Atlassian Cloud is not affected by CVE-2021-44228.
Atlassian Server and Data Center products are only potentially affected if a non-default configuration is in place.
Elasticsearch, prerequisite software used by Bitbucket Server and Data Center, may be vulnerable.
A related vulnerability, CVE-2021-45046, was discovered on . The Atlassian security team has not identified any vulnerable configurations in use by Atlassian products or services. More information is available in Atlassian's FAQ for CVE-2021-44228 and CVE-2021-45046.
Atlassian Cloud is not affected. Atlassian Cloud customers are not vulnerable, and no action is required. The vulnerability has been mitigated for all Atlassian Cloud products that previously used vulnerable versions of Log4j.
Atlassian on-premise (Server and Data Center)
The Atlassian security team has stated that no Atlassian on-premises products are vulnerable to CVE-2021-44228.
However, some on-premises products use an Atlassian-maintained fork of Log4j 1.2.17. This fork is not vulnerable to CVE-2021-44228, but Atlassian's additional analysis of it confirmed a new but similar vulnerability, which can only be exploited by a trusted party.
Atlassian therefore rates the severity for on-premises products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:
The JMS Appender is configured in the application's Log4j configuration.
The javax.jms API is included in the application's
The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime.
The following products use the Atlassian-maintained fork of Log4j 1.2.17:
Bamboo Server and Data Center
Confluence Server and Data Center
Crowd Server and Data Center
Fisheye / Crucible
Jira Server and Data Center
Elasticsearch, prerequisite software used by Bitbucket Server and Data Center, may be vulnerable to CVE-2021-44228.
Some Bitbucket versions included an unused log4j-core component, which has been removed in the latest update.
See the section "Impact On Self-Managed Products" in Atlassian's Security Advisory - Log4j CVE-2021-44228.
Atlassian Marketplace Apps
Note that Marketplace apps may also be affected. The information published by Atlassian relates only to Atlassian software. We expect Marketplace vendors to publish updates on this soon and will try to maintain an overview on this page.
What you should do now
Follow Atlassian's instructions in Security Advisory - Log4j - CVE-2021-44228 | Atlassian Support. We have also created this article to help you check your log4j.properties. Please also follow this update log.
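To make the log4j.properties check concrete, here is an added example (not Atlassian's tooling and not part of the original article) that tests the three non-default conditions listed under "Atlassian on-premise (Server and Data Center)": a configured org.apache.log4j.net.JMSAppender, javax.jms classes on the classpath (found by scanning jar files under a lib directory), and JMSAppender settings that point its JNDI lookup at an external provider. The sample configurations and jar files are constructed inline so the script runs offline; the "third party" test is a heuristic of ours (a ProviderURL or binding name carrying a URL scheme), and the directory layout and file names are assumptions.

```python
"""Check a Log4j 1.2 log4j.properties for the three JMSAppender conditions.
Added example, not Atlassian's own tooling. Condition 3 is approximated
heuristically: a JMSAppender setting that contains a URL scheme."""
import os
import re
import tempfile
import zipfile

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# JMSAppender settings that name the JNDI provider or the objects it looks
# up; JMSAppender builds an InitialContext from them when it is activated.
JNDI_KEYS = {"topicbindingname", "topicconnectionfactorybindingname",
             "providerurl", "initialcontextfactoryname", "urlpkgprefixes"}

# Constructed sample configurations (not a product's shipped file).
SAFE_PROPS = """\
log4j.rootLogger=WARN, console, filelog
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.filelog=org.apache.log4j.RollingFileAppender
log4j.appender.filelog.File=atlassian-app.log
"""
RISKY_PROPS = SAFE_PROPS.replace("console, filelog", "console, filelog, jms") + """\
# a JMS appender pointing at an external JNDI provider (constructed)
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.jms.ProviderURL=ldap://203.0.113.10:1389/
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=TopicConnectionFactory
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' ':' or
    whitespace separators, backslash line continuations. Escape sequences
    are left undecoded, which is fine for class names and URLs."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_jms_appenders(props):
    """Condition 1: every appender whose class is JMSAppender, with its
    JNDI-related settings and whether any logger actually references it."""
    loggers = [v for k, v in props.items()
               if k in ("log4j.rootLogger", "log4j.rootCategory")
               or k.startswith(("log4j.logger.", "log4j.category."))]
    found = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not (m and value == JMS_APPENDER_CLASS):
            continue
        name, prefix = m.group(1), key + "."
        settings = {k[len(prefix):]: v for k, v in props.items()
                    if k.startswith(prefix) and k[len(prefix):].lower() in JNDI_KEYS}
        referenced = any(name in [p.strip() for p in v.split(",")[1:]] for v in loggers)
        found[name] = {"settings": settings, "referenced": referenced}
    return found


def jars_with_javax_jms(classpath_dirs):
    """Condition 2: jar files under the given directories that contain
    javax.jms classes (a JMS API jar or a message-broker client jar)."""
    hits = []
    for d in classpath_dirs:
        for root, _, files in os.walk(d):
            for f in sorted(files):
                if not f.endswith(".jar"):
                    continue
                path = os.path.join(root, f)
                try:
                    with zipfile.ZipFile(path) as z:
                        if any(n.startswith("javax/jms/") for n in z.namelist()):
                            hits.append(path)
                except zipfile.BadZipFile:
                    continue
    return hits


def assess(props_text, classpath_dirs):
    """Apply all three conditions and return the evidence plus a verdict.
    Condition 3 (heuristic): a JMSAppender setting with a URL scheme, i.e.
    a JNDI lookup that leaves the JVM for an external provider."""
    props = parse_properties(props_text)
    jms = find_jms_appenders(props)
    jars = jars_with_javax_jms(classpath_dirs)
    remote = [(n, k, v) for n, d in jms.items() for k, v in d["settings"].items()
              if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I)]
    return {"jms_appenders": jms, "javax_jms_jars": jars, "remote_jndi": remote,
            "all_conditions_met": bool(jms) and bool(jars) and bool(remote)}


def build_sample_classpath():
    """Constructed lib/ directory: one plain jar and one carrying javax/jms/."""
    lib = tempfile.mkdtemp(prefix="log4j-check-")
    with zipfile.ZipFile(os.path.join(lib, "plain-util.jar"), "w") as z:
        z.writestr("com/example/Util.class", b"")
    with zipfile.ZipFile(os.path.join(lib, "jms-api.jar"), "w") as z:
        z.writestr("javax/jms/Topic.class", b"")
    return lib


if __name__ == "__main__":
    lib = build_sample_classpath()
    for label, text in (("safe", SAFE_PROPS), ("risky", RISKY_PROPS)):
        r = assess(text, [lib])
        print(label, "- all three conditions met:", r["all_conditions_met"])
        for a, d in r["jms_appenders"].items():
            print("  JMSAppender", a, "referenced by a logger:", d["referenced"], d["settings"])
        print("  javax.jms jars:", r["javax_jms_jars"], "remote JNDI:", r["remote_jndi"])
```

On a real installation, point assess() at the product's active log4j.properties (the one in the deployed WEB-INF/classes, not only the one in the installation archive) and at the directories the JVM actually loads jars from, and treat any JMSAppender definition as worth a manual look even when the heuristic for condition 3 does not fire, since a binding name can also be resolved through a provider configured outside the properties file.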
Note for Operations- and Remote Enterprise Support customers
We have checked your situation individually and taken measures if necessary.
Note for Application Support customers
You have operational responsibility for your Atlassian installation. Our team will not take any measures without your prior written instruction. If you need help with any of the tasks involved, please create a ticket in the services portal.