Hey @Lukasz Dabrowka
https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html has a summary that includes:
Some self-managed products use an Atlassian-maintained fork of Log4j 1.2.17, which is not vulnerable to CVE-2021-44228. We have done additional analysis on this fork and confirmed a new but similar vulnerability (CVE-2021-4104) that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for all other self-managed products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:
-
The JMS Appender is configured in the application's Log4j configuration
-
The javax.jms API is included in the application's CLASSPATH
-
The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime
The following products use the Atlassian-maintained fork of Log4j 1.2.17:
-
Bamboo Server and Data Center (including Bamboo Agents)
-
Confluence Server and Data Center
-
Crowd Server and Data Center
-
Fisheye / Crucible
-
Jira Service Management Server and Data Center
-
Jira Software Server and Data Center (including Jira Core)
So, unless you've got a modified log4j config, you should be safe. With something this critical though, I'd suggest doing further analysis of your own to verify.
CCM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.