Information for Support Customers
Atlassian Cloud is not affected by CVE-2021-44228.
Atlassian Server and Data Center are potentially endangered if a non-default configuration is in place.
Prerequisite software, Elasticsearch – used by Bitbucket Server and Data Center – may be vulnerable.
A related vulnerability, CVE-2021-45046, was discovered on . The Atlassian security team has not identified any vulnerable configurations in use by Atlassian products or services. Please find more information in the FAQ CVE-2021-44228 and CVE-2021-45046.
Atlassian Cloud
Atlassian Cloud is not affected. Atlassian Cloud Customers are not vulnerable, and no action is required. This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j.
Atlassian On-Premise (Server and Data Center)
Atlassian’s security team has stated that no Atlassian on-premise products are vulnerable to CVE-2021-44228.
However, some on-premise products use an Atlassian-maintained fork of Log4j 1.2.17. Although this fork is not vulnerable to CVE-2021-44228, the Atlassian security team's additional analysis of it has confirmed a new but similar vulnerability that can only be exploited by a trusted party.
For that reason, Atlassian rates the severity level for on-premise products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:
The JMS Appender is configured in the application's Log4j configuration.
The javax.jms API is included in the application's CLASSPATH.
The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by trusted users who modify the application's configuration, or by trusted code setting a property at runtime.
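As an added example (not part of this advisory and not Atlassian's own tooling), the following Python script reads a Log4j 1.x log4j.properties file and reports every appender of class org.apache.log4j.net.JMSAppender, its JNDI-related settings (ProviderURL, InitialContextFactoryName, TopicBindingName) and which loggers actually use it, which covers the first and the third condition above. The embedded configuration is a constructed sample with placeholder host and factory names, not an Atlassian file; the CLASSPATH check for javax.jms has to be done separately against the deployed application.

```python
import re

# Log4j 1.x class name of the JMS Appender referred to in the conditions above.
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

def parse_properties(text):
    # Minimal reader for log4j.properties: key=value or key:value, '#'/'!' comments.
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def _appenders_of(logger_value):
    # "WARN, console, jms" -> ["console", "jms"]; the first token is the level.
    return [p.strip() for p in logger_value.split(",")][1:]

def find_jms_appenders(props):
    # Map each JMSAppender name to its JNDI settings and to the loggers that use it.
    findings = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value != JMS_APPENDER_CLASS:
            continue
        name = m.group(1)
        prefix = f"log4j.appender.{name}."
        settings = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
        attached = [k for k, v in props.items()
                    if (k in ("log4j.rootLogger", "log4j.rootCategory")
                        or k.startswith(("log4j.logger.", "log4j.category.")))
                    and name in _appenders_of(v)]
        findings[name] = {"settings": settings, "attached_to": attached}
    return findings

# Constructed sample (not an Atlassian configuration): the root logger writes to a
# JMS appender whose JNDI provider is an external broker (placeholder names).
SAMPLE = """\
log4j.rootLogger=WARN, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.jndi.InitialContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.invalid:61616
log4j.appender.jms.TopicBindingName=logTopic
"""
```

Run `find_jms_appenders(parse_properties(open("log4j.properties").read()))` against a real file; an empty result means no JMS Appender is configured, and a non-empty `attached_to` list means the appender is actually in use.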
The following products use the Atlassian-maintained fork of Log4j 1.2.17:
Bamboo Server and Data Center
Confluence Server and Data Center
Crowd Server and Data Center
Fisheye / Crucible
Jira Server and Data Center
Bitbucket
Prerequisite software, Elasticsearch – used by Bitbucket Server and Data Center – may be vulnerable to CVE-2021-44228.
Some Bitbucket versions included an unused log4j-core component which has been removed in the latest update.
Read the section “Impact On Self-Managed Products” on Atlassian Security Advisory - Log4j CVE-2021-44228.
Please check this Security Advisory - Log4j - CVE-2021-44228 | Atlassian Support for more details.
Atlassian Marketplace Apps
Please note that Atlassian Marketplace Apps may also be affected.
The information published by Atlassian relates only to Atlassian software.
We are expecting Marketplace vendors to provide updates soon on how this affects their individual apps. We will try to maintain an up-to-date overview of other vendors' updates on this page.
What You Should Do Now
Follow Atlassian’s instructions in Security Advisory - Log4j - CVE-2021-44228 | Atlassian Support.
We have also created this article to help you check the log4j.properties.
Please do not forget to follow this update log.
Operations and Remote Enterprise Support customers
We have checked your individual situation and have taken measures where necessary.
Application Support customers
You have the operational responsibility for your Atlassian installation.
Our team will not actively take any measures without your prior written instruction. If you need help with any of the tasks involved, please create a ticket in the services portal.