  • Atlassian Cloud is not affected by CVE-2021-44228.

  • Atlassian Server and Data Center products are potentially at risk if a non-default configuration is in place

  • Prerequisite software, Elasticsearch, used by Bitbucket Server & Data Center may be vulnerable

A related vulnerability, CVE-2021-45046, was discovered on . The Atlassian security team has not identified any vulnerable configurations in use by Atlassian products or services. More information is available in the FAQ for CVE-2021-44228 and CVE-2021-45046.

Atlassian Cloud

Atlassian Cloud is not affected. Atlassian Cloud customers are not vulnerable, and no action is required. This vulnerability has been mitigated for all Atlassian cloud products that previously used vulnerable versions of Log4j.

Atlassian on-premises (Server and Data Center)

The Atlassian security team stated that no Atlassian on-premises products are vulnerable to CVE-2021-44228.

However, some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. The Atlassian security team has done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party.

For that reason, Atlassian rates the severity level for on-premises products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place: 

  • The JMS Appender is configured in the application's Log4j configuration

  • The javax.jms API is included in the application's CLASSPATH

  • The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime 
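One way to check an installation against the three conditions listed above, as an added example (not Atlassian's or K15t's code). It assumes a `log4j.properties`-style configuration and the upstream Log4j 1.x class and option names; the function names and `SAMPLE` are hypothetical, and whether a configured target is a third party still needs manual review.

```python
import re
import zipfile

# Upstream Log4j 1.x names, assumed unchanged in the Atlassian-maintained fork.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JNDI_OPTIONS = {"topicbindingname", "topicconnectionfactorybindingname", "providerurl"}

def parse_properties(text):
    """Minimal .properties reader (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def jms_appenders(props):
    """Map each JMSAppender name to the JNDI-related options set on it."""
    found = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER:
            p = key + "."
            found[m.group(1)] = {k[len(p):]: v for k, v in props.items()
                                 if k.startswith(p) and k[len(p):].lower() in JNDI_OPTIONS}
    return found

def classpath_has_jms(jars):
    """True if any jar on the classpath provides javax.jms classes."""
    for jar in filter(zipfile.is_zipfile, jars):
        with zipfile.ZipFile(jar) as zf:
            if any(n.startswith("javax/jms/") for n in zf.namelist()):
                return True
    return False

def assess(config_text, jars):
    """All three conditions must hold for the product to be affected."""
    appenders = jms_appenders(parse_properties(config_text))
    result = {"jms_appender_configured": bool(appenders),
              "javax_jms_on_classpath": classpath_has_jms(jars),
              "jndi_lookup_configured": any(appenders.values())}
    result["all_conditions_met"] = all(result.values())
    return result, appenders  # appenders: bindings for manual third-party review

# Constructed sample configuration (not from any Atlassian product).
SAMPLE = """\
log4j.appender.audit=org.apache.log4j.net.JMSAppender
log4j.appender.audit.ProviderURL=tcp://broker.example.invalid:61616
log4j.appender.audit.TopicBindingName=auditTopic
"""
```

Call `assess()` with the contents of the application's Log4j configuration and the list of jar paths on its CLASSPATH; the second return value lists the configured bindings to review.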

The following products use the Atlassian-maintained fork of Log4j 1.2.17:

  • Bamboo Server and Data Center

  • Confluence Server and Data Center

  • Crowd Server and Data Center

  • Fisheye / Crucible

  • Jira Server and Data Center

Bitbucket

  • Prerequisite software, Elasticsearch, used by Bitbucket Server & Data Center may be vulnerable to CVE-2021-44228

  • Some Bitbucket versions included an unused log4j-core component which has been removed in the latest update.

Read the section “Impact On Self-Managed Products” in the Atlassian Security Advisory - Log4j CVE-2021-44228.

Your action is required

Atlassian Marketplace Apps

Please note that Marketplace Apps may also be affected. The information published by Atlassian relates only to Atlassian software. We expect Marketplace vendors to publish updates on this soon and will try to maintain an overview on this page.

What will K15t do?

We will not automatically take any further action nor check your installation.