bitvoodoo Advisories
Space shortcuts
Space Tools
bitvoodoo Advisories BVADVIS

Versions Compared

Old Version 19

changes.mady.by.user Unknown User (niklas.becker@bitvoodoo.ch)

Saved on

compared with

New Version 23

changes.mady.by.user Unknown User (niklas.becker@bitvoodoo.ch)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.



Page properties


Date

 

Product
  • Bamboo Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Fisheye / Crucible
  • Jira Service Management Server and Data Center
  • Jira Software Server and Data Center (including Jira Core)
  • Apache Log4j 2
Vulnerability

Critical

Official linkMultiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228




English

Dear customer,

On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2.

Update : Atlassian put out a Security Advisory for this exploit under Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

Update : Atlassian updated the Security Advisory to inform about a finding that shows that some Bitbucket Versions are affected. We created a info page on Bitbucket under Bitbucket Security Advisory - 2021-12-16

What you need to know

A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java.

This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j.

Atlassian products

On Monday 13th December, Atlassian put out a Security Advisory for this exploit underMultiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

Bitbucket Server & Data Center

Warning

Please refer to Bitbucket Security Advisory - 2021-12-16

Bitbucket Server & Data Center is not vulnerable to CVE-2021-44228. However Elasticsearch has advised that while they’re not affected by Remote Code Execution, information leakage is a potential impact as per Elastic security advisory ESA-2021-31. Please refer the table below to determine if action is required to mitigate the risk of information leakage:

All other Server & Data Center Products

Tip

Most

Data Center & Server

Tip

Atlassian on-premise applications use an outdated version of Log4j and are not affected.

Some self managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. 

 Cloud


Cloud Products

Tip

Atlassian secured their cloud products and has not identified compromised systems. The on-demad applications and are not affected.

This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j. To date, our analysis has not identified compromise of Atlassian systems or customer data prior to the patching of these systems. Atlassian customers are not vulnerable, and no action is required.


What should I do?

Warning

This refers to all products except for Bitbucket, if you use bitbucked Server or Data Center, please refer to Bitbucket Security Advisory - 2021-12-16


Localtab Group


Localtab
activetrue
titleself-hosted
tabIconbvicon-server

You host your application yourselfyourself 

If you have never customized the settings of Log4j inside the Atlassian installation, you are on the safe side. As your Atlassian application uses the default configuration of Log4j, you are not affected by the exploit.

If you have set Log4j to work with JMS Appenders or are unsure, follow the instructions "How can I mitigate this exploit?" in the FAQ for CVE-2021-44228.

Third-party apps can still pose a risk. Atlassian is reviewing all apps and informs the vendors it the find a security risk. We cannot determine whether there is a risk in this respect in your installation. As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.

We have checked our bitvoodoo apps and found them to be risk-free. You can find more information about our apps here: Log4Shell - bitvoodoo apps - 2021-12-13

Please contact our support if you need assistance.


Localtab
titlebitvoodoo cloud
tabIconbvicon-cloud

Your application is hosted with bitvoodoo

We have checked our installations according to the information in the FAQ. The installations have no configurations that could lead to misuse. As your Atlassian application uses the default configuration of Log4j, you are not affected by the exploit.

Third-party apps can still pose a risk. Atlassian is reviewing all apps and informs the vendors it the find a security risk. We cannot determine whether there is a risk in this respect in your installation. As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.

We have checked our bitvoodoo apps and found them to be risk-free. You can find more information about our apps here: Log4Shell - bitvoodoo apps - 2021-12-13

Please contact our support if you need assistance.


Localtab
titleAtlassian cloud
tabIconbvicon-cloud

You use Confluence or Jira Cloud

Atlassian secured their cloud products and has not identified compromised systems.

This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j. To date, our analysis has not identified compromise of Atlassian systems or customer data prior to the patching of these systems. Atlassian customers are not vulnerable, and no action is required.

No steps needed.


Further Recommendation

Please check all Java based software, beside Atlassian products, running in your organisation as this is a serious security risk.

Further Reading

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.


German

Sehr geehrte Kunden,

am Donnerstag, den 9. Dezember, haben Entwickler und Sicherheitsforscher eine Sicherheitslücke in Apache Log4j 2 entdeckt.

Update : Atlassian hat ein Security Advisory für diese Schwachstelle veröffentlicht unter Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

Update : Atlassian hat das Security Advisory aktualisiert, um über einen Fund zu informieren, der zeigt, dass einige Bitbucket-Versionen betroffen sind. Wir haben eine Seite für Bitbucket erstellt unter  Bitbucket Security Advisory - 2021-12-16

Was Sie wissen müssen

In Apache Log4j 2 wurde eine Sicherheitslücke entdeckt. Log4j ist ein beliebtes Protokollierungspaket für Java.

Es handelt sich um ein Sicherheitsproblem, das eine breite Palette von Software betrifft, die auf Java basiert. Atlassian-Produkte wie Jira und Confluence laufen auf Java und nutzen ebenfalls Log4j.


