bitvoodoo Advisories
Space shortcuts
Space Tools
bitvoodoo Advisories BVADVIS

Versions Compared

Old Version 34

changes.mady.by.user Unknown User (niklas.becker@bitvoodoo.ch)

Saved on

compared with

New Version 35

changes.mady.by.user Unknown User (niklas.becker@bitvoodoo.ch)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.




English

Contents


German

Inhalte


Table of Contents


Page properties


Date

 

Product
  • Apache Log4j 2
VulnerabilityNot applicable 
CVECVE-2021-44228, CVE-2021-45046
Official link Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228



Advanced Panelbox
titleAlignmentleft
id4
titleLog4Shell Information - Products and hosting
titleIconbvicon-info-circled

Looking for information about Atlassian products and bitvoodoo hostings? Look here.



English

Dear customer,

On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2. Atlassian issued their own Security Advisory on 13th December.

What you need to know

A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java. This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j. 

bitvoodoo apps

Data Center and Server

AppStatusExplanation
Paid Apps
Viewtracker - Analytics for Confluence

Status
colourGreen
titleNot vulnerable

We do not use lookup and Confluence uses an old version of Log4j that is not affected.










Navitabs - Tabs for Confluence

Status
colourGreen
titleNot vulnerable

Advanced Panelboxes for Confluence

Status
colourGreen
titleNot vulnerable

Translations for Confluence

Status
colourGreen
titleNot vulnerable

Chat for Confluence

Status
colourGreen
titleNot vulnerable

Enterprise Theme for Confluence

Status
colourGreen
titleNot vulnerable

Templates for Blog Posts for Confluence

Status
colourGreen
titleNot vulnerable

Redirect for Confluence

Status
colourGreen
titleNot vulnerable

Content Scheduler for Confluence

Status
colourGreen
titleNot vulnerable

Advanced Search for Confluence

Status
colourGreen
titleNot vulnerable

Attachment Tracking for Confluence

Status
colourGreen
titleNot vulnerable

Search Analytics for Confluence

Status
colourGreen
titleNot vulnerable

Custom Field Option Synchroniser

Status
colourGreen
titleNot vulnerable

Even though we use lookup of jndi for data sources, we use a static predefined prefix that contains "java:". This prevents other protocols from being used.
Free and Labs Apps
Congrats for Confluence

Status
colourGreen
titleNot vulnerable

We do not use lookup and Confluence uses an old version of Log4j that is not affected.
Label Scheduler for Confluence

Status
colourGreen
titleNot vulnerable

Macro Documentation for Confluence

Status
colourGreen
titleNot vulnerable

SBB Widgets for Confluence

Status
colourGreen
titleNot vulnerable

Viewtracker Supplier

Status
colourGreen
titleNot vulnerable

Label Fixer

Status
colourGreen
titleNot vulnerable

Cloud

AppStatusExplanation

Viewtracker - Analytics for Confluence

Status
colourGreen
titleNot vulnerable

Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See Log4J2 Vulnerability and Spring Boot

Navitabs - Tabs for Confluence

Status
colourGreen
titleNot vulnerable

Advanced Panelboxes for Confluence

Status
colourGreen
titleNot vulnerable

Translations for Confluence

Status
colourGreen
titleNot vulnerable

What should I do?

Regarding our apps there is no need action is needed. If you are using the default configuration of Log4j or are on Atlassian Cloud, you are not affected (with the exception of Bitbucket). If you have ever customized the configuration of Log4j on your Atlassian on-premise installation to work with JMS Appenders, please disable them by following the mitigation described by Atlassian.

As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.

Further Reading

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.


German

Dear customer,

On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2. Atlassian issued their own Security Advisory on 13th December.

What you need to know

A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java. This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j. 

bitvoodoo apps

Data Center and Server

AppStatusExplanation
Paid Apps
Viewtracker - Analytics for Confluence

Status
colourGreen
titleNot vulnerable

We do not use lookup and Confluence uses an old version of Log4j that is not affected.










Navitabs - Tabs for Confluence

Status
colourGreen
titleNot vulnerable

Advanced Panelboxes for Confluence

Status
colourGreen
titleNot vulnerable

Translations for Confluence

Status
colourGreen
titleNot vulnerable

Chat for Confluence

Status
colourGreen
titleNot vulnerable

Enterprise Theme for Confluence

Status
colourGreen
titleNot vulnerable

Templates for Blog Posts for Confluence

Status
colourGreen
titleNot vulnerable

Redirect for Confluence

Status
colourGreen
titleNot vulnerable

Content Scheduler for Confluence

Status
colourGreen
titleNot vulnerable

Advanced Search for Confluence

Status
colourGreen
titleNot vulnerable

Attachment Tracking for Confluence

Status
colourGreen
titleNot vulnerable

Search Analytics for Confluence

Status
colourGreen
titleNot vulnerable

Custom Field Option Synchroniser

Status
colourGreen
titleNot vulnerable

Even though we use lookup of jndi for data sources, we use a static predefined prefix that contains "java:". This prevents other protocols from being used.
Free and Labs Apps
Congrats for Confluence

Status
colourGreen
titleNot vulnerable

We do not use lookup and Confluence uses an old version of Log4j that is not affected.
Label Scheduler for Confluence

Status
colourGreen
titleNot vulnerable

Macro Documentation for Confluence

Status
colourGreen
titleNot vulnerable

SBB Widgets for Confluence

Status
colourGreen
titleNot vulnerable

Viewtracker Supplier

Status
colourGreen
titleNot vulnerable

Label Fixer

Status
colourGreen
titleNot vulnerable

Cloud

AppStatusExplanation

Viewtracker - Analytics for Confluence

Status
colourGreen
titleNot vulnerable

Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See Log4J2 Vulnerability and Spring Boot

Navitabs - Tabs for Confluence

Status
colourGreen
titleNot vulnerable

Advanced Panelboxes for Confluence

Status
colourGreen
titleNot vulnerable

Translations for Confluence

Status
colourGreen
titleNot vulnerable

What should I do?

Regarding our apps there is no need action is needed. If you are using the default configuration of Log4j or are on Atlassian Cloud, you are not affected (with the exception of Bitbucket). If you have ever customized the configuration of Log4j on your Atlassian on-premise installation to work with JMS Appenders, please disable them by following the mitigation described by Atlassian.

As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.

Further Reading

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.


bitvoodoo Advisories BVADVIS