Dear customer,

On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2.

What you need to know

A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java. This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j.

Atlassian products

On 13th December, Atlassian put out a Security Advisory for this exploit under Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228.

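bitvoodoo apps

| Server and Data Center App | Status | Explanation |
|---|---|---|
| Viewtracker - Analytics for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Navitabs - Tabs for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Advanced Panelboxes for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Translations for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Chat for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Enterprise Theme for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Templates for Blog Posts for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Redirect for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Content Scheduler for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Advanced Search for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Attachment Tracking for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Search Analytics for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Custom Field Option Synchroniser | | Even though we use lookup of jndi for data sources, we use a static predefined prefix that contains "java:". This prevents other protocols from being used. |
| Congrats for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Label Scheduler for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Macro Documentation for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| SBB Widgets for Confluence | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Viewtracker Supplier | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |
| Label Fixer | | We do not use lookup and Confluence uses an old version of Log4j that is not affected. |

| Cloud App | Status | Explanation |
|---|---|---|
| Viewtracker - Analytics for Confluence | | Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See Log4J2 Vulnerability and Spring Boot |
| Navitabs - Tabs for Confluence | | Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See Log4J2 Vulnerability and Spring Boot |
| Advanced Panelboxes for Confluence | | Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See Log4J2 Vulnerability and Spring Boot |
| Translations for Confluence | | Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See Log4J2 Vulnerability and Spring Boot |

What should I do?

If you are using the default configuration of Log4j, you are not affected, and no action is needed. However, if you have ever customized the configuration of Log4j to work with JMS Appenders, please disable them by following the mitigation described by Atlassian.

As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.
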
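To check whether a Log4j configuration was ever customized with JMS Appenders, the following added example (not bitvoodoo's or Atlassian's code) scans the text of a Log4j 1.x style `log4j.properties` file and reports each JMS appender together with the loggers that reference it. It assumes the properties format and the Log4j 1.x class name `org.apache.log4j.net.JMSAppender`; the function name and the sample configuration are constructed for illustration.

```python
import re

# Log4j 1.x JMS appender class. Assumption: the instance uses a Log4j 1.x
# properties file (the page only says "an old version of Log4j").
JMS_CLASS = "org.apache.log4j.net.JMSAppender"
APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*[=:]\s*(\S+)\s*$")
LOGGER_RE = re.compile(
    r"^log4j\.(rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)"
    r"\s*[=:]\s*(.*)$")


def find_jms_appenders(properties_text):
    """Return {appender_name: [loggers that reference it]} for JMS appenders."""
    appenders = {}   # appender name -> class name
    attached = {}    # appender name -> loggers that list it
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # commented-out entries are inactive
            continue
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = LOGGER_RE.match(line)
        if m:
            # Value is "LEVEL, appender1, appender2"; the first field is the level.
            names = [p.strip() for p in m.group(2).split(",")[1:]]
            for name in filter(None, names):
                attached.setdefault(name, []).append(m.group(1))
    return {name: attached.get(name, [])
            for name, cls in appenders.items() if cls == JMS_CLASS}


# Constructed sample configuration, not taken from any real instance.
SAMPLE = """\
log4j.rootLogger=WARN, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
#log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.logger.com.example.audit=INFO, jms
"""

if __name__ == "__main__":
    for name, loggers in find_jms_appenders(SAMPLE).items():
        state = "referenced by " + ", ".join(loggers) if loggers else "not referenced by a logger"
        print(f"JMS appender '{name}': {state}")
```
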
Further Reading