Atlassian-Produkte

Bitbucket Server & Data Center

Warning

Please refer to Bitbucket Security Advisory - 2021-12-16

Bitbucket Server & Data Center is not vulnerable to CVE-2021-44228. However Elasticsearch has advised that while they’re not affected by Remote Code Execution, information leakage is a potential impact as per Elastic security advisory ESA-2021-31. Please refer the table below to determine if action is required to mitigate the risk of information leakage:

All other Server & Data Center Products

Tip

Die meisten

Am Montag, den 13. Dezember hat Atlassian ein Security Advisory zu diesem Exploit veröffentlicht unter Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

Data Center & Server

Tip

Atlassian On-Premise-Anwendungen verwenden eine veraltete Version von Log4j und sind daher nicht betroffen.

Some self managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. 


Cloud Produkte

Tip

Atlassian hat die Cloud Produkte abgesichert und konnte keine kompromittierten Systeme feststellen. Die On-Demad-Anwendungen sind nicht betroffen.

This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j. To date, our analysis has not identified compromise of Atlassian systems or customer data prior to the patching of these systems. Atlassian customers are not vulnerable, and no action is required.


Was soll ich unternehmen?

Warning

This refers to all products except for Bitbucket, if you use bitbucked Server or Data Center, please refer to Bitbucket Security Advisory - 2021-12-16


Localtab Group


Localtab
activetrue
titleself-hosted
tabIconbvicon-server

Sie hosten Ihre Anwendung selbst

Wenn Sie die Einstellungen von Log4j innerhalb der Atlassian-Installation nie angepasst haben, sind Sie auf der sicheren Seite. Da Ihre Atlassian-Anwendung die Standardkonfiguration von Log4j verwendet, sind Sie von dem Exploit nicht betroffen.

Sollten Sie Log4j so eingestellt haben, dass es mit JMS-Appendern arbeitet, oder Sie sich nicht ganz sicher sind, folgen Sie der Anleitung "How can I mitigate this exploit?" in der FAQ for CVE-2021-44228.

Apps von Drittanbietern können dennoch ein Risiko darstellen. Atlassian prüft aktuell alle Apps und informiert die Anbieter, wenn sie ein Sicherheitsrisiko feststellen. Wir können nicht feststellen, ob bei Ihrer Installation ein diesbezügliches Risiko besteht. Da wir nicht für andere Anbieter von Apps sprechen können, können wir nicht sicher sein, dass diese sicher sind. Möglicherweise müssen Sie sich mit anderen Atlassian Marketplace-Anbietern in Verbindung setzen, kontaktieren Sie unseren Support, wenn Sie Hilfe benötigen.

Wir haben unsere bitvoodoo-Apps geprüft und für risikofrei befunden. Mehr Informationen über unsere Apps finden Sie hier:  Log4Shell - bitvoodoo apps - 2021-12-13


Localtab
titlebitvoodoo cloudCloud
tabIconbvicon-cloud

Ihre Anwendung wird bei bitvoodoo gehostet

Unsere Installationen wurden gemäss den Angaben in der FAQ überprüft und weisen keine Konfigurationen auf, die zu einem Missbrauch führen könnten. Da Ihre Atlassian-Anwendung die Standardkonfiguration von Log4j verwendet, sind Sie von dem Exploit nicht betroffen.

Apps von Drittanbietern können dennoch ein Risiko darstellen. Atlassian prüft aktuell alle Apps und informiert die Anbieter, wenn sie ein Sicherheitsrisiko feststellen. Wir können nicht feststellen, ob bei Ihrer Installation ein diesbezügliches Risiko besteht. Da wir nicht für andere Anbieter von Apps sprechen können, können wir nicht sicher sein, dass diese sicher sind. Möglicherweise müssen Sie sich mit anderen Atlassian Marketplace-Anbietern in Verbindung setzen, kontaktieren Sie unseren Support, wenn Sie Hilfe benötigen.

Wir haben unsere bitvoodoo-Apps geprüft und für risikofrei befunden. Mehr Informationen über unsere Apps finden Sie hier:  Log4Shell - bitvoodoo apps - 2021-12-13


Localtab
titleAtlassian cloudCloud
tabIconbvicon-cloud

Sie verwenden Confluence oder Jira Cloud

Atlassian hat die Cloud Produkte abgesichert und konnte keine kompromittierten Systeme feststellen

This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j. To date, our analysis has not identified compromise of Atlassian systems or customer data prior to the patching of these systems. Atlassian customers are not vulnerable, and no action is required.

Keine Aktionen notwendig.



Weitergehende Empfehlung

Bitte überprüfen Sie alle Java-basierte Software, die in Ihrer Organisation betrieben wird, da Log4Shell ein ernstes Sicherheitsrisiko darstellt.

Weitere Informationen zum Thema

Support

Wenn Sie noch Fragen oder Bedenken zu diesem Advisory haben, wenden Sie sich bitte an den bitvoodoo Support via support.bitvoodoo.ch.



bitvoodoo Advisories BVADVIS