Dear customer,

On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2. Atlassian issued their own Security Advisory on 13th December.

What you need to know

A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java. This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j. 

bitvoodoo apps

Data Center and Server

App	Status	Explanation
Paid Apps
Viewtracker - Analytics for Confluence	Status colour Green title Not vulnerable	We do not use lookup and Confluence uses an old version of Log4j that is not affected.
Navitabs - Tabs for Confluence	Status colour Green title Not vulnerable
Advanced Panelboxes for Confluence	Status colour Green title Not vulnerable
Translations for Confluence	Status colour Green title Not vulnerable
Chat for Confluence	Status colour Green title Not vulnerable
Enterprise Theme for Confluence	Status colour Green title Not vulnerable
Templates for Blog Posts for Confluence	Status colour Green title Not vulnerable
Redirect for Confluence	Status colour Green title Not vulnerable
Content Scheduler for Confluence	Status colour Green title Not vulnerable
Advanced Search for Confluence	Status colour Green title Not vulnerable
Attachment Tracking for Confluence	Status colour Green title Not vulnerable
Search Analytics for Confluence	Status colour Green title Not vulnerable
Custom Field Option SnychronizerSynchroniser	Status colour Green title Not vulnerable	Even though we use lookup of jndi for datasourcesdata sources, we use a static predefined prefix which that contains "java:" which . This prevents other protocols to be used.from being used.
Free and Labs Apps
Congrats for Confluence	Status colour Green title Not vulnerable	We do not use lookup and Confluence uses an old version of Log4j that is not affected.
Label Scheduler for Confluence	Status colour Green title Not vulnerable
Macro Documentation for Confluence	Status colour Green title Not vulnerable
SBB Widgets for Confluence	Status colour Green title Not vulnerable
Viewtracker Supplier	Status colour Green title Not vulnerable
Label Fixer	Status colour Green title Not vulnerable

Cloud

What should I do?

Regarding our apps there is no need for action. If you are using the default configuration of Log4j or are on Atlassian Cloud, you are not affected , no action is needed. Should you ever have (with the exception of Bitbucket). If you have ever customized the configuration of Log4j on your Atlassian on-premise installation to work with JMS Appenders, please disable them by following the mitigation described by Atlassian.

As we can't cannot speak for other app vendors, we cannot be certain sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.

Further Reading

• Original publication by LunaSec  
• CVE-2021-44228  
• Atlassian FAQ for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.