Skip to main content
Skip table of contents

Atlassian Marketplace Apps

On this page you will find information about Marketplace Apps for which an assessment of vulnerability CVE-2021-44228 has been published and our support team was able to retrieve from public sources or the vendor.

The information may be outdated or incomplete, so please always check the original source for the most up-to-date information.

Atlassian is also scanning and reviewing Data Center and Server apps. Atlassian has yet to discover apps developed by Atlassian that are vulnerable to CVE-2021-44228, however they have identified third-party apps that are vulnerable.

Each vulnerable Data Center or Server app will be given an expedited deadline. Data Center and Server apps that fail to address the vulnerability within this expedited time frame will be removed from the marketplace, then Atlassian will inform all customers who have vulnerable apps installed.

Vendor link to
Atlassian Marketplace

Note and/or vendor comment



  • Scroll Viewport for Cloud was affected. Update released on DEC 10, 2021 - 12pm CET.

  • Other Scroll Apps are not affected


Adaptavist's apps on the Atlassian Marketplace are not directly impacted by this issue and there are no actions needed to address the vulnerability.


Midori Apps are not affected

Service Rocket

Service Rocket Apps are not affected


  • Tempo Cloud is not at risk

  • Tempo on-prem does not use log4j


Innovalog apps are not impacted by the Log4J vulnerability


See comment #4

Can confirm that it has no impact on eazyBI


META-INF can confirm that for our apps Email this issue, Content Exporter anf ACDC are not affected. Email this issue uses the previous version of Log4j where this vulnerability is not present and the two other apps does not use Log4j.

Our Glass app uses the Log4j v2 in question, but not the aspect that is being exploited.

To be on the safe side this was be resolved by a hotfix recently.

Bug Watcher does not use Log4j, it is not affected in any way by the recent vulnerabilities.

customer support via ticket SD-16608

The Starware

Our add-on does not use Log4j directly we have no dependency to it.

In short, If your Jira is NOT vulnerable, our add-on is also NOT vulnerable.


The Read Confirmations / Plant UML for Confluence app not affected by the Log4Shell vulnerability.

Stilt Soft

Stiltsoft Cloud customers are not affected, and no action is required. Stiltsoft Cloud apps are not vulnerable. We use the framework in all our Cloud apps based on JVM.


Log4j remote code execution vulnerability (CVE-2021-44228)Based on our internal and the research done on Atlassian's side, our current position regarding the recent CVE in the Log4J JSM Appender is that our xApps are NOT affected on any platform. So there is no current need to take any actions to ensure security when using our xApps.

Digital Rose

Digital Rose has reviewed and confirmed that the eSign App is not vulnerable to the Log4J security issue (CVE-2021-44228). The implicated log4J library is not included in any client side or server side components.

ALM Works

We want to assure our customers that the recently discovered Apache Log4j vulnerability does not directly impact the Structure product family.


We don’t see any impact on any of our products.

  • Server/DC products rely Log4J on Jira’s provided library. 

  • We don’t use Log4J in cloud apps.


Gliffy is not affected by the Log4j vulnerability. Learn how Perforce is addressing the issue across other brands.


Our Elements On Premise apps are using Log4J library provided by Atlassian who confirmed in this FAQ for CVE-2021-44228 that their library is not vulnerable.

This vulnerabilities were mitigated for all Elements Cloud apps previously using the vulnerable version of Log4j.


We'd like to assure our customers that JSU app is not impacted by the Log4J vulnerability (CVE-2021-44228). Please refer to the Atlassian Support Documentation - FAQ for CVE-2021-44228 for latest details.

you must login to see the announcement


Our plugin(s) do not bundle any vulnerable versions of the log4j libraries and as such are not affected by the CVE.

Bobswift (Appfire)

We'd like to assure you that most Bob Swift apps are not impacted by the Log4J vulnerability (CVE-2021-44228).

In specific

We would like to inform you that none of the mentioned Bobswift apps are impacted by the mentioned log4shell vulnerability, and you can continue using the apps.

  • Advanced Tables for Confluence

  • Confluence Command Line Interface

  • Jira Command Line Interface

  • Run Self-Service Reports for Confluence

  • Reports and Timesheets for the Jira

  • SQL for Confluence

  • Table library for Bobswift addons

customer support via ticket-8902


We have so far processed the following apps and can confirm that they are not affected by the vulnerability.

Seibert Media /

Seibert Media apps from Atlassian's Marketplace including all joint venture apps.

