Dear customer,

On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2.

What you need to know

A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java. This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j.

Atlassian products

Tip: Atlassian on-premise applications use an outdated version of Log4j and are therefore not affected.
As of now, Atlassian issued no full Security Advisory. On 10th of December, Atlassian put out a FAQ for this exploit under https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

bitvoodoo apps

| Server and Data Center App | Status | Explanation |
|---|---|---|
| Viewtracker - Analytics for Confluence | Not vulnerable | We do not use lookup, and Confluence uses an old version of Log4j that is not affected. |
| Navitabs - Tabs for Confluence | Not vulnerable | |
| Advanced Panelboxes for Confluence | Not vulnerable | |
| Translations for Confluence | Not vulnerable | |
| Chat for Confluence | Not vulnerable | |
| Enterprise Theme for Confluence | Not vulnerable | |
| Templates for Blog Posts for Confluence | Not vulnerable | |
| Redirect for Confluence | Not vulnerable | |
| Content Scheduler for Confluence | Not vulnerable | |
| Advanced Search for Confluence | Not vulnerable | |
| Attachment Tracking for Confluence | Not vulnerable | |
| Search Analytics for Confluence | Not vulnerable | |
| Custom Field Option Synchronizer | Not vulnerable | Even though we use lookup of jndi for datasources, we use a static predefined prefix that contains "java:". This prevents other protocols from being used. |

| Cloud App | Status | Explanation |
|---|---|---|
| Viewtracker - Analytics for Confluence | Not vulnerable | Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot |
| Navitabs - Tabs for Confluence | Not vulnerable | |
| Advanced Panelboxes for Confluence | Not vulnerable | |
| Translations for Confluence | Not vulnerable | |

What should I do?

If you are using the default configuration of Log4j, you are not affected, and no action is needed. However, if you have ever customized the configuration of Log4j to work with JMS Appenders, please disable them by following the mitigation described by Atlassian.

As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.
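One way to check whether a customized configuration declares JMS Appenders, as an added example (not bitvoodoo's or Atlassian's code). It assumes the Log4j 1.x properties format with `=` separators and the appender class `org.apache.log4j.net.JMSAppender`; the sample configuration and the function names are constructed for illustration.

```python
import re

JMS_CLASS = "org.apache.log4j.net.JMSAppender"  # Log4j 1.x JMS appender class

# Constructed sample, not a real Confluence or Jira configuration.
SAMPLE = """\
# constructed sample
log4j.rootLogger=WARN, confluencelog, \\
    jmsaudit
log4j.appender.confluencelog=org.apache.log4j.RollingFileAppender
#log4j.appender.oldjms=org.apache.log4j.net.JMSAppender
log4j.appender.jmsaudit=org.apache.log4j.net.JMSAppender
log4j.appender.jmsaudit.TopicBindingName=topic/audit
log4j.appender.spare=org.apache.log4j.net.JMSAppender
"""

def logical_lines(text):
    """Yield (first_line_no, joined_text), skipping comments and joining '\\' continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None and (not line or line[0] in "#!"):
            continue  # blank line or comment; commented-out appenders are inactive
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:
        yield start, buf

def find_jms_appenders(text):
    """Return {name: {"line": n, "referenced": bool}} for active JMSAppender definitions."""
    appenders, refs = {}, set()
    for no, line in logical_lines(text):
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_CLASS:
            appenders[m.group(1)] = no
        elif key == "log4j.rootLogger" or key.startswith(("log4j.logger.", "log4j.category.")):
            # Logger values have the form "LEVEL, appender1, appender2".
            refs.update(part.strip() for part in value.split(",")[1:])
    return {n: {"line": no, "referenced": n in refs} for n, no in appenders.items()}

if __name__ == "__main__":
    for name, info in find_jms_appenders(SAMPLE).items():
        print(f"line {info['line']}: JMS appender '{name}' (attached to a logger: {info['referenced']})")
```

An appender reported with `referenced` set to true is attached to a logger and is the first one to disable; one that is declared but unattached is still worth removing from the file.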
Further Reading