
Update Log

Please always follow original links and official vendor documentation. We cannot guarantee that information has not changed after publication of this log.

Date (unless specified, all time zones are CET) | Note | Reference

CVE-2021-44228 discovered

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Atlassian released general information

https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

5:30pm

Based on the FAQ, sent out a warning to all K15t support customers

  • check log4j property file

11:45pm UTC

Atlassian released a Security Advisory

Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

K15t set up this resources page

https://resources.k15t.com/log4shell-security-advisory

11:00am

ATTENTION

  • Please check the log4j property file

If you use Bitbucket, don’t forget to check Elasticsearch and modify the JVM option as described in the community link:

Per the guidance on Elastic's Website, you can protect your instance from this vulnerability by setting the below JVM option in Elasticsearch:

-Dlog4j2.formatMsgNoLookups=true

Community Information: Elastic search / log4j zero-day

6:10pm

Security Advisory sent out to all K15t customers (support and license)

  • Atlassian Cloud not affected

  • Server/Data Center may be affected if Log4j configuration modified

https://resources.k15t.com/log4shell-security-advisory/Information-for-Support-Customers.14104428586.html

https://resources.k15t.com/log4shell-security-advisory/Information-for-License-Customers.14104428577.html

5:30am

Second Log4j vulnerability published: CVE-2021-45046 (in addition to CVE-2021-44228)

  • Atlassian has not released any information yet

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

10am

UPDATED BELOW: Is Bitbucket vulnerable through Elasticsearch?

  • As we don’t have enough information yet, you might want to consider deactivating Elasticsearch in Bitbucket as a preliminary measure until more information is available

11:30am

Read Adaptavist’s evaluation about Script Runner:

Adaptavist's apps on the Atlassian Marketplace are not directly impacted by this issue and there are no actions needed to address the vulnerability.

Atlassian Marketplace Apps

12:10pm

  • Atlassian software is not vulnerable to CVE-2021-45046. Check details here: FAQ for CVE-2021-44228

  • Elasticsearch, used by Bitbucket Server & Data Center may be vulnerable to CVE-2021-44228. Some Bitbucket versions included an unused log4j-core component which has been removed in the latest update.
    Read the section “Impact On Self-Managed Products” on Atlassian Security Advisory - Log4j CVE-2021-44228
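The two Bitbucket/Elasticsearch items in this log (the JVM option quoted from Elastic's guidance and the unused log4j-core component) can be checked with a small audit script. This is an added example, not K15t's, Atlassian's or Elastic's code; it assumes the path of the Elasticsearch jvm.options file and the Elasticsearch home directory are passed as arguments, and the sample files used in the comments are constructed.

```shell
# Audit helper (added example, not vendor code).
# has_nolookups_flag FILE   -> returns 0 if an uncommented line in the
#                              jvm.options-style FILE sets the mitigation flag
# list_log4j_core_jars DIR  -> prints every log4j-core-*.jar below DIR so that
#                              unused copies can be verified or removed
# audit_elasticsearch FILE DIR -> combined report, returns 1 if the flag is missing

# A commented-out line ("# -Dlog4j2.formatMsgNoLookups=true") must not count,
# so the pattern requires the option at the start of an active line.
has_nolookups_flag() {
    grep -Eq '^[[:space:]]*-Dlog4j2\.formatMsgNoLookups=true([[:space:]]|$)' "$1"
}

# Print paths of log4j-core jars found under the directory (sorted for stable output).
list_log4j_core_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort
}

# One line per finding; exit status 1 means the JVM option still has to be added.
audit_elasticsearch() {
    jvm_opts="$1"
    es_home="$2"
    status=0
    if has_nolookups_flag "$jvm_opts"; then
        echo "OK: $jvm_opts sets -Dlog4j2.formatMsgNoLookups=true"
    else
        echo "MISSING: add -Dlog4j2.formatMsgNoLookups=true to $jvm_opts"
        status=1
    fi
    jars=$(list_log4j_core_jars "$es_home")
    if [ -n "$jars" ]; then
        echo "FOUND log4j-core jars under $es_home (verify version, remove if unused):"
        echo "$jars"
    else
        echo "OK: no log4j-core jars found under $es_home"
    fi
    return $status
}
```

The flag is the mitigation quoted above for CVE-2021-44228; Apache later documented that it does not cover CVE-2021-45046, so treat a passing check as a stop-gap and follow the vendor documentation linked on this page for the actual fix.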

Newly discovered Log4j-related vulnerabilities (see below).

  • CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution (critical)

  • CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1 (high)

  • CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x (high)

Atlassian has detected these vulnerabilities in both Jira Server and Confluence Server and is working on further analysis. We expect Atlassian to publish an official statement soon.
