Exclude Log4j to mitigate JMSAppender RCE vulnerability (CVE-2021-4104)

BraisVQ · BraisVQ · commit c7ac16e81c07 · 2026-02-09T15:53:14.000+01:00
diff --git a/build.gradle b/build.gradle
@@ -130,15 +130,20 @@ dependencies {
             strictly '3.5.2'
         } // Cannot upgrade to '3.5.24'
         transitive = true
+        exclude group: 'log4j', module: 'log4j'
     }
     implementation('com.atlassian.security:atlassian-security:3.2.14') {
         transitive = true
+        exclude group: 'log4j', module: 'log4j'
     }
     implementation('com.atlassian.security:atlassian-cookie-tools:3.2.14') {
         transitive = true
+        exclude group: 'log4j', module: 'log4j'
     }
     implementation('javax.validation:validation-api:2.0.1.Final')
-    implementation('com.atlassian.crowd:crowd-integration-springsecurity:5.1.3')
+    implementation('com.atlassian.crowd:crowd-integration-springsecurity:5.1.3') {
+        exclude group: 'log4j', module: 'log4j'
+    }
     implementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
     implementation group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.1'
     implementation group: 'xerces', name: 'xercesImpl', version: '2.9.1'
@@ -224,6 +229,8 @@ configurations.all {
             it.useTarget 'com.atlassian.platform:platform:3.5.24'
         }
     }
+    // CVE-2021-4104: Exclude Log4j 1.2 to prevent JMSAppender RCE vulnerability
+    exclude group: 'log4j', module: 'log4j'
 }
 
 // configurations.implementation {

Original file line number	Diff line number	Diff line change
`@@ -130,15 +130,20 @@ dependencies {`
`130`	`130`	`strictly '3.5.2'`
`131`	`131`	`} // Cannot upgrade to '3.5.24'`
`132`	`132`	`transitive = true`
	`133`	`+ exclude group: 'log4j', module: 'log4j'`
`133`	`134`	`}`
`134`	`135`	`implementation('com.atlassian.security:atlassian-security:3.2.14') {`
`135`	`136`	`transitive = true`
	`137`	`+ exclude group: 'log4j', module: 'log4j'`
`136`	`138`	`}`
`137`	`139`	`implementation('com.atlassian.security:atlassian-cookie-tools:3.2.14') {`
`138`	`140`	`transitive = true`
	`141`	`+ exclude group: 'log4j', module: 'log4j'`
`139`	`142`	`}`
`140`	`143`	`implementation('javax.validation:validation-api:2.0.1.Final')`
`141`		`- implementation('com.atlassian.crowd:crowd-integration-springsecurity:5.1.3')`
	`144`	`+ implementation('com.atlassian.crowd:crowd-integration-springsecurity:5.1.3') {`
	`145`	`+ exclude group: 'log4j', module: 'log4j'`
	`146`	`+ }`
`142`	`147`	`implementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'`
`143`	`148`	`implementation group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.1'`
`144`	`149`	`implementation group: 'xerces', name: 'xercesImpl', version: '2.9.1'`
`@@ -224,6 +229,8 @@ configurations.all {`
`224`	`229`	`it.useTarget 'com.atlassian.platform:platform:3.5.24'`
`225`	`230`	`}`
`226`	`231`	`}`
	`232`	`+ // CVE-2021-4104: Exclude Log4j 1.2 to prevent JMSAppender RCE vulnerability`
	`233`	`+ exclude group: 'log4j', module: 'log4j'`
`227`	`234`	`}`
`228`	`235`
`229`	`236`	`// configurations.implementation {`