On a 0-day exploit in the popular Java logging library log4j (version 2) was discovered. This results in Remote Code Execution (RCE) by logging a certain string. The exploit has been published under CVE-2021-44228. A related vulnerability CVE-2021-45046 was discovered on .
Update 21 JAN 2022 / Log4j related vulnerabilities discovered (see below).
CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution (critical)
CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1 (high)
CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x (high)
Atlassian has detected these vulnerabilities in both Jira and Confluence server and is working on further analysis. As of now, these are not rated as critical. No security warning has been issued.
Atlassian Cloud is not affected.
Atlassian Server and Data Center are potentially endangered if a non-default configuration is in place.
Watch out for Elasticsearch as this is bundled with Bitbucket.
If you are a Support Customer please read this summary for support customers.
You are a support customer if your company has a support contract active with the K15t support team.
If you are a License Customer please read this summary for license customers.
You are a license customer if your company has licensed Atlassian software or Atlassian Marketplace apps through our license team.
The K15t team,
January 27 2021
(this page was originally posted on December, 14 2021)