Date	13 Dec 2021
Product	Log4j 2
Vulnerability	Not applicable
Official link	CVE-2021-44228

Dear customer,

On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2.

What you need to know

A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java.

This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j.

Atlassian products

Atlassian on-premise applications use an outdated version of Log4j and are not affected.

As of now, Atlassian issued no full Security Advisory. On 10th December, Atlassian put out a FAQ for this exploit under https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

bitvoodoo apps

Server and Data Center

App	Status	Explanation
Viewtracker - Analytics for Confluence		We do not use lookup and Confluence uses an old version of Log4j not affected.
Navitabs - Tabs for Confluence
Advanced Panelboxes for Confluence
Translations for Confluence
Chat for Confluence
Enterprise Theme for Confluence
Templates for Blog Posts for Confluence
Redirect for Confluence
Content Scheduler for Confluence
Advanced Search for Confluence
Attachment Tracking for Confluence
Search Analytics for Confluence
Custom Field Option Snychronizer		Even though we use lookup of jndi for datasources, we use a static predefined prefix that contains "java:". This prevents other protocols from being used.

Cloud

App	Status	Explanation
Viewtracker - Analytics for Confluence		Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
Navitabs - Tabs for Confluence
Advanced Panelboxes for Confluence
Translations for Confluence

What should I do?

If you are using the default configuration of Log4j, you are not affected, and no action is needed. However, if you have ever customized the configuration of Log4j to work with JMS Appenders, please disable them by following the mitigation described by Atlassian.

As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.