Question

Are we affected by the CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) vulnerability?

Summary

We investigated this vulnerability on Friday (2021-12-09) and over the weekend. Our plugins do not bundle any vulnerable versions of the Log4j libraries and are therefore not affected by the CVE.

We have also looked at the current host products (Jira, Confluence, Bitbucket), and none of them should be vulnerable in their default configuration. Atlassian has since published an FAQ that agrees with our assessment and goes into more detail:

The following Atlassian article has more info as well: