Dear customer,
On Thursday, 9 December, developers and security researchers disclosed a security vulnerability in Apache Log4j 2.
What you need to know
A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java.
This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j.
Atlassian products
Atlassian on-premise applications use an outdated version of Log4j and are therefore not affected.
As of now, Atlassian has issued no full Security Advisory. On 10 December Atlassian published a FAQ for this vulnerability at https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
Data Center & Server
Our Security team is currently investigating the impact of the Log4j remote code execution vulnerability (CVE-2021-44228) and determining any possible impact on our on-premise products.
So far, we do not believe our on-premises products are vulnerable to exploitation in their default configuration. However, if you have modified the default logging configuration (log4j.properties) to enable the JMS Appender functionality, remote code execution may be possible in the following products (Bitbucket Server & Data Center are not affected):
- Jira Server & Data Center
- Confluence Server & Data Center
- Bamboo Server & Data Center
- Crowd Server & Data Center
- Fisheye
- Crucible
Our installations have been checked according to the information in the FAQ and contain no configuration that could lead to misuse.
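The condition from the FAQ (a log4j.properties that has been modified to enable the JMS Appender) can be checked mechanically. The following script is an added example, not code from bitvoodoo or Atlassian; it assumes the log4j 1.x-style properties layout (log4j.appender.NAME=class, log4j.rootLogger=LEVEL, NAME, ...) and runs against a constructed sample configuration, reporting each JMSAppender definition together with the loggers that actually attach it.

```python
"""Scan a log4j 1.x-style log4j.properties for an enabled JMS Appender.

Added example, not bitvoodoo's or Atlassian's own code. It assumes the
Java .properties syntax ('#' or '!' comments, key=value / key:value /
key value, backslash line continuation) and the log4j 1.x key layout:
    log4j.appender.NAME=<appender class>
    log4j.rootLogger=LEVEL, NAME[, NAME...]
    log4j.logger.<category>=LEVEL, NAME[, NAME...]
An appender is reported when its class is a JMSAppender; the report also
lists which loggers attach it, because a defined-but-unused appender is a
cleanup item rather than an active exposure.
"""
import re
import sys
from typing import Dict, List

APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.]+)$")
LOGGER_KEY = re.compile(r"^log4j\.(rootLogger|rootCategory|logger\..+|category\..+)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser; later keys overwrite earlier ones."""
    props: Dict[str, str] = {}
    pending = ""
    continuing = False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        # A trailing unescaped backslash joins the next line to this one.
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]
            continuing = True
            continue
        pending += line
        continuing = False
        m = re.match(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$", pending)
        if m:
            props[m.group(1)] = m.group(2).strip()
        pending = ""
    return props


def find_jms_appenders(props: Dict[str, str]) -> List[dict]:
    """Return one finding per appender whose class is a JMSAppender."""
    jms: Dict[str, str] = {}
    for key, value in props.items():
        m = APPENDER_KEY.match(key)
        if m and value.split(".")[-1] == "JMSAppender":
            jms[m.group(1)] = value
    findings = []
    for name, cls in sorted(jms.items()):
        attached = sorted(
            key for key, value in props.items()
            if LOGGER_KEY.match(key)
            # First comma-separated element is the level; the rest are appender names.
            and name in [p.strip() for p in value.split(",")[1:]]
        )
        findings.append({"appender": name, "class": cls, "attached_to": attached})
    return findings


# Constructed sample: stock-style console/file appenders plus a JMS appender
# that someone added by hand (the modification the FAQ warns about).
CUSTOMISED_CONFIG = """\
log4j.rootLogger=WARN, console, filelog
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.filelog=org.apache.log4j.RollingFileAppender
log4j.appender.filelog.File=logs/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=\\
    ConnectionFactory
log4j.logger.com.example.audit=INFO, jms
"""

# Constructed sample of an unmodified configuration (no JMS appender).
DEFAULT_CONFIG = """\
log4j.rootLogger=WARN, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
"""


def check_files(paths: List[str]) -> int:
    """Print findings for each file; return 1 if any JMSAppender is configured."""
    worst = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = find_jms_appenders(parse_properties(fh.read()))
        for f in findings:
            worst = 1
            attached = ", ".join(f["attached_to"]) or "(not attached to any logger)"
            print(f"{path}: appender '{f['appender']}' is {f['class']}; used by: {attached}")
    return worst


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_files(sys.argv[1:]))
    print(find_jms_appenders(parse_properties(CUSTOMISED_CONFIG)))
```

Run it with the path(s) of the log4j.properties files in your installation; a non-zero exit code means a JMSAppender is defined, which is the case the FAQ tells you to review. Without arguments it demonstrates the check on the constructed sample.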
Third-party apps can pose a risk. We cannot determine whether there is a risk in this respect in your installation. We have checked our own bitvoodoo apps and found them to be risk-free. You can find more information about our apps here: Log4Shell - bitvoodoo apps - 2021-12-13
What should I do?
As your Atlassian application uses the default Log4j configuration, you are not affected.
As we cannot speak for other app vendors, we cannot be certain that other apps are safe. You may need to get in touch with other Atlassian Marketplace vendors; contact our support if you need assistance.
Further Reading
Support
If you still have questions or concerns regarding this advisory, contact bitvoodoo support at support.bitvoodoo.ch.