Data Center and Server Apps

  • Not affected. No action is required.

Cloud Apps

  • Not affected. No action is required


When using Refined, the Refined apps in turn are using log4j via the bundled version included in Jira/Confluence. This means that Refined cannot impact what is being used as Refined accesses it via Atlassian. for CVE-2021-44228%2C log4j

Anova Apps

We would like to inform you that the app SIL Engine for Power Suite, SIL Excel Reporting, SIL Groovy Connector, SIL TableGrid Next Generation Connector, SIL Tempo Connector is not impacted by the mentioned log4shell vulnerability, and you can continue using the app.

customer support via ticket CADS-10591 

Lively Apps

We assessed all of our apps in the Atlassian Marketplace and none of our Server, Data Center or Cloud apps are affected by CVE-2021-44228.


…that our apps are not impacted by this issue. Our Cloud apps do not use Log4J, and our Server/Data Center apps use a version of Log4J that is not affected by the vulnerability.

customer support via ticket SUPPORT-12848

Actonic GmbH

After a careful review by our experienced IT security experts, we can give you a definite all-clear at this point. We are sure that Log4Shell does not impact our products at all.

Actonic via Newsletter (16 DEC 2021)

Akeles Consulting

We have verified that we do not bundle the Log4j library in our Jira/Confluence apps. We are using the Log4j library that is provided by Jira/Confluence. Hence we are safe.


We have received many support requests asking us if our #Jira Apps were impacted by the log4j vulnerability. The answer is NO ☺️ If you are using @Atlassian products, check the security advisory (link in comment).

via Twitter


The results of our investigation is that Exalate is NOT affected by this vulnerability as Exalate is using ch.qos.logback on all Exalate products (except for Exalate for Jira On Premise)

There might be a risk for 'Exalate for Jira On Premise', which is using the logging framework provided by Jira.
Atlassian confirmed here that Jira itself is not vulnerable but the advice is to check for '' in the file.

Redmoon Software

None of our Server or Data Center apps have their own logger.  They all use the default Jira/Confluence logger.  Any changes you make to Jira/Confluence, regarding this vulnerability, will automatically be applied to our apps.
Our cloud apps do NOT use Log4J


All Utoolity Server apps use the SLF4J facade as provided by the respective Atlassian host product via OSGi and do not introduce Log4j on their own. They would thus only be indirectly affected if the Atlassian host product uses a vulnerable version of Log4j – this does not seem to be the case by default, see the Atlassian FAQ for CVE-2021-44228 for details.

All Utoolity Cloud apps do not use Log4j and are thus not affected.

Easy Agile

We completed an assessment of our Data Center and Server apps. We do not bundle log4j and so our apps are not impacted by CVE-2021-44228. We rely entirely on the logging facility provided by Atlassian Jira which they have indicated is not subject to CVE-2021-44228.

Our cloud services are not written in Java and so are not impacted by CVE-2021-44228.

customer support via ticket RS-15530

Mirrorlake Software

We confirm that none of our apps (Pivot Charts, Plan Chart2D and Excel Importer) in all available deployment option (Server, Datacenter, Cloud) are not affected by log4j vulnerability issue (CVE-2021-44228).

Log4j packages are not being included in our app.


Our server/dc apps were not affected and cloud apps were patched immediately the vulnerability got published.

Mohami (Appfire)

We'd like to assure our customers that patches have been made for the Mohami apps impacted by the Log4J vulnerability (CVE-2021-44228).


We do not bundle a version of Log4j in any of our apps. Our apps use the one provided by the respective Atlassian application. Therefore, our apps are not affected by CVE-2021-44228.

customer support via ticket SUPPORT-369


We have looked into the issue outlined by the "CVE-2021-44228" zero-day vulnerability. Specifically the Log4j library in question, and we have concluded that it poses no danger to any of our products.

While we do use the library, the vulnerability is only present in 2.x.x versions. All our products, including the SAML SSO for Jira add-on, use the fork of 1.x.x versions of the library which is not vulnerable to CVE-2021-44228.

customer support via ticket MOHELP-2675


we've already scanned all our apps to verify if they can be affected by the vulnerability found in Log4J … we use loggers covered by Log4j, nevertheless, it is Jira provided. As mentioned in their official announcement (here), Jira is not impacted, therefore, I’d like to confirm that the app itself is vulnerability-free.

