Atlassian Cloud is not affected by CVE-2021-44228.
Atlassian Server and Data Center are potentially endangered if a non-default configuration is in place.
Prerequisite software, Elasticsearch – used by Bitbucket Server and Data Center – may be vulnerable.
A related vulnerability CVE-2021-45046 was discovered on . The Atlassian security team has not identified any vulnerable configurations in use by Atlassian products or services. Please find more information in the FAQ for CVE-2021-44228 and CVE-2021-45046.
Atlassian Cloud is not affected. Atlassian Cloud Customers are not vulnerable, and no action is required. This vulnerability has been mitigated for all Atlassian cloud products previously using vulnerable versions of Log4j.
Atlassian On-Premise (Server and Data Center)
Atlassian’s security team stated that no Atlassian on-premise products are vulnerable to CVE-2021-44228.
However, some on-premise products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. The Atlassian security team have done an additional analysis on this fork and have confirmed a new but similar vulnerability that can only be exploited by a trusted party.
For that reason, Atlassian rates the severity level for on-premise products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:
The JMS Appender is configured in the application's Log4j configuration.
javax.jms API is included in the application's
The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by trusted users who modify the application's configuration, or by trusted code setting a property at runtime.
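As an added example (not K15t's or Atlassian's code), the following Python script checks a log4j 1.x properties file for the conditions above: whether any appender is org.apache.log4j.net.JMSAppender, whether a logger actually attaches it (log4j 1.x only instantiates appenders that a logger references, so a defined-but-unused appender is inert), and whether its JNDI binding names carry a URL scheme, which would send the lookup to whatever service the URL names instead of a plain name in the local context. The embedded sample configuration and all host names are constructed for this example; the javax.jms classpath condition has to be checked against the deployment separately.

```python
"""Added example: scan a log4j 1.x .properties file for JMSAppender
conditions.  Not K15t or Atlassian code; the sample configuration and
host names below are constructed for this example."""
import re
import sys
from dataclasses import dataclass, field

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# JMSAppender settings that it resolves through JNDI when activated.
BINDING_KEYS = ("TopicConnectionFactoryBindingName", "TopicBindingName")
# A binding name is normally a plain name in the context; a URL scheme
# means the lookup is directed at whatever service the URL names.
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators, and trailing-backslash line continuations."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        logical = "".join(pending) + line
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


@dataclass
class Finding:
    appender: str
    attached_to: list = field(default_factory=list)  # loggers referencing it
    bindings: dict = field(default_factory=dict)     # JNDI binding names
    provider_url: str = ""

    @property
    def status(self) -> str:
        """inactive: no logger uses the appender, so log4j never creates it.
        url-binding: active and a binding name carries a URL scheme.
        review: active with plain names; confirm the JNDI provider is trusted."""
        if not self.attached_to:
            return "inactive"
        if any(URL_SCHEME.match(v) for v in self.bindings.values()):
            return "url-binding"
        return "review"


def attached_loggers(props: dict, appender: str) -> list:
    """Loggers look like 'log4j.rootLogger=LEVEL, A, B' or 'log4j.logger.x=LEVEL, A'."""
    hits = []
    for key, value in props.items():
        if key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            refs = [p.strip() for p in value.split(",")[1:]]
            if appender in refs:
                hits.append(key)
    return hits


def check_jms_appenders(props: dict) -> list:
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value != JMS_APPENDER_CLASS:
            continue
        name = m.group(1)
        prefix = f"log4j.appender.{name}."
        findings.append(Finding(
            appender=name,
            attached_to=attached_loggers(props, name),
            bindings={k: props[prefix + k] for k in BINDING_KEYS if prefix + k in props},
            provider_url=props.get(prefix + "ProviderURL", ""),
        ))
    return findings


def report(text: str) -> dict:
    """Map appender name -> status for the given file contents."""
    return {f.appender: f.status for f in check_jms_appenders(parse_properties(text))}


# Constructed sample log4j.properties; hosts use the reserved .invalid TLD.
SAMPLE = """\
# constructed sample for this example
log4j.rootLogger=WARN, console, jmsaudit
log4j.logger.com.example.batch=INFO, jmsold
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jmsaudit=org.apache.log4j.net.JMSAppender
log4j.appender.jmsaudit.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jmsaudit.ProviderURL=tcp://broker.example.invalid:61616
log4j.appender.jmsaudit.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jmsaudit.TopicBindingName=ldap://directory.example.invalid/auditTopic
log4j.appender.jmsold=org.apache.log4j.net.JMSAppender
log4j.appender.jmsold.ProviderURL=tcp://broker.example.invalid:61616
log4j.appender.jmsold.TopicBindingName=legacyTopic
log4j.appender.jmsunused=org.apache.log4j.net.JMSAppender
log4j.appender.jmsunused.TopicBindingName=\\
    unusedTopic
"""

if __name__ == "__main__":
    # Usage: python check_jms.py /path/to/log4j.properties  (no argument: sample)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for f in check_jms_appenders(parse_properties(source)):
        print(f"{f.appender}: {f.status}; loggers={f.attached_to}; "
              f"provider={f.provider_url or '-'}; bindings={f.bindings}")
```

Run it against the sample and it reports jmsaudit as url-binding (attached to the root logger, URL-style topic binding), jmsold as review (attached, plain names, provider to confirm) and jmsunused as inactive. An "inactive" result still deserves cleanup, since anyone who can edit the file could attach the appender later; the status only says what the running configuration does today.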
The following products use the Atlassian-maintained fork of Log4j 1.2.17:
Bamboo Server and Data Center
Confluence Server and Data Center
Crowd Server and Data Center
Fisheye / Crucible
Jira Server and Data Center
Prerequisite software, Elasticsearch – used by Bitbucket Server and Data Center – may be vulnerable to CVE-2021-44228.
Some Bitbucket versions included an unused log4j-core component which has been removed in the latest update.
Read the section “Impact On Self-Managed Products” on Atlassian Security Advisory - Log4j CVE-2021-44228.
Your Action Is Required
Follow Atlassian’s instructions in Security Advisory - Log4j - CVE-2021-44228 | Atlassian Support.
We have also created this article to help you check your log4j.properties file.
Please also take a look and check back as new information becomes available in the update log.
Atlassian Marketplace Apps
Please note that Atlassian Marketplace Apps may also be affected.
The information published by Atlassian relates only to Atlassian software.
We are expecting Marketplace vendors to provide updates soon on how this affects their individual apps. We will try to maintain an up-to-date overview of other vendors' updates on this page.
What Action Will K15t Take?
We will not automatically take any further action nor check your installation.