Please always follow original links and official vendor documentation. We cannot guarantee that information has not changed since publication of this log.

Date
unless specified, all time information CET

Note

Reference

CVE-2021-44228 discovered

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Atlassian released general information

https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

5:30pm

Based on FAQ, sent out warning to all K15t support customers

  • check log4j property file

11:45pm UTC

Atlassian released Security Advisory

Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228

K15t set up this resources page

https://resources.k15t.com/log4shell-security-advisory

11am

ATTENTION

  • please check log4j property file

If you run Bitbucket, don’t forget to check Elasticsearch and modify the JVM option as described in the community link

Per the guidance on Elastic's Website, you can protect your instance from this vulnerability by setting the below JVM option in Elasticsearch:

-Dlog4j2.formatMsgNoLookups=true

Community Information: Elastic search / log4j zero-day
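
One way to verify the Elasticsearch setting quoted above, as an added example that is not code from Atlassian, Elastic or K15t: the script reports whether the flag is effectively set in a `jvm.options` file and appends it if it is not. The function names, the `.bak` backup and the sample file contents are assumptions made for illustration; pass the path of your own `jvm.options` file.

```shell
#!/bin/sh
# Added example (not vendor code): audit a jvm.options file for the flag above.
FLAG='-Dlog4j2.formatMsgNoLookups'

# Print the effective state of the flag: true | false | missing.
# Comments and blank lines are skipped, and an optional Elasticsearch version
# prefix ("8:", "8-:", "8-9:") is stripped. The last setting is reported,
# because a later -D option overrides an earlier one.
lookup_state() {
    awk -v flag="$FLAG" '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            sub(/^[0-9]+(-[0-9]*)?:/, "", line)
            if (index(line, flag "=") == 1)
                state = tolower(substr(line, length(flag) + 2))
        }
        END { print (state == "" ? "missing" : (state == "true" ? "true" : "false")) }
    ' "$1"
}

# Append the flag unless it is already effectively true; keeps a .bak copy.
# Prints "unchanged" or "added".
ensure_no_lookups() {
    if [ "$(lookup_state "$1")" = "true" ]; then
        echo unchanged
        return 0
    fi
    cp -p "$1" "$1.bak"
    # Start on a fresh line if the file does not end with a newline.
    if [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    printf '%s=true\n' "$FLAG" >> "$1"
    echo added
}

# Constructed sample input (not from a real installation).
sample=$(mktemp)
cat > "$sample" <<'EOF'
-Xms1g
# -Dlog4j2.formatMsgNoLookups=true
8-:-Dlog4j2.formatMsgNoLookups=false
EOF
echo "before: $(lookup_state "$sample")"
ensure_no_lookups "$sample"
echo "after:  $(lookup_state "$sample")"
rm -f "$sample" "$sample.bak"
```

Elasticsearch reads its JVM options at startup, so the node has to be restarted before an added flag takes effect.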

6:10pm

Security Advisory sent out to all K15t customers (support and license)

  • Atlassian Cloud not affected

  • Server/Data Center may be affected if log4j configuration modified

https://resources.k15t.com/log4shell-security-advisory/Information-for-Support-Customers.14104428586.html

https://resources.k15t.com/log4shell-security-advisory/Information-for-License-Customers.14104428577.html

5:30am

Second log4j Vulnerability Published (CVE-2021-44228) + CVE-2021-45046

  • Atlassian has not released any information yet

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

10am

UPDATED BELOW Is Bitbucket vulnerable through Elasticsearch?

  • As we don’t have enough information yet, you might want to consider deactivating Elasticsearch in Bitbucket as a preliminary measure until more information is available

11:30am

Read Adaptavist’s evaluation about Script Runner:

Adaptavist's apps on the Atlassian Marketplace are not directly impacted by this issue and there are no actions needed to address the vulnerability.

Atlassian Marketplace Apps

12:10pm

  • Atlassian software is not vulnerable to CVE-2021-45046. Check details here: FAQ for CVE-2021-44228

  • Elasticsearch, used by Bitbucket Server & Data Center, may be vulnerable to CVE-2021-44228. Some Bitbucket versions included an unused log4j-core component, which has been removed in the latest update.
    Read the section “Impact On Self-Managed Products” in the Atlassian Security Advisory - Log4j CVE-2021-44228