Contents


Inhalte




Date

 

Product
  • Apache Log4j 2
VulnerabilityNot applicable 
CVECVE-2021-44228, CVE-2021-45046, CVE-2021-45105
Official link Multiple Products Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228



Looking for information about Atlassian products and bitvoodoo hostings? Look here.




Dear customer,

On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2. Atlassian issued their own Security Advisory on 13th December.

What you need to know

A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java. This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j. 

bitvoodoo apps

Data Center and Server

AppStatusExplanation
Paid Apps
Viewtracker - Analytics for Confluence

We do not use lookup and Confluence uses an old version of Log4j that is not affected.










Navitabs - Tabs for Confluence

Advanced Panelboxes for Confluence

Translations for Confluence

Chat for Confluence

Enterprise Theme for Confluence

Templates for Blog Posts for Confluence

Redirect for Confluence

Content Scheduler for Confluence

Advanced Search for Confluence

Attachment Tracking for Confluence

Search Analytics for Confluence

Custom Field Option Synchroniser

Even though we use lookup of jndi for data sources, we use a static predefined prefix that contains "java:". This prevents other protocols from being used.
Free and Labs Apps
Congrats for Confluence

We do not use lookup and Confluence uses an old version of Log4j that is not affected.
Label Scheduler for Confluence

Macro Documentation for Confluence

SBB Widgets for Confluence

Viewtracker Supplier

Label Fixer

Cloud

AppStatusExplanation

Viewtracker - Analytics for Confluence

Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See Log4J2 Vulnerability and Spring Boot

Navitabs - Tabs for Confluence

Advanced Panelboxes for Confluence

Translations for Confluence

What should I do?

Regarding our apps there is no need for action. If you are using the default configuration of Log4j or are on Atlassian Cloud, you are not affected (with the exception of Bitbucket). If you have ever customized the configuration of Log4j on your Atlassian on-premise installation to work with JMS Appenders, please disable them by following the mitigation described by Atlassian.

As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.


Further Reading

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.


Dear customer,

On Thursday 9th December, developers and security researchers found a security vulnerability in Apache Log4j 2. Atlassian issued their own Security Advisory on 13th December.

What you need to know

A security vulnerability was discovered in Apache Log4j 2. Log4j is a popular logging package for Java. This is a security issue affecting a broad range of software based upon Java. Atlassian products such as Jira and Confluence run on Java and also utilize Log4j. 

bitvoodoo apps

Data Center and Server

AppStatusExplanation
Paid Apps
Viewtracker - Analytics for Confluence

We do not use lookup and Confluence uses an old version of Log4j that is not affected.










Navitabs - Tabs for Confluence

Advanced Panelboxes for Confluence

Translations for Confluence

Chat for Confluence

Enterprise Theme for Confluence

Templates for Blog Posts for Confluence

Redirect for Confluence

Content Scheduler for Confluence

Advanced Search for Confluence

Attachment Tracking for Confluence

Search Analytics for Confluence

Custom Field Option Synchroniser

Even though we use lookup of jndi for data sources, we use a static predefined prefix that contains "java:". This prevents other protocols from being used.
Free and Labs Apps
Congrats for Confluence

We do not use lookup and Confluence uses an old version of Log4j that is not affected.
Label Scheduler for Confluence

Macro Documentation for Confluence

SBB Widgets for Confluence

Viewtracker Supplier

Label Fixer

Cloud

AppStatusExplanation

Viewtracker - Analytics for Confluence

Our Cloud apps are not affected. We do not use Log4j in our Cloud Apps. We work with the default logging of Spring Boot instead. See Log4J2 Vulnerability and Spring Boot

Navitabs - Tabs for Confluence

Advanced Panelboxes for Confluence

Translations for Confluence

What should I do?

Regarding our apps there is no need for action. If you are using the default configuration of Log4j or are on Atlassian Cloud, you are not affected (with the exception of Bitbucket). If you have ever customized the configuration of Log4j on your Atlassian on-premise installation to work with JMS Appenders, please disable them by following the mitigation described by Atlassian.

As we cannot speak for other app vendors, we cannot be sure that other apps are safe. You might need to get in touch with other Atlassian Marketplace vendors.


Further Reading

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.