Title

Security Advisory for Log4Shell vulnerability about OBSS apps on Jira Server and Jira Data Center

Summary

Log4Shell vulnerability in the OBSS apps listed below was fixed

Security Advisory Release Date

15.12.2021

Severity

Critical

Affected Products

Field Sync

Service Desk Reporter

Affected Version(s)

All Field Sync versions before 5.6.3

All Service Desk Reporter versions before 2.3.5

Fixed Version(s)

Field Sync 5.6.3 and above

Service Desk Reporter 2.3.5 and above

Details

A vulnerability in the widely used log4j library was published on Dec 9th 2021. Details can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Field Sync (v5.6.2 and earlier) and Service Desk Reporter (v2.3.4 and earlier) use this library and are thought to be exposed to this vulnerability.

Workaround

Workarounds for this vulnerability (if any) can be found in the referenced CVE record:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Permanent Fix

Upgrade to Field Sync 5.6.3 or above.

Upgrade to Service Desk Reporter 2.3.5 or above.

What you should do

If you are using Field Sync or Service Desk Reporter apps on your Jira Server or Jira Data Center instances, you should update your apps ASAP.
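As an added example that is not part of this advisory and not OBSS code: a small Python check that compares the app versions installed on a Jira Server or Data Center instance against the fixed versions stated above (Field Sync 5.6.3, Service Desk Reporter 2.3.5). The inventory dictionary is a constructed sample; how you collect installed versions (for example from the Manage apps page) is outside the script. The point it shows is that version comparison must be numeric per component, because comparing version strings lexically misclassifies versions such as 5.10.0.

```python
"""Added example: compare installed OBSS app versions against the fixed
versions named in this advisory. Not OBSS code; the inventory below is a
constructed sample, not data taken from any real Jira instance."""
from typing import Dict, List, Tuple

# Fixed versions as stated in the advisory ("Fixed Version(s)" section).
FIXED_VERSIONS: Dict[str, str] = {
    "Field Sync": "5.6.3",
    "Service Desk Reporter": "2.3.5",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '5.6.3' into (5, 6, 3) so components compare numerically.

    Plain string comparison is the classic mistake here: "5.10.0" < "5.6.3"
    is True as strings, which would mark a fixed build as vulnerable (or,
    with the comparison reversed, a vulnerable build as safe). A qualifier
    such as '-SNAPSHOT' is dropped before parsing.
    """
    core = version.strip().split("-", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable component {piece!r} in version {version!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_affected(app: str, installed: str) -> bool:
    """True when the installed version is below the advisory's fixed version.

    Tuple comparison treats a shorter tuple as the lower one when all
    leading components are equal, so '2.3' < '2.3.5' and '5.6.3.1' >= '5.6.3'
    behave as expected without explicit padding.
    """
    if app not in FIXED_VERSIONS:
        raise KeyError(f"{app!r} is not covered by this advisory")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[app])


def check_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return a per-app verdict; apps not in the advisory are reported as such."""
    verdicts: Dict[str, str] = {}
    for app, installed in inventory.items():
        if app not in FIXED_VERSIONS:
            verdicts[app] = "not covered by this advisory"
        elif is_affected(app, installed):
            verdicts[app] = f"AFFECTED - upgrade to {FIXED_VERSIONS[app]} or above"
        else:
            verdicts[app] = "fixed version installed"
    return verdicts


# Constructed sample inventory (app name -> installed version), not real data.
SAMPLE_INVENTORY: Dict[str, str] = {
    "Field Sync": "5.6.2",
    "Service Desk Reporter": "2.3.5",
    "Some Other App": "1.0.0",
}

if __name__ == "__main__":
    for app, verdict in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{app}: {verdict}")
```

Running the script prints one verdict per app in the sample inventory; replace `SAMPLE_INVENTORY` with the versions actually installed on your instance.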

Support

If you have questions, you can reach the OBSS support team through https://pluginsupport.obss.com.tr/ or by sending an e-mail to plugin@obss.com.tr

Frequently Asked Questions (FAQ)

  • I am using Jira Cloud. Do I need to do anything?

    No, this vulnerability only affects Jira Server and Data Center. Jira Cloud users don't need to do anything.

  • Does this vulnerability affect other parts of Jira?

    Atlassian is investigating the effects of this vulnerability on Jira and other Atlassian products. Please follow the Atlassian links below:

    https://community.developer.atlassian.com/t/update-atlassians-investigation-on-cve-2021-44228/54352/11
    https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulne%5B%E2%80%A6%5D-to-remote-code-execution-cve-2021-44228-1103069934.html
    https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

  • I have an evaluation version of one of the said products. Is my system affected too?

    Yes, this vulnerability is not related to the installed license. Both evaluation and paid versions are affected.

  • My Jira version is not supported by the latest version of your app. What should I do?

    You are recommended to upgrade your Jira to a version that is supported by Atlassian and then upgrade the app.

  • I am using other OBSS apps. Are they affected?

    Our investigations revealed that only Field Sync and Service Desk Reporter are affected by this vulnerability. Details and further updates about this investigation will be published here: 2021-12-13 Log4Shell Vulnerability