Looking for information about bitvoodoo apps? Look here.
Dear customer,
On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2.
Update: Atlassian put out a Security Advisory for this exploit here: Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228.
Update: Atlassian updated the Security Advisory to report a finding that some Bitbucket Data Center and Server versions are affected. We created an info page here: Bitbucket Security Advisory - 2021-12-16.
Update: Atlassian updated their FAQ with information regarding CVE-2021-45046, see here: FAQ for CVE-2021-44228 and CVE-2021-45046.
Update: Atlassian updated their FAQ with information regarding CVE-2021-45105, see here: FAQ for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java.
This is a security issue affecting a broad range of software based on Java. Atlassian products such as Jira and Confluence run on Java and also use Log4j.
Bitbucket
Most Atlassian on-premise applications use an outdated version of Log4j and are not affected if you didn't modify Log4j yourself. See FAQ for CVE-2021-44228 and CVE-2021-45046.
Atlassian secured their cloud products and has not identified compromised systems. The on-demand applications are not affected. See FAQ for CVE-2021-44228 and CVE-2021-45046.
If you have never customized the settings of Log4j inside the Atlassian installation, you are on the safe side. As your Atlassian application uses the default configuration of Log4j, you are not affected by the exploit.
If you have set Log4j to work with JMS Appenders or are unsure, follow the instructions "How can I mitigate this exploit?" in the FAQ for CVE-2021-44228 and CVE-2021-45046.
Apps
Third-party apps can still pose a risk. Atlassian is reviewing all apps and informs the vendors if they find a security risk. We have checked our bitvoodoo apps and found them to be risk-free. You can find more information about our apps here: Log4Shell - bitvoodoo apps - 2021-12-13
As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors. Should we become aware of a vulnerable app, we will inform you accordingly.
Please contact our support if you need assistance.
We have checked our installations according to the information in the FAQ. The installations have no configurations that could lead to misuse. As your Atlassian application uses the default configuration of Log4j, your applications are not affected by the exploit.
Atlassian secured their cloud products and has not identified compromised systems. The on-demand applications are not affected.
Please check all Java-based software besides Atlassian products running in your organisation, as this is a serious security risk.
If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.