In other words, the version we use depends on what version of Jira you are working on, but Atlassian has issued a statement that their versions are also not vulnerable, and therefore our applications are not.

customer support via ticket SUPPORT-53608

TMate Software

  • SVN Mirror add-on does not use log4j and is not affected by the vulnerability.

  • SubGit is not affected

Bolo Apps (Appfire)

We'd like to assure our customers that no Bolo Software apps have been impacted by the Log4J vulnerability (CVE-2021-44228).

Avisi B.V.

None of our listed marketplace apps are vulnerable in regards to CVE-2021-44228. The apps make use of the underlying logging infrastructure of the Atlassian host products.

None of our cloud apps are vulnerable in regards to CVE-2021-44228.

Artemis (Appfire)

We'd like to assure our customers that no Artemis apps have been impacted by the Log4J vulnerability (CVE-2021-44228).

Spartez (Appfire)

Agile Cards, it’s not affected by the security vulnerability of Apache Log4j2. 

customer support via ticket SUP-15153


We concluded that these OBSS products are NOT exposed to Log4Shell vulnerability.

You are not required to take any action specific to these products.

  • Jira Cloud: Time in Status

  • Jira Server/Data Center: Time in Status, Keychain - Delegation for Jira, Auto Plan Time for TEMPO, JQL Issue Select, User Property Manager, Jira Admin Tools, QLogger
    Worklog Sync

  • Confluence Server/DataCenter: Baselines for Confluence, Data Generator for Confluence

Affected Products

The products listed below are thought to be exposed to this vulnerability.

  • Jira Server/Data Center

    • Field Sync

    • Service Desk Reporter

If you are using at least one of these products, please follow the instructions in the following page: Security Advisory for Log4Shell vulnerability in OBSS apps on Jira Server and Jira Data Center


WBS Gantt-Chart for Jira Cloud is not affected by CVE-2021-44228.

WBS Gantt-Chart for Jira Server/Data Center is not dependent on Log4J version 2.x and is therefore not affected by CVE-2021-44228.


We are not using log4j so our apps including Space Hierarchy is not impacted by log4shell issue.

vendor support answer


All Xray/Xporter Server/DC and Cloud products and Xray Exploratory Testing (XEA) - Our investigation confirmed there are no exposed instances of the Apache Log4j library within the version range that contains this vulnerability. Therefore, the investigation confidently concludes all product versions are not impacted by the Apache Log4j vulnerability.


All apps are safe. Check source for detailed report.


JEditor is not affected by this vulnerability. JEditor uses Jira's logging facade which in turn uses Atlassian's fork of Log4j v1.2.x which is not vulnerable to CVE-2021-44228.


Rixter do not bundle a version of Log4j and use for their applications the one provided by the respective Atlassian application. Therefore Rixter are not affected by CVE-2021-44228

customer support via ticket RIX-48

Smart Bear

Please update the Capture for Jira plugin to the latest version we have fixed the same issue on the latest version.

customer support via ticket 00504447


We analyzed all of our apps that used log4j (Via the following link ) and the results are:

  • default configurations and Log4j 1.x were used. could not be found.

As a result, we can deduce that this vulnerability has no effect on our add-ons

customer support via ticket VS-915


Our stack is java-free so there is no room for this issue to surface in our apps.

vendor customer support via email Thu Jan 20 2022


All our Jira/Confluence apps including SuggestiMate rely on the log4j library supplied by the Jira/Confluence instance, so using them doesn't increase your clients' exposure to CVE-2021-44228.

vendor customer support via email Thu Jan 13 2022

Spectrum Groupe

We reassure that we used the library SLF4J version 1.6.6 which is the API of the log4j and it’s safe with respect to CVE-2021-44228 because the vulnerability exists from 2. x onwards.

customer support via ticket SAS-184

Köstebek Teknoloji

Our apps are not directly impacted by this issue. Our Server and Data Center products use the logging libraries provided by the host application and do not provide their own logging libraries.

For more information on this subject please consult the following link

customer support via ticket KSP-154


We are using the provided Log4j version that is shipped with the Atlassian host product in all our Server/DC products, and as such are only vulnerable to the CVEs to the extend that the Atlassian host product is vulnerable, and any mitigations applied to the host product will also mitigate our exposure.

customer support via ticket CS-662


Our apps are not affected by log4shell.

customer support via ticket CS-23

LB Consulting Group

Bulk Clone app is not affected since we base it on an earlier version 1.2

customer support via email Thu Jan 13 2022

updated , information can be outdated or incomplete * please always check original source

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.