
Update Log

Please always follow original links and official vendor documentation. We cannot guarantee that information has not changed since this log was published.

Unless specified, all time zones are CET



CVE-2021-44228 discovered

Atlassian released general information


Based on the FAQ, sent out a warning to all K15t support customers

  • Check the log4j properties file

11:45pm UTC

Atlassian released a Security Advisory

Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

K15t set up this resources page



  • Please check the log4j properties file

If you use Bitbucket, don’t forget to check Elasticsearch and modify the JVM option as described in the community link:

Per the guidance on Elastic's Website, you can protect your instance from this vulnerability by setting the below JVM option in Elasticsearch:


Community Information: Elastic search / log4j zero-day


Security Advisory sent out to all K15t customers (support and license)

  • Atlassian Cloud not affected

  • Server/Data Center may be affected if Log4j configuration modified


Second Log4j vulnerability published: CVE-2021-45046 (in addition to CVE-2021-44228)

  • Atlassian has not released any information yet


UPDATED BELOW: Is Bitbucket vulnerable through Elasticsearch?

  • As we don’t have enough information yet, you might want to consider deactivating Elasticsearch in Bitbucket as a preliminary measure until more information is available


Read Adaptavist’s evaluation about Script Runner:

Adaptavist's apps on the Atlassian Marketplace are not directly impacted by this issue and there are no actions needed to address the vulnerability.

Atlassian Marketplace Apps


  • Atlassian software is not vulnerable to CVE-2021-45046. Check details here: FAQ for CVE-2021-44228

  • Elasticsearch, used by Bitbucket Server & Data Center, may be vulnerable to CVE-2021-44228. Some Bitbucket versions included an unused log4j-core component which has been removed in the latest update.
    Read the section “Impact On Self-Managed Products” on Atlassian Security Advisory - Log4j CVE-2021-44228

Newly discovered Log4j-related vulnerabilities (see below).

  • CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution (critical)

  • CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1 (high)

  • CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x (high)

Atlassian has detected these vulnerabilities in both Jira and Confluence Server and is working on further analysis. We expect Atlassian to publish an official statement soon.
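The "check the log4j properties file" step from the entries above can be scripted for a Log4j 1.x style configuration. The following Python code is an added example, not K15t's or Atlassian's code. Which appender classes to flag is an assumption of this example (`org.apache.log4j.jdbc.JDBCAppender` is the JDBC Appender of CVE-2022-23305, `org.apache.log4j.net.JMSAppender` is Log4j 1.x's JMS appender), and the sample file content is constructed.

```python
import re

# Assumed list of classes to flag; the vendor advisory is authoritative.
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender",
    "org.apache.log4j.jdbc.JDBCAppender",  # JDBC Appender, CVE-2022-23305
}
APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.\s]+)$")
LOGGER_KEY = re.compile(r"^log4j\.(rootLogger|rootCategory|logger\..+|category\..+)$")
ENTRY = re.compile(r"([^=:\s]+)\s*[=:\s]\s*(.*)")

def parse_properties(text):
    """Yield (line_no, key, value) for active entries; comments are skipped."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#!":
                continue
            start = no
        if line.endswith("\\"):  # value continues on the next line
            pending += line[:-1]
            continue
        m = ENTRY.match(pending + line)
        pending = ""
        if m:
            yield start, m.group(1), m.group(2).strip()

def find_risky_appenders(text):
    """Return (line_no, appender_name, class, referenced_by_a_logger)."""
    entries = list(parse_properties(text))
    referenced = {tok.strip() for _, key, value in entries
                  if LOGGER_KEY.match(key) for tok in value.split(",")}
    return [
        (no, m.group(1), value, m.group(1) in referenced)
        for no, key, value in entries
        if (m := APPENDER_KEY.match(key)) and value in RISKY_APPENDERS
    ]

# Constructed sample, not a real product configuration.
SAMPLE = """\
log4j.rootLogger=WARN, console, audit
log4j.appender.console=org.apache.log4j.ConsoleAppender
#log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.audit = \\
    org.apache.log4j.jdbc.JDBCAppender
log4j.appender.bus=org.apache.log4j.net.JMSAppender
"""
```

Calling `find_risky_appenders(SAMPLE)` reports the `audit` and `bus` appenders and ignores the commented-out line; the last field of each result tells you whether any logger references that appender, which helps when triaging a modified configuration.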
