2021-12-09 Apache Log4j2 library CVE-2021-44228

Question

Are we affected by the CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) vulnerability?

Summary

We have investigated this vulnerability on Friday (2021-12-09) and over the weekend. Our plugins do not bundle any vulnerable versions of the log4j libraries and as such are not affected by the CVE.

We have also looked at the current host products (Jira, Confluence, Bitbucket) and none of them should be vulnerable in their default configuration. Atlassian has in the meantime published a FAQ, which does agree with our assessment but has more details:

https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

The following Atlassian article has more info as well:

https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html

Question

Summary

SAML Single Sign-On is available for Atlassian Server & Atlassian Data Center products. Our Jira Data Center, Confluence Data Center, Bitbucket Data Center, Jira Server, Confluence Server, Bitbucket Server and other apps are all available on the Atlassian Marketplace.

SAML Single Sign-On is available for Atlassian Server & Atlassian Data Center products.

Our Jira Data Center, Confluence Data Center, Bitbucket Data Center, Jira Server, Confluence Server, Bitbucket Server and other apps are all available on the Atlassian Marketplace.